[PATCH] D86500: Fix a 32-bit overflow issue when reading LTO-generated bitcode files whose strtab are of size > 2^29
Stephan Z via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Mon Aug 24 17:47:56 PDT 2020
stephan.yichao.zhao created this revision.
stephan.yichao.zhao added reviewers: void, MaskRay, bkramer.
Herald added subscribers: llvm-commits, dexonsmith, hiraditya, inglorion.
Herald added a project: LLVM.
stephan.yichao.zhao requested review of this revision.
This happens when using -flto and -Wl,--plugin-opt=emit-llvm to create a linked LTO bitcode file, and the bitcode file has a strtab with size > 2^29.
The code path is GetBitcodeFileContents->readBlobInRecord->readRecord.
All the changes relate to a pattern like this:
size_t x64 = y64 + z32 * C
When z32 is >= (2^32)/C, z32 * C overflows.
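Added example, not part of this patch or of LLVM's own code: a stand-alone reconstruction of the blob-length expression from the hunks, computed the pre-patch way (32-bit arithmetic on NumElts) and the patched way, next to a stand-in for the "would read off the end" check the reader performs afterwards. The function names, the bit position 64 and the buffer sizes are assumptions chosen for illustration.

```cpp
#include <cstdint>

// Pre-patch shape of the blob-length computation: NumElts is the 32-bit
// element count read from the record, so (NumElts + 3) & ~3 and the * 8
// are evaluated as 32-bit unsigned and wrap before being added to the
// 64-bit bit position. Wrap-around happens once NumElts >= 2^29.
static uint64_t blobEndBitsWrapped(uint64_t CurBitPos, unsigned NumElts) {
  return CurBitPos + ((NumElts + 3) & ~3) * 8;
}

// Patched shape: widening NumElts first makes every step 64-bit.
// ~3 is an int literal, but it converts to 0xFFFFFFFFFFFFFFFC when
// combined with the uint64_t operand, so the mask is still correct.
static uint64_t blobEndBitsFixed(uint64_t CurBitPos, unsigned NumElts) {
  return CurBitPos + ((static_cast<uint64_t>(NumElts) + 3) & ~3) * 8;
}

// Stand-in (assumed shape) for the bounds check that follows in the reader:
// true when the blob, including tail padding, still lies inside the buffer.
static bool blobFits(uint64_t NewEnd, uint64_t BufferSizeBits) {
  return NewEnd <= BufferSizeBits;
}

// Small counts are unaffected: both forms agree.
static bool smallCountsAgree() {
  return blobEndBitsWrapped(64, 5) == blobEndBitsFixed(64, 5) &&
         blobEndBitsFixed(64, 5) == 128;
}

// A 2^29-element blob in a 1024-bit buffer: the wrapped end equals the
// start position, so the bounds check wrongly passes; the fixed end is
// past the buffer and the check rejects it.
static bool wrapDefeatsBoundsCheck() {
  const unsigned NumElts = 1u << 29;
  return blobFits(blobEndBitsWrapped(64, NumElts), 1024) &&
         !blobFits(blobEndBitsFixed(64, NumElts), 1024);
}
```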
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D86500
Files:
llvm/lib/Bitstream/Reader/BitstreamReader.cpp
Index: llvm/lib/Bitstream/Reader/BitstreamReader.cpp
===================================================================
--- llvm/lib/Bitstream/Reader/BitstreamReader.cpp
+++ llvm/lib/Bitstream/Reader/BitstreamReader.cpp
@@ -156,8 +156,9 @@
report_fatal_error("Array element type can't be an Array or a Blob");
case BitCodeAbbrevOp::Fixed:
assert((unsigned)EltEnc.getEncodingData() <= MaxChunkSize);
- if (Error Err = JumpToBit(GetCurrentBitNo() +
- NumElts * EltEnc.getEncodingData()))
+ if (Error Err =
+ JumpToBit(GetCurrentBitNo() + static_cast<uint64_t>(NumElts) *
+ EltEnc.getEncodingData()))
return std::move(Err);
break;
case BitCodeAbbrevOp::VBR:
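Review bot: the static_cast on NumElts in this hunk may be a no-op: the `(unsigned)` cast in the assert two lines above suggests getEncodingData() already returns a type wider than 32 bits, in which case `NumElts * EltEnc.getEncodingData()` was promoted to 64 bits before the patch. Please confirm the operand types; if this product never overflowed, either drop the hunk or say in the description that it is for uniformity, so the commit message names only the real overflow sites (the `* 8` blob computations in the following hunks).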
@@ -186,7 +187,8 @@
SkipToFourByteBoundary(); // 32-bit alignment
// Figure out where the end of this blob will be including tail padding.
- size_t NewEnd = GetCurrentBitNo()+((NumElts+3)&~3)*8;
+ size_t NewEnd =
+ GetCurrentBitNo() + ((static_cast<uint64_t>(NumElts) + 3) & ~3) * 8;
// If this would read off the end of the bitcode file, just set the
// record to empty and return.
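Review bot: `size_t NewEnd` on the + line still truncates the 64-bit result on 32-bit hosts, so the fix only fully holds where size_t is 64 bits. Since the "would read off the end of the bitcode file" check right after this line compares NewEnd, a wrapped or truncated value lets an oversized blob pass that check, which matters for malformed input as much as for large LTO strtabs; suggest `uint64_t NewEnd =` (GetCurrentBitNo() is already the 64-bit side of the sum). Minor: `~3` is an int literal that converts to 0xFFFFFFFFFFFFFFFC against the uint64_t operand, so the mask is correct, but `~uint64_t(3)` would make the intent explicit.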
@@ -314,7 +316,7 @@
// Figure out where the end of this blob will be including tail padding.
size_t CurBitPos = GetCurrentBitNo();
- size_t NewEnd = CurBitPos+((NumElts+3)&~3)*8;
+ size_t NewEnd = CurBitPos + ((static_cast<uint64_t>(NumElts) + 3) & ~3) * 8;
// If this would read off the end of the bitcode file, just set the
// record to empty and return.
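Review bot: same size_t concern as the previous hunk, and here the unchanged context line `size_t CurBitPos = GetCurrentBitNo();` narrows the position before the arithmetic even starts, so on a 32-bit host the cast on NumElts does not help; make CurBitPos and NewEnd uint64_t together. Also, no test accompanies the change: a strtab larger than 2^29 bytes is impractical to check in, but a BitstreamReader unit test that feeds a synthetic blob record with NumElts around 2^29 into a short buffer could assert that the "read off the end" path yields the empty record instead of wrapping.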