Make sure we don't resize(0) when we get a fwdref with Idx == UINT_MAX

Make it an error instead. Bug found with AFL fuzz. llvm-svn: 236190
2024-11-29 22:30:33 +00:00 · 2015-04-30 00:52:42 +00:00 · 2015-04-30 00:52:42 +00:00 · c8f68a05d1
commit c8f68a05d1
parent f4d8e72cec
3 changed files with 9 additions and 0 deletions
--- a/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/lib/Bitcode/Reader/BitcodeReader.cpp
@ -790,6 +790,10 @@ Constant *BitcodeReaderValueList::getConstantFwdRef(unsigned Idx,
 }

 Value *BitcodeReaderValueList::getValueFwdRef(unsigned Idx, Type *Ty) {
+  // Bail out for a clearly invalid value. This would make us call resize(0)
+  if (Idx == UINT_MAX)
+    return nullptr;
+
  if (Idx >= size())
    resize(Idx + 1);

--- a/test/Bitcode/Inputs/invalid-too-big-fwdref.bc
+++ b/test/Bitcode/Inputs/invalid-too-big-fwdref.bc
--- a/test/Bitcode/invalid.test
+++ b/test/Bitcode/invalid.test
@ -112,3 +112,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-array-op-not-2nd-to-last.bc
 RUN:   FileCheck --check-prefix=ARRAY-NOT-2LAST %s

 ARRAY-NOT-2LAST: Array op not second to last
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-too-big-fwdref.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=HUGE-FWDREF %s
+
+HUGE-FWDREF: Invalid record