From 1c74d4768af8a17e46768662d5551a7553a49747 Mon Sep 17 00:00:00 2001
From: Filipe Cabecinhas
Date: Tue, 26 May 2015 23:00:56 +0000
Subject: [PATCH] [BitcodeReader] Sanity check on Comdat ID

Shouldn't be an assert, since user input can trigger it. Bug found with AFL fuzz.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@238261 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Bitcode/Reader/BitcodeReader.cpp | 6 ++++--
 test/Bitcode/Inputs/invalid-function-comdat-id.bc | Bin 0 -> 489 bytes
 .../Inputs/invalid-global-var-comdat-id.bc | Bin 0 -> 488 bytes
 test/Bitcode/invalid.test | 10 ++++++++++
 4 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 test/Bitcode/Inputs/invalid-function-comdat-id.bc
 create mode 100644 test/Bitcode/Inputs/invalid-global-var-comdat-id.bc

diff --git a/lib/Bitcode/Reader/BitcodeReader.cpp b/lib/Bitcode/Reader/BitcodeReader.cpp
index 6eef594eaf1..3f21bb9fbac 100644
--- a/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -2956,7 +2956,8 @@ std::error_code BitcodeReader::ParseModule(bool Resume,
       if (Record.size() > 11) {
         if (unsigned ComdatID = Record[11]) {
-          assert(ComdatID <= ComdatList.size());
+          if (ComdatID > ComdatList.size())
+            return Error("Invalid global variable comdat ID");
           NewGV->setComdat(ComdatList[ComdatID - 1]);
         }
       } else if (hasImplicitComdat(RawLinkage)) {
@@ -3020,7 +3021,8 @@ std::error_code BitcodeReader::ParseModule(bool Resume,
       if (Record.size() > 12) {
         if (unsigned ComdatID = Record[12]) {
-          assert(ComdatID <= ComdatList.size());
+          if (ComdatID > ComdatList.size())
+            return Error("Invalid function comdat ID");
           Func->setComdat(ComdatList[ComdatID - 1]);
         }
       } else if (hasImplicitComdat(RawLinkage)) {
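Review bot: The new bounds check in both hunks runs on the narrowed value, because `ComdatID` is declared `unsigned` and initialized from `Record[11]` (and from `Record[12]` in the second hunk); if the record elements are wider than `unsigned` (their type is not visible in the hunk), an out-of-range ID whose low bits happen to be small passes the check and silently picks some other comdat instead of being rejected. Comparing the untruncated element first, `if (Record[11] > ComdatList.size()) return Error("Invalid global variable comdat ID");`, keeps the error path for every malformed value, with the same change for `Record[12]` in the function hunk. The two hunks are otherwise identical apart from the record index and the message text, which argues for a small helper that validates the ID and returns the `Comdat *` (or the error) so the two paths cannot drift apart in later edits. ParseModule starts and ends outside both hunks.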
diff --git a/test/Bitcode/Inputs/invalid-function-comdat-id.bc b/test/Bitcode/Inputs/invalid-function-comdat-id.bc new file mode 100644 index 0000000000000000000000000000000000000000..d0ad8234bc869b0992c925e4db2442724f66bf30 GIT binary patch literal 489 zcmZ>AK5$Qwhk+rFfq{X$Nr8b0NDBcmd!zD1#}h1`Yyw7>lNeigR9QJBZz$2+xq{4oJLojK@f)x(OJ}?5!=~Q4~;0Mx1 zN*tUDDXlERN=sUR#N(EQ6GVi3I(oQUT6_cylo^UyJcL|?PRKAyoMDh?JjD{mF~RbX z(t!ye_c*U(0g^x}F$U~Vl5k}h%XN#7@Jx&eml@;v8GYWa0 zG4Q_?;QP|RXUyXycj%z(xrH)m2CQIZ&C+L>ZBIDc_AuK5%_vl0U;vpXwn3rS#U+?k zM3m1bJIT snZd-EVKRmY1H)#)W)N`*7$SV2paD4^;Q&#fbyw4X)}=tK14;q`0L*u0-~a#s literal 0 HcmV?d00001 diff --git a/test/Bitcode/Inputs/invalid-global-var-comdat-id.bc b/test/Bitcode/Inputs/invalid-global-var-comdat-id.bc new file mode 100644 index 0000000000000000000000000000000000000000..93d6ba2169b4b5f53aa6388ae42e9467c000927b GIT binary patch literal 488 zcmZ>AK5$Qwhk>D-fq{X$Nr8b0NDBiod!zD1#}h1`Yyw7>lNeigR9QJB*g6#$ z7`T9D0+n(oq_naKD=ujP5|3LJP7o3DY3bo^aq$u0DP~D<;9&tOV@PgO*uXxQo$17c zi9!ko_}B!%q6`fN+$;>NAamqqa7YUJOz7cMb3ex7oCK1tlwe?R0@B7D4Kha_%A|=f z+IBcwv>fhnYGALdU@x9g$n%VW|E&Pumj*s#9w)g&2W8JKlu0vS1uJWoKErH#!r8Wm z+4f9DPe}oLH3xg8M|(j5dsP8*Sw(w+Lc8P{LB2N=_#PVY=Na%n{=oMkfX`Uqi0nN@ znH!3-hZ5z|3_7j%G+SSAw%o#Ov!~gnh1vSd2a&P__Ua6F^NjW)AlcAfFrmF5fxS$F zz3c}o(Ae^Z_IQr=LW%aG8SRxb8g<@%;CuIg@9P1+HwMf}Cl<;)StxS`Ox{V9Ii)Cb zq*3-%BHOhI&Xy;fEoXqq9fvKZI9qfuTTeNx547}8ll2v5>kZ5d4222|42;0=U=s)d Hk_-$0#7meJ literal 0 HcmV?d00001 diff --git a/test/Bitcode/invalid.test b/test/Bitcode/invalid.test index f609d043df4..bd6e265cbb3 100644 --- a/test/Bitcode/invalid.test +++ b/test/Bitcode/invalid.test 
@@ -162,3 +162,13 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-fixme-streaming-blob.bc 2>&1
 RUN: FileCheck --check-prefix=STREAMING-BLOB %s
 
 STREAMING-BLOB: getPointer in streaming memory objects not allowed
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-function-comdat-id.bc 2>&1 | \
+RUN: FileCheck --check-prefix=INVALID-FCOMDAT-ID %s
+
+INVALID-FCOMDAT-ID: Invalid function comdat ID
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-global-var-comdat-id.bc 2>&1 | \
+RUN: FileCheck --check-prefix=INVALID-GVCOMDAT-ID %s
+
+INVALID-GVCOMDAT-ID: Invalid global variable comdat ID