[Bitcode reader] Fix a few assertions when reading invalid files

Summary: When creating {insert,extract}value instructions from a BitcodeReader, we weren't verifying the fields were valid. Bugs found with afl-fuzz Reviewers: rafael Subscribers: llvm-commits Differential Revision: http://reviews.llvm.org/D7325 llvm-svn: 229345
author: Filipe Cabecinhas <me@filcab.net> 2015-02-16 00:03:11 +0000
committer: Filipe Cabecinhas <me@filcab.net> 2015-02-16 00:03:11 +0000
commit: ecf8f7f49bea56efa30b64dca9a0de936ed6dc53 (patch)
tree: 0f4edff46def28bc1d6bdc5e765eacba31490436 /llvm/lib/Bitcode/Reader/BitcodeReader.cpp
parent: c4d7bc3fccf6cb9f20e29794245a63e9965a4596 (diff)
download: llvm-ecf8f7f49bea56efa30b64dca9a0de936ed6dc53.zip
llvm-ecf8f7f49bea56efa30b64dca9a0de936ed6dc53.tar.gz
llvm-ecf8f7f49bea56efa30b64dca9a0de936ed6dc53.tar.bz2
1 files changed, 32 insertions, 0 deletions
diff --git a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
index 92a1dcc..4fe054d 100644
--- a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -3065,12 +3065,27 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
         return Error("Invalid record");
 
       SmallVector<unsigned, 4> EXTRACTVALIdx;
+      Type *CurTy = Agg->getType();
       for (unsigned RecSize = Record.size();
            OpNum != RecSize; ++OpNum) {
+        bool IsArray = CurTy->isArrayTy();
+        bool IsStruct = CurTy->isStructTy();
         uint64_t Index = Record[OpNum];
+
+        if (!IsStruct && !IsArray)
+          return Error("EXTRACTVAL: Invalid type");
         if ((unsigned)Index != Index)
           return Error("Invalid value");
+        if (IsStruct && Index >= CurTy->subtypes().size())
+          return Error("EXTRACTVAL: Invalid struct index");
+        if (IsArray && Index >= CurTy->getArrayNumElements())
+          return Error("EXTRACTVAL: Invalid array index");
         EXTRACTVALIdx.push_back((unsigned)Index);
+
+        if (IsStruct)
+          CurTy = CurTy->subtypes()[Index];
+        else
+          CurTy = CurTy->subtypes()[0];
       }
 
       I = ExtractValueInst::Create(Agg, EXTRACTVALIdx);
@@ -3089,12 +3104,29 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
         return Error("Invalid record");
 
       SmallVector<unsigned, 4> INSERTVALIdx;
+      Type *CurTy = Agg->getType();
       for (unsigned RecSize = Record.size();
            OpNum != RecSize; ++OpNum) {
+        bool IsArray = CurTy->isArrayTy();
+        bool IsStruct = CurTy->isStructTy();
         uint64_t Index = Record[OpNum];
+
+        if (!IsStruct && !IsArray)
+          return Error("INSERTVAL: Invalid type");
+        if (!CurTy->isStructTy() && !CurTy->isArrayTy())
+          return Error("Invalid type");
         if ((unsigned)Index != Index)
           return Error("Invalid value");
+        if (IsStruct && Index >= CurTy->subtypes().size())
+          return Error("INSERTVAL: Invalid struct index");
+        if (IsArray && Index >= CurTy->getArrayNumElements())
+          return Error("INSERTVAL: Invalid array index");
+
         INSERTVALIdx.push_back((unsigned)Index);
+        if (IsStruct)
+          CurTy = CurTy->subtypes()[Index];
+        else
+          CurTy = CurTy->subtypes()[0];
       }
 
       I = InsertValueInst::Create(Agg, Val, INSERTVALIdx);
author	Filipe Cabecinhas <me@filcab.net>	2015-02-16 00:03:11 +0000
committer	Filipe Cabecinhas <me@filcab.net>	2015-02-16 00:03:11 +0000
commit	ecf8f7f49bea56efa30b64dca9a0de936ed6dc53 (patch)
tree	0f4edff46def28bc1d6bdc5e765eacba31490436 /llvm/lib/Bitcode/Reader/BitcodeReader.cpp
parent	c4d7bc3fccf6cb9f20e29794245a63e9965a4596 (diff)
download	llvm-ecf8f7f49bea56efa30b64dca9a0de936ed6dc53.zip llvm-ecf8f7f49bea56efa30b64dca9a0de936ed6dc53.tar.gz llvm-ecf8f7f49bea56efa30b64dca9a0de936ed6dc53.tar.bz2