diff options
| author | Florian Hahn <flo@fhahn.com> | 2019-07-14 14:06:25 +0000 |
|---|---|---|
| committer | Florian Hahn <flo@fhahn.com> | 2019-07-14 14:06:25 +0000 |
| commit | 19d3fdb08b722a4a66b21b3e08d2008c95f968e8 (patch) | |
| tree | 4efb73ea758e4fb0dacc1632e08db3181ffbf018 /llvm/lib/Bitcode/Reader/BitcodeReader.cpp | |
| parent | 864474c9c72a647e1d9bc7546df86103ce043f4f (diff) | |
| download | llvm-19d3fdb08b722a4a66b21b3e08d2008c95f968e8.zip llvm-19d3fdb08b722a4a66b21b3e08d2008c95f968e8.tar.gz llvm-19d3fdb08b722a4a66b21b3e08d2008c95f968e8.tar.bz2 | |
Recommit "[BitcodeReader] Validate OpNum, before accessing Record array."
This recommits r365750 (git commit 8b222ecf2769ee133691f208f6166ce118c4a164)
Original message:
Currently invalid bitcode files can cause a crash, when OpNum exceeds
the number of elements in Record, like in the attached bitcode file.
The test case was generated by clusterfuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15698
Reviewers: t.p.northover, thegameg, jfb
Reviewed By: jfb
Differential Revision: https://reviews.llvm.org/D64507
llvm-svn: 365750jkkkk
llvm-svn: 366018
Diffstat (limited to 'llvm/lib/Bitcode/Reader/BitcodeReader.cpp')
| -rw-r--r-- | llvm/lib/Bitcode/Reader/BitcodeReader.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp index d07edef..6cad3b9 100644 --- a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp +++ b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp @@ -4171,6 +4171,10 @@ Error BitcodeReader::parseFunctionBody(Function *F) { popValue(Record, OpNum, NextValueNo, LHS->getType(), RHS)) return error("Invalid record"); + if (OpNum >= Record.size()) + return error( + "Invalid record: operand number exceeded available operands"); + unsigned PredVal = Record[OpNum]; bool IsFP = LHS->getType()->isFPOrFPVectorTy(); FastMathFlags FMF; |