[llvm] r226986 - [Bitcode] Diagnose errors instead of asserting from bad input

Filipe Cabecinhas me at filcab.net
Fri Jan 23 20:15:06 PST 2015


Author: filcab
Date: Fri Jan 23 22:15:05 2015
New Revision: 226986

URL: http://llvm.org/viewvc/llvm-project?rev=226986&view=rev
Log:
[Bitcode] Diagnose errors instead of asserting from bad input

Eventually we can make some of these pass the error along to the caller.

Reports a fatal error if:
We find an invalid abbrev record
We try to get an invalid abbrev number
We can't fill the current word due to an EOF

Fixed an invalid bitcode test to check for output with FileCheck

Bugs found with afl-fuzz

Added:
    llvm/trunk/test/Bitcode/Inputs/invalid-abbrev.bc
    llvm/trunk/test/Bitcode/Inputs/invalid-bad-abbrev-number.bc
    llvm/trunk/test/Bitcode/Inputs/invalid-unexpected-eof.bc
Modified:
    llvm/trunk/include/llvm/Bitcode/BitstreamReader.h
    llvm/trunk/lib/Bitcode/Reader/BitstreamReader.cpp
    llvm/trunk/test/Bitcode/invalid.test

Modified: llvm/trunk/include/llvm/Bitcode/BitstreamReader.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/include/llvm/Bitcode/BitstreamReader.h?rev=226986&r1=226985&r2=226986&view=diff
==============================================================================
--- llvm/trunk/include/llvm/Bitcode/BitstreamReader.h (original)
+++ llvm/trunk/include/llvm/Bitcode/BitstreamReader.h Fri Jan 23 22:15:05 2015
@@ -315,7 +315,8 @@ public:
   }
 
   void fillCurWord() {
-    assert(Size == 0 || NextChar < (unsigned)Size);
+    if (Size != 0 && NextChar >= (unsigned)Size)
+      report_fatal_error("Unexpected end of file");
 
     // Read the next word from the stream.
     uint8_t Array[sizeof(word_t)] = {0};
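Review bot: in fillCurWord(), the new check is skipped whenever Size is 0, so in that case a read past the end of the input is still not diagnosed at this point; a short comment stating what Size == 0 means and where that case is caught would make the guard easier to audit. The hunk also calls report_fatal_error from a header without any #include change visible in this file's diff, so it is worth confirming that llvm/Support/ErrorHandling.h is included directly rather than reached through another header.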
@@ -490,11 +491,11 @@ private:
   //===--------------------------------------------------------------------===//
 
 public:
-
   /// Return the abbreviation for the specified AbbrevId.
   const BitCodeAbbrev *getAbbrev(unsigned AbbrevID) {
-    unsigned AbbrevNo = AbbrevID-bitc::FIRST_APPLICATION_ABBREV;
-    assert(AbbrevNo < CurAbbrevs.size() && "Invalid abbrev #!");
+    unsigned AbbrevNo = AbbrevID - bitc::FIRST_APPLICATION_ABBREV;
+    if (AbbrevNo >= CurAbbrevs.size())
+      report_fatal_error("Invalid abbrev number");
     return CurAbbrevs[AbbrevNo].get();
   }
 
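Review bot: in getAbbrev(), AbbrevID - bitc::FIRST_APPLICATION_ABBREV is an unsigned subtraction, so an AbbrevID below FIRST_APPLICATION_ABBREV wraps to a very large AbbrevNo and is rejected only because it then fails the AbbrevNo >= CurAbbrevs.size() test. That is correct, but it is implicit; a one-line comment, or an explicit AbbrevID < bitc::FIRST_APPLICATION_ABBREV test, would keep a later refactor (for example a change to a signed type) from reopening the out-of-bounds index into CurAbbrevs. The removal of the blank line after public: is an unrelated whitespace change and would be cleaner in a separate commit.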

Modified: llvm/trunk/lib/Bitcode/Reader/BitstreamReader.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Bitcode/Reader/BitstreamReader.cpp?rev=226986&r1=226985&r2=226986&view=diff
==============================================================================
--- llvm/trunk/lib/Bitcode/Reader/BitstreamReader.cpp (original)
+++ llvm/trunk/lib/Bitcode/Reader/BitstreamReader.cpp Fri Jan 23 22:15:05 2015
@@ -170,8 +170,12 @@ unsigned BitstreamCursor::readRecord(uns
   unsigned Code;
   if (CodeOp.isLiteral())
     Code = CodeOp.getLiteralValue();
-  else
+  else {
+    if (CodeOp.getEncoding() == BitCodeAbbrevOp::Array ||
+        CodeOp.getEncoding() == BitCodeAbbrevOp::Blob)
+      report_fatal_error("Abbreviation starts with an Array or a Blob");
     Code = readAbbreviatedField(*this, CodeOp);
+  }
 
   for (unsigned i = 1, e = Abbv->getNumOperandInfos(); i != e; ++i) {
     const BitCodeAbbrevOp &Op = Abbv->getOperandInfo(i);
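Review bot: the Array/Blob test on CodeOp sits in readRecord(), so it runs on every record read through the abbreviation, although the property it checks belongs to the abbreviation definition. Rejecting such an abbreviation where it is defined would report the problem once, closer to the malformed bytes, and keep this path simpler. Since report_fatal_error ends the process, callers that embed the reader cannot recover from a bad file here; the log message notes the intent to pass errors to the caller later, and a FIXME at this call would record that in the code.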

Added: llvm/trunk/test/Bitcode/Inputs/invalid-abbrev.bc
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Bitcode/Inputs/invalid-abbrev.bc?rev=226986&view=auto
==============================================================================
Binary files llvm/trunk/test/Bitcode/Inputs/invalid-abbrev.bc (added) and llvm/trunk/test/Bitcode/Inputs/invalid-abbrev.bc Fri Jan 23 22:15:05 2015 differ

Added: llvm/trunk/test/Bitcode/Inputs/invalid-bad-abbrev-number.bc
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Bitcode/Inputs/invalid-bad-abbrev-number.bc?rev=226986&view=auto
==============================================================================
--- llvm/trunk/test/Bitcode/Inputs/invalid-bad-abbrev-number.bc (added)
+++ llvm/trunk/test/Bitcode/Inputs/invalid-bad-abbrev-number.bc Fri Jan 23 22:15:05 2015
@@ -0,0 +1 @@
+BCÀÞ!0000000000
\ No newline at end of file
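Review bot: invalid-bad-abbrev-number.bc (and invalid-unexpected-eof.bc below) are shown as one-line text diffs, while invalid-abbrev.bc is reported as "Binary files ... differ". These are bitcode inputs, so they should be marked as binary in the repository as well; otherwise the bytes after the magic can be altered by line-ending or encoding handling in diffs and mail, and the test would then no longer exercise the intended parser path.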

Added: llvm/trunk/test/Bitcode/Inputs/invalid-unexpected-eof.bc
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Bitcode/Inputs/invalid-unexpected-eof.bc?rev=226986&view=auto
==============================================================================
--- llvm/trunk/test/Bitcode/Inputs/invalid-unexpected-eof.bc (added)
+++ llvm/trunk/test/Bitcode/Inputs/invalid-unexpected-eof.bc Fri Jan 23 22:15:05 2015
@@ -0,0 +1 @@
+BCÀÞ!00000000000000000000
\ No newline at end of file

Modified: llvm/trunk/test/Bitcode/invalid.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Bitcode/invalid.test?rev=226986&r1=226985&r2=226986&view=diff
==============================================================================
--- llvm/trunk/test/Bitcode/invalid.test (original)
+++ llvm/trunk/test/Bitcode/invalid.test Fri Jan 23 22:15:05 2015
@@ -1 +1,13 @@
-RUN: not llvm-dis -disable-output %p/Inputs/invalid-pr20485.bc
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-pr20485.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=INVALID-ENCODING %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=BAD-ABBREV %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-unexpected-eof.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=UNEXPECTED-EOF %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-bad-abbrev-number.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=BAD-ABBREV-NUMBER %s
+
+INVALID-ENCODING: Invalid encoding
+BAD-ABBREV: Abbreviation starts with an Array or a Blob
+UNEXPECTED-EOF: Unexpected end of file
+BAD-ABBREV-NUMBER: Invalid abbrev number
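Review bot: the new RUN lines give no indication of what makes each input malformed or how it was produced. Because the .bc files are opaque, a short comment above each RUN pair (which reader check the file is meant to hit, and that it came from afl-fuzz) would let someone regenerate or minimise the input if the bitstream reader changes. The CHECK lines also match only the bare message text, so they will keep passing unchanged if these failures later become ordinary diagnostics instead of fatal errors; if the distinction matters, match the full error line.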





