6502/llvm-6502
1
0
Fork 0
mirror of https://github.com/c64scene-ar/llvm-6502.git synced 2025-10-03 12:18:00 +00:00
Code Issues Projects Releases Wiki Activity

Verify sizes when trying to read a BitcodeAbbrevOp

Browse Source 
Summary:
Make sure the abbrev operands are valid and that we can read/skip them
afterwards.

Bug found with AFL fuzz.

Reviewers: rafael

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D9030

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@235595 91177308-0d34-0410-b5e6-96231b3b80d8
This commit is contained in:
Filipe Cabecinhas
2015-04-23 13:25:35 +00:00
parent 77aa4a8c4d
commit 81f9bd3e19
5 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
include/llvm/Bitcode/BitstreamReader.h
View File

@@ -198,6 +198,8 @@ class BitstreamCursor {
public: public:
static const size_t MaxChunkSize = sizeof(word_t) * 8;
BitstreamCursor() { init(nullptr); } BitstreamCursor() { init(nullptr); }
explicit BitstreamCursor(BitstreamReader &R) { init(&R); } explicit BitstreamCursor(BitstreamReader &R) { init(&R); }
@@ -335,7 +337,7 @@ public:
} }
word_t Read(unsigned NumBits) { word_t Read(unsigned NumBits) {
static const unsigned BitsInWord = sizeof(word_t) * 8; static const unsigned BitsInWord = MaxChunkSize;
assert(NumBits && NumBits <= BitsInWord && assert(NumBits && NumBits <= BitsInWord &&
"Cannot return zero or more than BitsInWord bits!"); "Cannot return zero or more than BitsInWord bits!");

9
lib/Bitcode/Reader/BitstreamReader.cpp
View File

@@ -60,8 +60,10 @@ static uint64_t readAbbreviatedField(BitstreamCursor &Cursor,
case BitCodeAbbrevOp::Blob: case BitCodeAbbrevOp::Blob:
llvm_unreachable("Should not reach here"); llvm_unreachable("Should not reach here");
case BitCodeAbbrevOp::Fixed: case BitCodeAbbrevOp::Fixed:
assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
return Cursor.Read((unsigned)Op.getEncodingData()); return Cursor.Read((unsigned)Op.getEncodingData());
case BitCodeAbbrevOp::VBR: case BitCodeAbbrevOp::VBR:
assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
return Cursor.ReadVBR64((unsigned)Op.getEncodingData()); return Cursor.ReadVBR64((unsigned)Op.getEncodingData());
case BitCodeAbbrevOp::Char6: case BitCodeAbbrevOp::Char6:
return BitCodeAbbrevOp::DecodeChar6(Cursor.Read(6)); return BitCodeAbbrevOp::DecodeChar6(Cursor.Read(6));
@@ -79,9 +81,11 @@ static void skipAbbreviatedField(BitstreamCursor &Cursor,
case BitCodeAbbrevOp::Blob: case BitCodeAbbrevOp::Blob:
llvm_unreachable("Should not reach here"); llvm_unreachable("Should not reach here");
case BitCodeAbbrevOp::Fixed: case BitCodeAbbrevOp::Fixed:
assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
Cursor.Read((unsigned)Op.getEncodingData()); Cursor.Read((unsigned)Op.getEncodingData());
break; break;
case BitCodeAbbrevOp::VBR: case BitCodeAbbrevOp::VBR:
assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
Cursor.ReadVBR64((unsigned)Op.getEncodingData()); Cursor.ReadVBR64((unsigned)Op.getEncodingData());
break; break;
case BitCodeAbbrevOp::Char6: case BitCodeAbbrevOp::Char6:
@@ -264,6 +268,11 @@ void BitstreamCursor::ReadAbbrevRecord() {
continue; continue;
} }
if ((E == BitCodeAbbrevOp::Fixed || E == BitCodeAbbrevOp::VBR) &&
Data > MaxChunkSize)
report_fatal_error(
"Fixed or VBR abbrev record with size > MaxChunkData");
Abbv->Add(BitCodeAbbrevOp(E, Data)); Abbv->Add(BitCodeAbbrevOp(E, Data));
} else } else
Abbv->Add(BitCodeAbbrevOp(E)); Abbv->Add(BitCodeAbbrevOp(E));

BIN
test/Bitcode/Inputs/invalid-abbrev-fixed-size-too-big.bc Normal file
View File

Binary file not shown.

BIN
test/Bitcode/Inputs/invalid-abbrev-vbr-size-too-big.bc Normal file
View File

Binary file not shown.

7
test/Bitcode/invalid.test
View File

@@ -66,3 +66,10 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-fp-shift.bc 2>&1 | \
RUN: FileCheck --check-prefix=FP-SHIFT %s RUN: FileCheck --check-prefix=FP-SHIFT %s
FP-SHIFT: Invalid record FP-SHIFT: Invalid record
RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev-vbr-size-too-big.bc 2>&1 | \
RUN: FileCheck --check-prefix=HUGE-ABBREV-OP %s
RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev-fixed-size-too-big.bc 2>&1 | \
RUN: FileCheck --check-prefix=HUGE-ABBREV-OP %s
HUGE-ABBREV-OP: Fixed or VBR abbrev record with size > MaxChunkData