[llvm] r235595 - Verify sizes when trying to read a BitcodeAbbrevOp
Filipe Cabecinhas
me at filcab.net
Thu Apr 23 06:25:35 PDT 2015
Author: filcab
Date: Thu Apr 23 08:25:35 2015
New Revision: 235595
URL: http://llvm.org/viewvc/llvm-project?rev=235595&view=rev
Log:
Verify sizes when trying to read a BitcodeAbbrevOp
Summary:
Make sure the abbrev operands are valid and that we can read/skip them
afterwards.
Bug found with AFL fuzz.
Reviewers: rafael
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D9030
Added:
llvm/trunk/test/Bitcode/Inputs/invalid-abbrev-fixed-size-too-big.bc
llvm/trunk/test/Bitcode/Inputs/invalid-abbrev-vbr-size-too-big.bc
Modified:
llvm/trunk/include/llvm/Bitcode/BitstreamReader.h
llvm/trunk/lib/Bitcode/Reader/BitstreamReader.cpp
llvm/trunk/test/Bitcode/invalid.test
Modified: llvm/trunk/include/llvm/Bitcode/BitstreamReader.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/include/llvm/Bitcode/BitstreamReader.h?rev=235595&r1=235594&r2=235595&view=diff
==============================================================================
--- llvm/trunk/include/llvm/Bitcode/BitstreamReader.h (original)
+++ llvm/trunk/include/llvm/Bitcode/BitstreamReader.h Thu Apr 23 08:25:35 2015
@@ -198,6 +198,8 @@ class BitstreamCursor {
public:
+ static const size_t MaxChunkSize = sizeof(word_t) * 8;
+
BitstreamCursor() { init(nullptr); }
explicit BitstreamCursor(BitstreamReader &R) { init(&R); }
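Review bot: The new public member `static const size_t MaxChunkSize = sizeof(word_t) * 8;` is the bound the whole fix hangs on, yet it carries no comment saying what it bounds; I would document it as `/// Widest chunk, in bits, that a single Read() may return (see its assert); Fixed and VBR abbrev operand widths are validated against this in ReadAbbrevRecord().` Two smaller points on how it is declared: a bit width that is handed to `Read(unsigned)` is more naturally an `unsigned` than a `size_t`, which would also avoid the silent size_t-to-unsigned narrowing when `BitsInWord` is initialised from it in the next hunk; and, since this header targets pre-C++17 toolchains, an in-class-initialised `static const` member still needs an out-of-line definition if it is ever odr-used (bound to a reference, e.g. passed to `std::min`), so either keep all uses as plain comparisons or add the definition to BitstreamReader.cpp. The class body continues outside the hunk.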
@@ -335,7 +337,7 @@ public:
}
word_t Read(unsigned NumBits) {
- static const unsigned BitsInWord = sizeof(word_t) * 8;
+ static const unsigned BitsInWord = MaxChunkSize;
assert(NumBits && NumBits <= BitsInWord &&
"Cannot return zero or more than BitsInWord bits!");
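Review bot: After this change `BitsInWord` is only an alias for `MaxChunkSize`, and the assert text still names the alias rather than the class constant that callers now see in the header. Dropping the local and asserting directly, `assert(NumBits && NumBits <= MaxChunkSize && "Cannot return zero or more than MaxChunkSize bits!");`, keeps one name for the bound across the header and BitstreamReader.cpp. Read() continues past the end of the hunk.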
Modified: llvm/trunk/lib/Bitcode/Reader/BitstreamReader.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Bitcode/Reader/BitstreamReader.cpp?rev=235595&r1=235594&r2=235595&view=diff
==============================================================================
--- llvm/trunk/lib/Bitcode/Reader/BitstreamReader.cpp (original)
+++ llvm/trunk/lib/Bitcode/Reader/BitstreamReader.cpp Thu Apr 23 08:25:35 2015
@@ -60,8 +60,10 @@ static uint64_t readAbbreviatedField(Bit
case BitCodeAbbrevOp::Blob:
llvm_unreachable("Should not reach here");
case BitCodeAbbrevOp::Fixed:
+ assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
return Cursor.Read((unsigned)Op.getEncodingData());
case BitCodeAbbrevOp::VBR:
+ assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
return Cursor.ReadVBR64((unsigned)Op.getEncodingData());
case BitCodeAbbrevOp::Char6:
return BitCodeAbbrevOp::DecodeChar6(Cursor.Read(6));
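Review bot: The added asserts cast `Op.getEncodingData()` to `unsigned` before comparing with `Cursor.MaxChunkSize`, so if the encoding data is wider than `unsigned` (the existing `(unsigned)` casts on the Read/ReadVBR64 calls suggest it is), a value whose low 32 bits are small but whose high bits are set would pass the check and then be truncated into the read; comparing the untruncated value, `assert(Op.getEncodingData() <= Cursor.MaxChunkSize);`, closes that gap. The same pattern appears in the two asserts added to skipAbbreviatedField in the next hunk. Since these are asserts they disappear in NDEBUG builds, so the only enforcement at runtime is the report_fatal_error in ReadAbbrevRecord(); a one-line comment such as `// Width was validated in ReadAbbrevRecord(); this only documents the invariant.` would make that division of responsibility explicit for the next reader. readAbbreviatedField's signature and tail lie outside the hunk.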
@@ -79,9 +81,11 @@ static void skipAbbreviatedField(Bitstre
case BitCodeAbbrevOp::Blob:
llvm_unreachable("Should not reach here");
case BitCodeAbbrevOp::Fixed:
+ assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
Cursor.Read((unsigned)Op.getEncodingData());
break;
case BitCodeAbbrevOp::VBR:
+ assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
Cursor.ReadVBR64((unsigned)Op.getEncodingData());
break;
case BitCodeAbbrevOp::Char6:
@@ -264,6 +268,11 @@ void BitstreamCursor::ReadAbbrevRecord()
continue;
}
+ if ((E == BitCodeAbbrevOp::Fixed || E == BitCodeAbbrevOp::VBR) &&
+ Data > MaxChunkSize)
+ report_fatal_error(
+ "Fixed or VBR abbrev record with size > MaxChunkData");
+
Abbv->Add(BitCodeAbbrevOp(E, Data));
} else
Abbv->Add(BitCodeAbbrevOp(E));
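Review bot: The fatal-error text says `size > MaxChunkData` while the constant being compared is `MaxChunkSize`, so a user searching the source for the name in the message will not find it; I would make them agree, `"Fixed or VBR abbrev record with size > MaxChunkSize"`, noting that invalid.test pins this string with its HUGE-ABBREV-OP prefix and must be updated in the same commit. `Data` is declared outside the hunk; if it is the 64-bit value ReadVBR64 returns, the comparison against a size_t is fine on both 32- and 64-bit hosts because it promotes to the wider type. The lower bound may also deserve a look: a VBR width of 1 leaves no payload bits per chunk, so whether ReadVBR64 terminates on such an operand is worth confirming against its loop, which is not visible here. ReadAbbrevRecord() begins and ends outside the hunk.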
Added: llvm/trunk/test/Bitcode/Inputs/invalid-abbrev-fixed-size-too-big.bc
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Bitcode/Inputs/invalid-abbrev-fixed-size-too-big.bc?rev=235595&view=auto
==============================================================================
Binary files llvm/trunk/test/Bitcode/Inputs/invalid-abbrev-fixed-size-too-big.bc (added) and llvm/trunk/test/Bitcode/Inputs/invalid-abbrev-fixed-size-too-big.bc Thu Apr 23 08:25:35 2015 differ
Added: llvm/trunk/test/Bitcode/Inputs/invalid-abbrev-vbr-size-too-big.bc
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Bitcode/Inputs/invalid-abbrev-vbr-size-too-big.bc?rev=235595&view=auto
==============================================================================
Binary files llvm/trunk/test/Bitcode/Inputs/invalid-abbrev-vbr-size-too-big.bc (added) and llvm/trunk/test/Bitcode/Inputs/invalid-abbrev-vbr-size-too-big.bc Thu Apr 23 08:25:35 2015 differ
Modified: llvm/trunk/test/Bitcode/invalid.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Bitcode/invalid.test?rev=235595&r1=235594&r2=235595&view=diff
==============================================================================
--- llvm/trunk/test/Bitcode/invalid.test (original)
+++ llvm/trunk/test/Bitcode/invalid.test Thu Apr 23 08:25:35 2015
@@ -66,3 +66,10 @@ RUN: not llvm-dis -disable-output %p/Inp
RUN: FileCheck --check-prefix=FP-SHIFT %s
FP-SHIFT: Invalid record
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev-vbr-size-too-big.bc 2>&1 | \
+RUN: FileCheck --check-prefix=HUGE-ABBREV-OP %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev-fixed-size-too-big.bc 2>&1 | \
+RUN: FileCheck --check-prefix=HUGE-ABBREV-OP %s
+
+HUGE-ABBREV-OP: Fixed or VBR abbrev record with size > MaxChunkData