From 34cccdaed7e7952a9191231ffa62b1b22eac35c8 Mon Sep 17 00:00:00 2001
From: Florian Hahn
Date: Tue, 22 Jun 2021 14:48:45 +0100
Subject: [PATCH] [BitcodeReader] Validate Strtab before accessing.
This fixes a crash with invalid bitcode files that have records referencing names in Strtab, but Strtab is not present or the index is out-of-bounds. This fixes the following clusterfuzz issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29895
Reviewed By: arsenm
Differential Revision: https://reviews.llvm.org/D95554
---
 llvm/lib/Bitcode/Reader/BitcodeReader.cpp | 7 +++++--
 llvm/test/Bitcode/invalid-record-strtab.ll | 5 +++++
 llvm/test/Bitcode/invalid-record-strtab.ll.bc | Bin 0 -> 2048 bytes
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 llvm/test/Bitcode/invalid-record-strtab.ll
 create mode 100644 llvm/test/Bitcode/invalid-record-strtab.ll.bc
diff --git a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
index e002019..1631dc3 100644
--- a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -3407,9 +3407,12 @@ Error BitcodeReader::parseFunctionRecord(ArrayRef Record) {
 // Record[16] is the address space number.
- // Check whether we have enough values to read a partition name.
- if (Record.size() > 18)
+ // Check whether we have enough values to read a partition name. Also make
+ // sure Strtab has enough values.
+ if (Record.size() > 18 && Strtab.data() &&
+ Record[17] + Record[18] <= Strtab.size()) {
 Func->setPartition(StringRef(Strtab.data() + Record[17], Record[18]));
+ }
 ValueList.push_back(Func);
diff --git a/llvm/test/Bitcode/invalid-record-strtab.ll b/llvm/test/Bitcode/invalid-record-strtab.ll
new file mode 100644
index 0000000..4973090
--- /dev/null
+++ b/llvm/test/Bitcode/invalid-record-strtab.ll
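Review bot: The new guard `Record[17] + Record[18] <= Strtab.size()` can be satisfied by a wrapped unsigned sum — an offset close to the maximum of the element type plus a small length wraps to a value below `Strtab.size()` — and `Strtab.data() + Record[17]` on the next line then still points outside the string table; check without adding, `Record[17] <= Strtab.size() && Record[18] <= Strtab.size() - Record[17]`. Record's element type is not visible in this rendering (the template argument is missing from the `@@` context), but the wrap applies to any unsigned integer type. A second point is that a record failing the check is now accepted silently with no partition set, while the added test expects `error: Invalid record`; if that error is raised on another path for the fuzzed input this is fine, otherwise returning the reader's invalid-record error here would reject the malformed record instead of ignoring it. parseFunctionRecord begins and ends outside the hunk.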
@@ -0,0 +1,5 @@ +; Bitcode with an invalid record that indexes a name outside of strtab. + +; RUN: not llvm-dis %s.bc -o - 2>&1 | FileCheck %s + +; CHECK: error: Invalid record diff --git a/llvm/test/Bitcode/invalid-record-strtab.ll.bc b/llvm/test/Bitcode/invalid-record-strtab.ll.bc new file mode 100644 index 0000000000000000000000000000000000000000..8ff7e39649cc0db9239f78e442ed91e69bf92daf GIT binary patch literal 2048 zcmZuye{2&~9DmnddndHl+vuQWZM~ygoCLLNowT+!ZEr}4QwtI@6+=6*40FS7F5AFg zE$z68H7R5SMbu!_?{y>7#Bb8~eeauh z@B8`jdgtRt&NXNeQXqs{RF;~1AN(NPc5V3n>U>QjW>p|oh0s+Dp`|hw$zacN_z^Ml z0dF4PproyigIGdUt046z{DqdNZk^0`aH%gxTeWslch3@QOP@cIW6h0~LX!3#lx@$G zZ)q9s?mp&Y%-WLBt*%?0s((7O^#F4+59dD5AY_1SUDbC3v%MEzW*$nwFr64oX)BwO z$)$;06P+4$jTkV$79;&>Gm3}s7^L1+TBVUg>-?%s`-9qCp~54Qi3bv|F|Ep=&YRkw zYHF++Oy^gUX){Ucu*3Y4sH$Uzq-8g=Kx!r1L|uq}^3Kt1SAHJ&>(w#w^1FZB^2Ddx zHvBel*V9K&?Ck!d_P#GZDmvbuPv4#hYhFhl0J<1awyF$$u~I)ID~q~V*|!-*7FRGE zN$uC^{!`Iy!Vr%CyTq+VhyT4sLBFDG!eY_S({&Hsh!Fh(`1A_YZDiDtD;mOD%-zS? z6JpXAC3g1^Po~>dGf49zOT`SC0^31bv}`noUtfi)NQaGd)Mm1t=SxGoE7&XINu4WC~lJcOH*B$2rHa z+;u$eO30msIc-;vc&e3H+bVRx7!@KZArd6I>WHr26>w~KRMBUvj!?4}c}srKP#QE8%Hw3nFvc2kG2>WBIg#QVdCrk8kHS4uO_8Byfdx}%oE$Y} zy{6Au!(_}fIb|pnjXz+fux_J0!`(R$cNPLQ3q*oKcMs8%-q>^{rI8dcJ#HEc87{KM zbEC#*F_Q$CHO_^Un|tH-g6Pa}ZV=?ptgFO1`(P<1Pb>kZLO0+ci9K~hM>@83nx$dS@o?9*$QhM0=8R6hzmtQAb_`j;?}#xSb>bRXYgS zEa=akq-KMfAE%UajOM&WbDq&$4N$viYT81<@|P*)r75ZupnkWQzn={mvN7YC;)+?; zIKvuqtPvc%$le%c4mpo=?qhOCf80@MJ`U~!**$>MFLXx){n%;h5}X{Bh=Y0vy$%;x z4|i_ql8!p?lGxK6NyGCZsOA_K_s$qj4yrGDrK<*Q<~3S=`*e`H5CG{lCCLEIg#dLW z6O9qO>&iEyM*vomF3phv(LRhhhvM#jIrR99Mo0;nD7c2=&H*r7?mirMf%z#Bu09Ge z2w5O6!@X-@E0X?5c#_3ONVL<2a-YBwt*1LN>?X2fJz7C`#)6_6k4?6pQS=>R$7^3a zR2MU^7rXKvDUHMWRKydNKlh-TGkx{H&RRoamZRKMgU|}d*Y%OgB`q^bqS{CCzvtt_zlmpTP+za= z@Wwza5sAvidJwkl9B_k2xy)B)?=a|^;=dyZZ!_e?{pggYswiVK9%&7;vXJ2U=siU literal 0 HcmV?d00001 -- 2.7.4
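Review bot: The new test gives no indication of how invalid-record-strtab.ll.bc was produced, so the binary fixture cannot be regenerated or adapted if the bitcode writer or the function-record layout changes. A one-line comment after the first line, along the lines of `; The .bc was produced by <describe the tool or manual edit> so that a function record's partition-name offset/size index past the end of STRTAB.`, with the placeholder filled in from how the file was actually made, would make the fixture maintainable. The CHECK line only pins the generic `Invalid record` text, so it cannot distinguish this failure from any other malformed record; that is acceptable for a crash-regression test but worth stating in the same comment.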