[llvm] r366018 - Recommit "[BitcodeReader] Validate OpNum, before accessing Record array."

Florian Hahn via llvm-commits llvm-commits at lists.llvm.org
Sun Jul 14 07:06:26 PDT 2019


Author: fhahn
Date: Sun Jul 14 07:06:25 2019
New Revision: 366018

URL: http://llvm.org/viewvc/llvm-project?rev=366018&view=rev
Log:
Recommit "[BitcodeReader] Validate OpNum, before accessing Record array."

This recommits r365750 (git commit 8b222ecf2769ee133691f208f6166ce118c4a164)

Original message:

   Currently invalid bitcode files can cause a crash, when OpNum exceeds
   the number of elements in Record, like in the attached bitcode file.

   The test case was generated by clusterfuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15698

   Reviewers: t.p.northover, thegameg, jfb

   Reviewed By: jfb

   Differential Revision: https://reviews.llvm.org/D64507

   llvm-svn: 365750

Added:
    llvm/trunk/test/Bitcode/Inputs/invalid-fcmp-opnum.bc   (with props)
Modified:
    llvm/trunk/lib/Bitcode/Reader/BitcodeReader.cpp
    llvm/trunk/test/Bitcode/invalid.test

Modified: llvm/trunk/lib/Bitcode/Reader/BitcodeReader.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Bitcode/Reader/BitcodeReader.cpp?rev=366018&r1=366017&r2=366018&view=diff
==============================================================================
--- llvm/trunk/lib/Bitcode/Reader/BitcodeReader.cpp (original)
+++ llvm/trunk/lib/Bitcode/Reader/BitcodeReader.cpp Sun Jul 14 07:06:25 2019
@@ -4171,6 +4171,10 @@ Error BitcodeReader::parseFunctionBody(F
           popValue(Record, OpNum, NextValueNo, LHS->getType(), RHS))
         return error("Invalid record");
 
+      if (OpNum >= Record.size())
+        return error(
+            "Invalid record: operand number exceeded available operands");
+
       unsigned PredVal = Record[OpNum];
       bool IsFP = LHS->getType()->isFPOrFPVectorTy();
       FastMathFlags FMF;
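
Review bot: The new `OpNum >= Record.size()` guard protects only the single `Record[OpNum]` read for `PredVal`, and the `FastMathFlags FMF` declaration right after it suggests a further optional operand may be read from `Record` later in this case. Please confirm that any later `Record[...]` access in this block is bounds-checked as well, so a truncated record cannot get past the predicate check and fail further down. A one-line comment above the check saying that `popValue` advances `OpNum` without guaranteeing a trailing predicate operand would also make clear why this check is needed in addition to the "Invalid record" return just above it.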

Added: llvm/trunk/test/Bitcode/Inputs/invalid-fcmp-opnum.bc
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Bitcode/Inputs/invalid-fcmp-opnum.bc?rev=366018&view=auto
==============================================================================
Binary file - no diff available.

Propchange: llvm/trunk/test/Bitcode/Inputs/invalid-fcmp-opnum.bc
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Modified: llvm/trunk/test/Bitcode/invalid.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Bitcode/invalid.test?rev=366018&r1=366017&r2=366018&view=diff
==============================================================================
--- llvm/trunk/test/Bitcode/invalid.test (original)
+++ llvm/trunk/test/Bitcode/invalid.test Sun Jul 14 07:06:25 2019
@@ -235,3 +235,8 @@ RUN: not llvm-dis -disable-output %p/Inp
 RUN:   FileCheck --check-prefix=NONPOINTER-ATOMICRMW %s
 
 NONPOINTER-ATOMICRMW: Invalid record
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-fcmp-opnum.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=INVALID-FCMP-OPNUM %s
+
+INVALID-FCMP-OPNUM: Invalid record: operand number exceeded available operands
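
Review bot: The added RUN lines for `invalid-fcmp-opnum.bc` carry no comment on where the input came from or what is malformed in it, and the file is committed as a binary with no diff, so a later reader cannot tell what the test protects against. Consider adding a short comment above the RUN line that names the fuzzer report from the commit message and says the record has fewer operands than `OpNum` expects. Matching the full "operand number exceeded available operands" string is good, since it distinguishes this path from the generic "Invalid record" checks earlier in the file.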



