From 19d3fdb08b722a4a66b21b3e08d2008c95f968e8 Mon Sep 17 00:00:00 2001
From: Florian Hahn <flo@fhahn.com>
Date: Sun, 14 Jul 2019 14:06:25 +0000
Subject: Recommit "[BitcodeReader] Validate OpNum, before accessing Record
 array."

This recommits r365750 (git commit 8b222ecf2769ee133691f208f6166ce118c4a164)

Original message:

   Currently invalid bitcode files can cause a crash, when OpNum exceeds
   the number of elements in Record, like in the attached bitcode file.

   The test case was generated by clusterfuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15698

   Reviewers: t.p.northover, thegameg, jfb

   Reviewed By: jfb

   Differential Revision: https://reviews.llvm.org/D64507

   llvm-svn: 365750jkkkk

llvm-svn: 366018
---
 llvm/lib/Bitcode/Reader/BitcodeReader.cpp | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'llvm/lib/Bitcode/Reader/BitcodeReader.cpp')

diff --git a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
index d07edef..6cad3b9 100644
--- a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -4171,6 +4171,10 @@ Error BitcodeReader::parseFunctionBody(Function *F) {
           popValue(Record, OpNum, NextValueNo, LHS->getType(), RHS))
         return error("Invalid record");
 
+      if (OpNum >= Record.size())
+        return error(
+            "Invalid record: operand number exceeded available operands");
+
       unsigned PredVal = Record[OpNum];
       bool IsFP = LHS->getType()->isFPOrFPVectorTy();
       FastMathFlags FMF;
-- 
cgit v1.1