[llvm] 4784987 - Fix a 32-bit overflow issue when reading LTO-generated bitcode files whose strtab are of size > 2^29

Jianzhou Zhao via llvm-commits llvm-commits at lists.llvm.org
Tue Aug 25 22:51:22 PDT 2020 

Author: Jianzhou Zhao
Date: 2020-08-26T05:47:22Z
New Revision: 47849870278ce05cde03d41f03fd3a1e65ee22a6

URL: https://github.com/llvm/llvm-project/commit/47849870278ce05cde03d41f03fd3a1e65ee22a6
DIFF: https://github.com/llvm/llvm-project/commit/47849870278ce05cde03d41f03fd3a1e65ee22a6.diff

LOG: Fix a 32-bit overflow issue when reading LTO-generated bitcode files whose strtab are of size > 2^29

This happens when using -flto and -Wl,--plugin-opt=emit-llvm to create a linked LTO bitcode file, and the bitcode file has a strtab with size > 2^29.

All the issues relate to a pattern like this
  size_t x64 = y64 + z32 * C
  When z32 is >= (2^32)/C, z32 * C overflows.

Reviewed-by: MaskRay

Differential Revision: https://reviews.llvm.org/D86500

Added: 
    

Modified: 
    llvm/lib/Bitstream/Reader/BitstreamReader.cpp

Removed: 
    


################################################################################
diff  --git a/llvm/lib/Bitstream/Reader/BitstreamReader.cpp b/llvm/lib/Bitstream/Reader/BitstreamReader.cpp
index 2739137c1e44..2f153f1e7809 100644
--- a/llvm/lib/Bitstream/Reader/BitstreamReader.cpp
+++ b/llvm/lib/Bitstream/Reader/BitstreamReader.cpp
@@ -156,8 +156,9 @@ Expected<unsigned> BitstreamCursor::skipRecord(unsigned AbbrevID) {
         report_fatal_error("Array element type can't be an Array or a Blob");
       case BitCodeAbbrevOp::Fixed:
         assert((unsigned)EltEnc.getEncodingData() <= MaxChunkSize);
-        if (Error Err = JumpToBit(GetCurrentBitNo() +
-                                  NumElts * EltEnc.getEncodingData()))
+        if (Error Err =
+                JumpToBit(GetCurrentBitNo() + static_cast<uint64_t>(NumElts) *
+                                                  EltEnc.getEncodingData()))
           return std::move(Err);
         break;
       case BitCodeAbbrevOp::VBR:
@@ -186,7 +187,8 @@ Expected<unsigned> BitstreamCursor::skipRecord(unsigned AbbrevID) {
     SkipToFourByteBoundary();  // 32-bit alignment
 
     // Figure out where the end of this blob will be including tail padding.
-    size_t NewEnd = GetCurrentBitNo()+((NumElts+3)&~3)*8;
+    const size_t NewEnd =
+        GetCurrentBitNo() + ((static_cast<uint64_t>(NumElts) + 3) & ~3) * 8;
 
     // If this would read off the end of the bitcode file, just set the
     // record to empty and return.
@@ -314,7 +316,8 @@ Expected<unsigned> BitstreamCursor::readRecord(unsigned AbbrevID,
 
     // Figure out where the end of this blob will be including tail padding.
     size_t CurBitPos = GetCurrentBitNo();
-    size_t NewEnd = CurBitPos+((NumElts+3)&~3)*8;
+    const size_t NewEnd =
+        CurBitPos + ((static_cast<uint64_t>(NumElts) + 3) & ~3) * 8;
 
     // If this would read off the end of the bitcode file, just set the
     // record to empty and return.

More information about the llvm-commits mailing list