Bounds check the number of bitmap blocks in the name map

llvm-svn: 271105

1 files changed, 10 insertions, 0 deletions

diff --git a/llvm/lib/DebugInfo/PDB/Raw/NameMap.cpp b/llvm/lib/DebugInfo/PDB/Raw/NameMap.cpp
index e1a248a..ad60a44 100644
--- a/llvm/lib/DebugInfo/PDB/Raw/NameMap.cpp
+++ b/llvm/lib/DebugInfo/PDB/Raw/NameMap.cpp
@@ -50,6 +50,8 @@ Error NameMap::load(codeview::StreamReader &Stream) {
                       make_error<RawError>(raw_error_code::corrupt_file,
                                            "Expected name map max strings"));
 
+  const uint32_t MaxNumberOfWords = UINT32_MAX / sizeof(uint32_t);
+
   // This appears to be a hash table which uses bitfields to determine whether
   // or not a bucket is 'present'.
   uint32_t NumPresentWords;
@@ -58,6 +60,10 @@ Error NameMap::load(codeview::StreamReader &Stream) {
                       make_error<RawError>(raw_error_code::corrupt_file,
                                            "Expected name map num words"));
 
+  if (NumPresentWords > MaxNumberOfWords)
+    return make_error<RawError>(raw_error_code::corrupt_file,
+                                "Number of present words is too large");
+
   // Store all the 'present' bits in a vector for later processing.
   SmallVector<uint32_t, 1> PresentWords;
   for (uint32_t I = 0; I != NumPresentWords; ++I) {
@@ -79,6 +85,10 @@ Error NameMap::load(codeview::StreamReader &Stream) {
         make_error<RawError>(raw_error_code::corrupt_file,
                              "Expected name map num deleted words"));
 
+  if (NumDeletedWords > MaxNumberOfWords)
+    return make_error<RawError>(raw_error_code::corrupt_file,
+                                "Number of deleted words is too large");
+
   // Store all the 'deleted' bits in a vector for later processing.
   SmallVector<uint32_t, 1> DeletedWords;
   for (uint32_t I = 0; I != NumDeletedWords; ++I) {