[PATCH] Verify sizes when trying to read a BitcodeAbbrevOp

Filipe Cabecinhas filcab+llvm.phabricator at gmail.com
Wed Apr 15 10:10:40 PDT 2015 

Hi rafael,

Make sure we don't try to read more than we can when reading abbrev
operands.

Bug found with AFL fuzz.

http://reviews.llvm.org/D9030

Files:
  include/llvm/Bitcode/BitstreamReader.h
  lib/Bitcode/Reader/BitstreamReader.cpp
  test/Bitcode/Inputs/invalid-VBR-too-big.bc
  test/Bitcode/invalid.test

Index: include/llvm/Bitcode/BitstreamReader.h
===================================================================
--- include/llvm/Bitcode/BitstreamReader.h
+++ include/llvm/Bitcode/BitstreamReader.h
@@ -212,6 +212,8 @@
     CurCodeSize = 2;
   }
 
+  size_t MaxChunkSize() { return sizeof(word_t) * 8; }
+
   void freeState();
 
   bool canSkipToPos(size_t pos) const {
@@ -335,7 +337,7 @@
   }
 
   word_t Read(unsigned NumBits) {
-    static const unsigned BitsInWord = sizeof(word_t) * 8;
+    static const unsigned BitsInWord = MaxChunkSize();
 
     assert(NumBits && NumBits <= BitsInWord &&
            "Cannot return zero or more than BitsInWord bits!");
Index: lib/Bitcode/Reader/BitstreamReader.cpp
===================================================================
--- lib/Bitcode/Reader/BitstreamReader.cpp
+++ lib/Bitcode/Reader/BitstreamReader.cpp
@@ -60,8 +60,12 @@
   case BitCodeAbbrevOp::Blob:
     llvm_unreachable("Should not reach here");
   case BitCodeAbbrevOp::Fixed:
+    if ((unsigned)Op.getEncodingData() > Cursor.MaxChunkSize())
+      report_fatal_error("Invalid record");
     return Cursor.Read((unsigned)Op.getEncodingData());
   case BitCodeAbbrevOp::VBR:
+    if ((unsigned)Op.getEncodingData() > Cursor.MaxChunkSize())
+      report_fatal_error("Invalid record");
     return Cursor.ReadVBR64((unsigned)Op.getEncodingData());
   case BitCodeAbbrevOp::Char6:
     return BitCodeAbbrevOp::DecodeChar6(Cursor.Read(6));
@@ -79,9 +83,13 @@
   case BitCodeAbbrevOp::Blob:
     llvm_unreachable("Should not reach here");
   case BitCodeAbbrevOp::Fixed:
+    if ((unsigned)Op.getEncodingData() > Cursor.MaxChunkSize())
+      report_fatal_error("Invalid record");
     Cursor.Read((unsigned)Op.getEncodingData());
     break;
   case BitCodeAbbrevOp::VBR:
+    if ((unsigned)Op.getEncodingData() > Cursor.MaxChunkSize())
+      report_fatal_error("Invalid record");
     Cursor.ReadVBR64((unsigned)Op.getEncodingData());
     break;
   case BitCodeAbbrevOp::Char6:
Index: test/Bitcode/invalid.test
===================================================================
--- test/Bitcode/invalid.test
+++ test/Bitcode/invalid.test
@@ -55,3 +55,8 @@
 RUN:   FileCheck --check-prefix=NO-MODULE %s
 
 NO-MODULE: Malformed IR file
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-VBR-too-big.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=HUGE-VBR %s
+
+HUGE-VBR: Invalid record

EMAIL PREFERENCES
  http://reviews.llvm.org/settings/panel/emailpreferences/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D9030.23782.patch
Type: text/x-patch
Size: 2403 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20150415/2b01ac01/attachment.bin>

More information about the llvm-commits mailing list