[llvm] r271105 - Bounds check the number of bitmap blocks in the name map

David Majnemer via llvm-commits llvm-commits at lists.llvm.org
Fri May 27 22:59:25 PDT 2016


Author: majnemer
Date: Sat May 28 00:59:25 2016
New Revision: 271105

URL: http://llvm.org/viewvc/llvm-project?rev=271105&view=rev
Log:
Bounds check the number of bitmap blocks in the name map

Modified:
    llvm/trunk/lib/DebugInfo/PDB/Raw/NameMap.cpp

Modified: llvm/trunk/lib/DebugInfo/PDB/Raw/NameMap.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/DebugInfo/PDB/Raw/NameMap.cpp?rev=271105&r1=271104&r2=271105&view=diff
==============================================================================
--- llvm/trunk/lib/DebugInfo/PDB/Raw/NameMap.cpp (original)
+++ llvm/trunk/lib/DebugInfo/PDB/Raw/NameMap.cpp Sat May 28 00:59:25 2016
@@ -50,6 +50,8 @@ Error NameMap::load(codeview::StreamRead
                       make_error<RawError>(raw_error_code::corrupt_file,
                                            "Expected name map max strings"));
 
+  const uint32_t MaxNumberOfWords = UINT32_MAX / sizeof(uint32_t);
+
   // This appears to be a hash table which uses bitfields to determine whether
   // or not a bucket is 'present'.
   uint32_t NumPresentWords;
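Review bot: `MaxNumberOfWords` is declared without a comment saying what the limit protects, so `UINT32_MAX / sizeof(uint32_t)` reads as an arbitrary cap. If the intent is to keep a later conversion of the word count into a byte count within 32 bits, state that above the declaration, for example `// Largest word count whose size in bytes still fits in a uint32_t.` The code that consumes the counts is outside this hunk, so the exact overflow being guarded should be confirmed against the rest of NameMap::load.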
@@ -58,6 +60,10 @@ Error NameMap::load(codeview::StreamRead
                       make_error<RawError>(raw_error_code::corrupt_file,
                                            "Expected name map num words"));
 
+  if (NumPresentWords > MaxNumberOfWords)
+    return make_error<RawError>(raw_error_code::corrupt_file,
+                                "Number of present words is too large");
+
   // Store all the 'present' bits in a vector for later processing.
   SmallVector<uint32_t, 1> PresentWords;
   for (uint32_t I = 0; I != NumPresentWords; ++I) {
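Review bot: The new check on `NumPresentWords` accepts any count up to `UINT32_MAX / sizeof(uint32_t)` (about 2^30 words), a limit that is unrelated to how much data the stream actually holds. The loop that follows fills `PresentWords` one word per iteration. Its body is outside the hunk, so it cannot be confirmed from here that a short stream stops it early. If it does not, a corrupt PDB could still drive a very large allocation and a long loop. Consider also rejecting a count larger than the bytes remaining in the stream divided by `sizeof(uint32_t)`, which ties the bound to the input size. The same applies to the `NumDeletedWords` check in the next hunk.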
@@ -79,6 +85,10 @@ Error NameMap::load(codeview::StreamRead
         make_error<RawError>(raw_error_code::corrupt_file,
                              "Expected name map num deleted words"));
 
+  if (NumDeletedWords > MaxNumberOfWords)
+    return make_error<RawError>(raw_error_code::corrupt_file,
+                                "Number of deleted words is too large");
+
   // Store all the 'deleted' bits in a vector for later processing.
   SmallVector<uint32_t, 1> DeletedWords;
   for (uint32_t I = 0; I != NumDeletedWords; ++I) {



