From bad0779f6310af38570f4fcfc68ea876d5e4dca7 Mon Sep 17 00:00:00 2001
From: Filipe Cabecinhas
Date: Thu, 30 Apr 2015 00:52:42 +0000
Subject: Make sure we don't resize(0) when we get a fwdref with Idx == UINT_MAX
Make it an error instead.
Bug found with AFL fuzz.
llvm-svn: 236190
---
 llvm/lib/Bitcode/Reader/BitcodeReader.cpp | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'llvm/lib/Bitcode/Reader/BitcodeReader.cpp')
diff --git a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
index f49a538..7778125 100644
--- a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -790,6 +790,10 @@ Constant *BitcodeReaderValueList::getConstantFwdRef(unsigned Idx,
 }
 
 Value *BitcodeReaderValueList::getValueFwdRef(unsigned Idx, Type *Ty) {
+  // Bail out for a clearly invalid value. This would make us call resize(0)
+  if (Idx == UINT_MAX)
+    return nullptr;
+
   if (Idx >= size())
     resize(Idx + 1);
-- 
cgit v1.1