[PATCH] Verify sizes when trying to read a BitcodeAbbrevOp

Filipe Cabecinhas filcab+llvm.phabricator at gmail.com
Thu Apr 23 03:23:42 PDT 2015


Changed MaxChunkSize to be a constant.
Made the check earlier, when abbrevs are read, and added asserts to
read/skipAbbreviatedField.
Replaced the test with two tests: one for a Fixed field and one for a VBR
field.


http://reviews.llvm.org/D9030

Files:
  include/llvm/Bitcode/BitstreamReader.h
  lib/Bitcode/Reader/BitstreamReader.cpp
  test/Bitcode/Inputs/invalid-abbrev-fixed-size-too-big.bc
  test/Bitcode/Inputs/invalid-abbrev-vbr-size-too-big.bc
  test/Bitcode/invalid.test

Index: include/llvm/Bitcode/BitstreamReader.h
===================================================================
--- include/llvm/Bitcode/BitstreamReader.h
+++ include/llvm/Bitcode/BitstreamReader.h
@@ -198,6 +198,8 @@
 
 
 public:
+  static const size_t MaxChunkSize = sizeof(word_t) * 8;
+
   BitstreamCursor() { init(nullptr); }
 
   explicit BitstreamCursor(BitstreamReader &R) { init(&R); }
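Review bot: `MaxChunkSize` is added as a public constant with no comment saying what it bounds, and since it is now the limit enforced on abbrev definitions read from untrusted bitcode it should state that, e.g. `/// Upper bound on the bit width of a single Fixed/VBR abbrev operand: one word_t.` above the declaration. It is a `static const size_t` initialized in-class; that is fine while it is only read by value as the new comparisons do, but binding it to a const reference (e.g. through std::min/std::max) would odr-use it and require an out-of-class definition before C++17. The enclosing BitstreamCursor class starts and ends outside this hunk.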
@@ -335,7 +337,7 @@
   }
 
   word_t Read(unsigned NumBits) {
-    static const unsigned BitsInWord = sizeof(word_t) * 8;
+    static const unsigned BitsInWord = MaxChunkSize;
 
     assert(NumBits && NumBits <= BitsInWord &&
            "Cannot return zero or more than BitsInWord bits!");
Index: lib/Bitcode/Reader/BitstreamReader.cpp
===================================================================
--- lib/Bitcode/Reader/BitstreamReader.cpp
+++ lib/Bitcode/Reader/BitstreamReader.cpp
@@ -60,8 +60,10 @@
   case BitCodeAbbrevOp::Blob:
     llvm_unreachable("Should not reach here");
   case BitCodeAbbrevOp::Fixed:
+    assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
     return Cursor.Read((unsigned)Op.getEncodingData());
   case BitCodeAbbrevOp::VBR:
+    assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
     return Cursor.ReadVBR64((unsigned)Op.getEncodingData());
   case BitCodeAbbrevOp::Char6:
     return BitCodeAbbrevOp::DecodeChar6(Cursor.Read(6));
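Review bot: The new asserts in the Fixed and VBR cases narrow the operand with `(unsigned)` before comparing, so an encoding value whose low 32 bits are small (say 2^32 + 8) would satisfy the assert and then be handed truncated to Read/ReadVBR64; the fatal check in ReadAbbrevRecord compares the untruncated `Data`, so the asserts should match it: `assert(Op.getEncodingData() <= Cursor.MaxChunkSize);` in both places. These are assertions and vanish in release builds, so the only hard guard on attacker-controlled input remains the report_fatal_error in ReadAbbrevRecord; a one-line comment such as `// Enforced when the abbrev was read; assert only.` would make that dependency explicit. The enclosing function (presumably readAbbreviatedField, per the description) starts and ends outside the hunk.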
@@ -79,9 +81,11 @@
   case BitCodeAbbrevOp::Blob:
     llvm_unreachable("Should not reach here");
   case BitCodeAbbrevOp::Fixed:
+    assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
     Cursor.Read((unsigned)Op.getEncodingData());
     break;
   case BitCodeAbbrevOp::VBR:
+    assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
     Cursor.ReadVBR64((unsigned)Op.getEncodingData());
     break;
   case BitCodeAbbrevOp::Char6:
@@ -264,6 +268,11 @@
         continue;
       }
 
+      if ((E == BitCodeAbbrevOp::Fixed || E == BitCodeAbbrevOp::VBR) &&
+          Data > MaxChunkSize)
+        report_fatal_error(
+            "Fixed or VBR abbrev record with size > MaxChunkData");
+
       Abbv->Add(BitCodeAbbrevOp(E, Data));
     } else
       Abbv->Add(BitCodeAbbrevOp(E));
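Review bot: The error message names `MaxChunkData` while the constant the check compares against is `MaxChunkSize`, which will send the next reader grepping for a symbol that does not exist; the message and the FileCheck pattern in invalid.test pin the same string, so both should become `"Fixed or VBR abbrev record with size > MaxChunkSize"`. The check only rejects widths above the word size; if ReadVBR64 takes its continuation bit from the top bit of each chunk (its body is outside this patch), a VBR width of 1 leaves no payload bits per chunk, so it may be worth confirming that case terminates or rejecting `Data < 2` for VBR here as well. The enclosing ReadAbbrevRecord starts and ends outside this hunk.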
Index: test/Bitcode/invalid.test
===================================================================
--- test/Bitcode/invalid.test
+++ test/Bitcode/invalid.test
@@ -66,3 +66,10 @@
 RUN:   FileCheck --check-prefix=FP-SHIFT %s
 
 FP-SHIFT: Invalid record
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev-vbr-size-too-big.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=HUGE-ABBREV-OP %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev-fixed-size-too-big.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=HUGE-ABBREV-OP %s
+
+HUGE-ABBREV-OP: Fixed or VBR abbrev record with size > MaxChunkData
