Be more strict about the operand for the array type in BitcodeReader

Summary: Bug found with AFL fuzz. Reviewers: rafael Subscribers: llvm-commits Differential Revision: http://reviews.llvm.org/D9016 git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@235596 91177308-0d34-0410-b5e6-96231b3b80d8
2025-01-26 20:57:15 +00:00 · 2015-04-23 13:38:21 +00:00 · 2015-04-23 13:38:21 +00:00 · 0236022390
commit 0236022390
parent 81f9bd3e19
3 changed files with 8 additions and 0 deletions
--- a/lib/Bitcode/Reader/BitstreamReader.cpp
+++ b/lib/Bitcode/Reader/BitstreamReader.cpp
@ -201,6 +201,9 @@ unsigned BitstreamCursor::readRecord(unsigned AbbrevID,
      // Get the element encoding.
      assert(i+2 == e && "array op not second to last?");
      const BitCodeAbbrevOp &EltEnc = Abbv->getOperandInfo(++i);
+      if (EltEnc.getEncoding() == BitCodeAbbrevOp::Array ||
+          EltEnc.getEncoding() == BitCodeAbbrevOp::Blob)
+        report_fatal_error("Array element type can't be an Array or a Blob");

      // Read all the elements.
      for (; NumElts; --NumElts)
--- a/test/Bitcode/Inputs/invalid-array-type.bc
+++ b/test/Bitcode/Inputs/invalid-array-type.bc
--- a/test/Bitcode/invalid.test
+++ b/test/Bitcode/invalid.test
@ -73,3 +73,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev-fixed-size-too-big.bc
 RUN:   FileCheck --check-prefix=HUGE-ABBREV-OP %s

 HUGE-ABBREV-OP: Fixed or VBR abbrev record with size > MaxChunkData
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-array-type.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=ARRAY-TYPE %s
+
+ARRAY-TYPE: Array element type can't be an Array or a Blob