[BitcodeReader] It's a malformed block if CodeLenWidth is too big

Bug found with AFL fuzz. git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@237646 91177308-0d34-0410-b5e6-96231b3b80d8
2024-11-02 07:11:49 +00:00 · 2015-05-19 00:34:17 +00:00 · 2015-05-19 00:34:17 +00:00 · c3ccd67d72
commit c3ccd67d72
parent 09f87b4a7b
3 changed files with 9 additions and 0 deletions
--- a/lib/Bitcode/Reader/BitstreamReader.cpp
+++ b/lib/Bitcode/Reader/BitstreamReader.cpp
@ -39,6 +39,10 @@ bool BitstreamCursor::EnterSubBlock(unsigned BlockID, unsigned *NumWordsP) {

  // Get the codesize of this block.
  CurCodeSize = ReadVBR(bitc::CodeLenWidth);
+  // We can't read more than MaxChunkSize at a time
+  if (CurCodeSize > MaxChunkSize)
+    return true;
+
  SkipToFourByteBoundary();
  unsigned NumWords = Read(bitc::BlockSizeWidth);
  if (NumWordsP) *NumWordsP = NumWords;
--- a/test/Bitcode/Inputs/invalid-code-len-width.bc
+++ b/test/Bitcode/Inputs/invalid-code-len-width.bc
--- a/test/Bitcode/invalid.test
+++ b/test/Bitcode/invalid.test
@ -147,3 +147,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-inserted-value-type-mismatch
 RUN:   FileCheck --check-prefix=INSERT-TYPE-MISMATCH %s

 INSERT-TYPE-MISMATCH: Inserted value type doesn't match aggregate type
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-code-len-width.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=INVALID-CODELENWIDTH %s
+
+INVALID-CODELENWIDTH: Malformed block