[llvm] r268881 - [Bitcode] Fix an unsigned integer overflow while parsing bitcode wrapper header

Bruno Cardoso Lopes via llvm-commits llvm-commits at lists.llvm.org
Sun May 8 14:27:39 PDT 2016


Author: bruno
Date: Sun May  8 16:27:39 2016
New Revision: 268881

URL: http://llvm.org/viewvc/llvm-project?rev=268881&view=rev
Log:
[Bitcode] Fix an unsigned integer overflow while parsing bitcode wrapper header

Specially crafted bitcode wrapper headers can cause unsigned integer
overflow and lead to crashes when wrapping around. Fix the offset check
and avoid such scenarios.

Writing a testcase for this would involve editing the binary to generate
values that trigger the overflow, since this would never happen while
generating the bitcode in regular compilation flows, so there's
currently no feasible way to add one.

Modified:
    llvm/trunk/include/llvm/Bitcode/ReaderWriter.h

Modified: llvm/trunk/include/llvm/Bitcode/ReaderWriter.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/include/llvm/Bitcode/ReaderWriter.h?rev=268881&r1=268880&r2=268881&view=diff
==============================================================================
--- llvm/trunk/include/llvm/Bitcode/ReaderWriter.h (original)
+++ llvm/trunk/include/llvm/Bitcode/ReaderWriter.h Sun May  8 16:27:39 2016
@@ -162,9 +162,10 @@ namespace llvm {
 
     unsigned Offset = support::endian::read32le(&BufPtr[BWH_OffsetField]);
     unsigned Size = support::endian::read32le(&BufPtr[BWH_SizeField]);
+    uint64_t BitcodeOffsetEnd = (uint64_t)Offset + (uint64_t)Size;
 
     // Verify that Offset+Size fits in the file.
-    if (VerifyBufferSize && Offset+Size > unsigned(BufEnd-BufPtr))
+    if (VerifyBufferSize && BitcodeOffsetEnd > uint64_t(BufEnd-BufPtr))
       return true;
     BufPtr += Offset;
     BufEnd = BufPtr+Size;
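
Review bot: the widened comparison on `BitcodeOffsetEnd` is still gated by `VerifyBufferSize`, so when that flag is false the header's `Offset` and `Size` reach `BufPtr += Offset` and `BufEnd = BufPtr+Size` with no range check at all. Consider either documenting on the parameter that callers passing false must already trust the buffer, or always rejecting an `Offset` that lies past `BufEnd`. Two smaller points: `uint64_t(BufEnd-BufPtr)` converts a signed pointer difference and relies on `BufEnd >= BufPtr`, which is worth an assert, and the comment "Verify that Offset+Size fits in the file" could say that the sum is computed in 64 bits so the next reader does not narrow it back to `unsigned`.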
