[PATCH] D95554: [BitcodeReader] Validate Strtab before accessing.
Florian Hahn via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Wed Jan 27 11:57:02 PST 2021
fhahn created this revision.
fhahn added reviewers: arsenm, efriedma, t.p.northover, aprantl.
Herald added a subscriber: hiraditya.
fhahn requested review of this revision.
Herald added a subscriber: wdng.
Herald added a project: LLVM.
This fixes a crash with invalid bitcode files that have records
referencing names in Strtab, but Strtab is not present or the index is
out-of-bounds.
This fixes the following clusterfuzz issue:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29895
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D95554
Files:
llvm/lib/Bitcode/Reader/BitcodeReader.cpp
llvm/test/Bitcode/invalid-record-strtab.ll
llvm/test/Bitcode/invalid-record-strtab.ll.bc
Index: llvm/test/Bitcode/invalid-record-strtab.ll
===================================================================
--- /dev/null
+++ llvm/test/Bitcode/invalid-record-strtab.ll
@@ -0,0 +1,5 @@
+; Bitcode with an invalid record that indexes a name outside of strtab.
+
+; RUN: not llvm-dis %s.bc -o - 2>&1 | FileCheck %s
+
+; CHECK: error: Invalid record
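Review bot: The test covers only the out-of-bounds index named in its first comment line, while the description also lists bitcode where Strtab is not present; a second input for the missing-Strtab case would exercise the `Strtab.data()` half of the new condition. Since the `.bc` input is binary and cannot be read in the diff, a comment saying which record fields were altered would help future readers regenerate it. The BitcodeReader.cpp hunk in this patch skips `setPartition` on a bad index and shows no error return, so it is worth confirming which code path produces the `error: Invalid record` that the CHECK line matches.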
Index: llvm/lib/Bitcode/Reader/BitcodeReader.cpp
===================================================================
--- llvm/lib/Bitcode/Reader/BitcodeReader.cpp
+++ llvm/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -3374,9 +3374,12 @@
// Record[16] is the address space number.
- // Check whether we have enough values to read a partition name.
- if (Record.size() > 18)
+ // Check whether we have enough values to read a partition name. Also make
+ // Strtab has some data.
+ if (Record.size() > 18 && Strtab.data() &&
+ Record[17] + Record[18] <= Strtab.size()) {
Func->setPartition(StringRef(Strtab.data() + Record[17], Record[18]));
+ }
Type *FullTy = PointerType::get(FullFTy, AddrSpace);
assert(Func->getType() == flattenPointerTypes(FullTy) &&
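Review bot: The bounds check `Record[17] + Record[18] <= Strtab.size()` can wrap if the record values are unsigned 64-bit integers, so a very large offset paired with a suitable size would pass the check and still reach `Strtab.data() + Record[17]` out of bounds. Comparing without the addition avoids that, for example `Record[17] <= Strtab.size() && Record[18] <= Strtab.size() - Record[17]`. Separately, when the check fails the partition name is silently dropped and parsing continues; if an invalid index should reject the file, return an error here instead. The new comment is also missing a word ("Also make sure Strtab has some data").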