From f8a16a952dddaf1d38d6f596b78b1041ce5ea2eb Mon Sep 17 00:00:00 2001 From: Filipe Cabecinhas Date: Thu, 30 Apr 2015 04:09:41 +0000 Subject: [PATCH] Don't overflow GCTable Summary: Bug found with AFL fuzz. Reviewers: rafael, dexonsmith Subscribers: llvm-commits Differential Revision: http://reviews.llvm.org/D9361 llvm-svn: 236200 --- llvm/lib/Bitcode/Reader/BitcodeReader.cpp | 2 +- llvm/test/Bitcode/Inputs/invalid-GCTable-overflow.bc | Bin 0 -> 452 bytes llvm/test/Bitcode/invalid.test | 5 +++++ 3 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 llvm/test/Bitcode/Inputs/invalid-GCTable-overflow.bc diff --git a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp index 456df6d..aed1196 100644 --- a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp +++ b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp @@ -2992,7 +2992,7 @@ std::error_code BitcodeReader::ParseModule(bool Resume, // FIXME: Change to an error if non-default in 4.0. Func->setVisibility(GetDecodedVisibility(Record[7])); if (Record.size() > 8 && Record[8]) { - if (Record[8]-1 > GCTable.size()) + if (Record[8]-1 >= GCTable.size()) return Error("Invalid ID"); Func->setGC(GCTable[Record[8]-1].c_str()); } diff --git a/llvm/test/Bitcode/Inputs/invalid-GCTable-overflow.bc b/llvm/test/Bitcode/Inputs/invalid-GCTable-overflow.bc new file mode 100644 index 0000000000000000000000000000000000000000..a9e9c52e1c04d4f838a0fe6d6c88bb3db0edeb20 GIT binary patch literal 452 zcmZ>AK5$Qwhk+rFfq{X$Nr8b0NDBcmd!zD1#}h1`Yyw7>lNeigR9QJB6c!)}1QLsM!1N~v2R0x>5QvRA>i->iD3d0_Xxrgz(Q>%Qse!$+g1vY~ zAi zswu>5<>i>3%W|kRno&?ND3{H}#bcYSfS}^tHV2oM7G_tVQm}a-w+pj4>VWiv{3xQ# lU}6lUHw!j{h(kcn@_~E}au>pEQJ_gz(|{&&1 | RUN: FileCheck --check-prefix=LOAD-BAD-TYPE %s LOAD-BAD-TYPE: Load operand is not a pointer type + +RUN: not llvm-dis -disable-output %p/Inputs/invalid-GCTable-overflow.bc 2>&1 | \ +RUN: FileCheck --check-prefix=GCTABLE-OFLOW %s + +GCTABLE-OFLOW: Invalid ID -- 2.7.4
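Review bot: The corrected bound and the table lookup in the BitcodeReader.cpp hunk each recompute `Record[8]-1`, so the check and the use can drift apart on a future edit; a single named index keeps them tied together, e.g. `const auto GCID = Record[8] - 1;` then `if (GCID >= GCTable.size()) return Error("Invalid ID");` and `Func->setGC(GCTable[GCID].c_str());`. The subtraction itself is safe only because the enclosing `if (Record.size() > 8 && Record[8])` already rejects a zero ID, which is worth a one-line comment such as `// GC ID is 1-based; 0 means "no GC" and was excluded above.` so the `-1` is not mistaken for an underflow risk. The message "Invalid ID" is shared with other sites and, from the new GCTABLE-OFLOW line in invalid.test, is all a fuzz triage sees; a more specific text (e.g. "Invalid GC ID") would separate this path from the others, though the test's CHECK line would then have to change with it. ParseModule continues outside the hunk.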