Be more strict about the operand for the array type in BitcodeReader
author Filipe Cabecinhas <me@filcab.net>
Thu, 23 Apr 2015 13:38:21 +0000 (13:38 +0000)
committer Filipe Cabecinhas <me@filcab.net>
Thu, 23 Apr 2015 13:38:21 +0000 (13:38 +0000)
Summary: Bug found with AFL fuzz.

Reviewers: rafael

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D9016

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@235596 91177308-0d34-0410-b5e6-96231b3b80d8

lib/Bitcode/Reader/BitstreamReader.cpp
test/Bitcode/Inputs/invalid-array-type.bc [new file with mode: 0644]
test/Bitcode/invalid.test

index ff37b8e4cfc7782310bec05e66923951d0bcd7f8..2f34532ae9357f7ec391a130cdcc6440515a10c5 100644 (file)
@@ -201,6 +201,9 @@ unsigned BitstreamCursor::readRecord(unsigned AbbrevID,
       // Get the element encoding.
       assert(i+2 == e && "array op not second to last?");
       const BitCodeAbbrevOp &EltEnc = Abbv->getOperandInfo(++i);
+      if (EltEnc.getEncoding() == BitCodeAbbrevOp::Array ||
+          EltEnc.getEncoding() == BitCodeAbbrevOp::Blob)
+        report_fatal_error("Array element type can't be an Array or a Blob");
 
       // Read all the elements.
       for (; NumElts; --NumElts)
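Review bot: the new check only fires when a record that uses the malformed abbreviation is read, inside readRecord (per the hunk header), so the bad abbreviation is accepted at definition time and rejected on every use; if the abbreviation definition is parsed in a separate routine, validating the array element encoding there would reject the input once and earlier. Also note that the line just above, `assert(i+2 == e && "array op not second to last?");`, is still an assert, so an input with the array op in the wrong position is only caught in asserts-enabled builds; since this code is now being hardened against fuzzed input, consider turning that into a `report_fatal_error` as well.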
diff --git a/test/Bitcode/Inputs/invalid-array-type.bc b/test/Bitcode/Inputs/invalid-array-type.bc
new file mode 100644 (file)
index 0000000..3a4b635
Binary files /dev/null and b/test/Bitcode/Inputs/invalid-array-type.bc differ
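Review bot: the new binary input has no description of what makes it invalid or how it was produced; a short note in test/Bitcode/invalid.test (or a companion .ll with the hand-edited abbreviation) stating that the abbreviation declares an Array whose element operand is itself an Array or a Blob would let the case be regenerated if the bitcode writer or format changes.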
index b6c2ed3e8d6b2e8bb85866c9153822dacee92321..1d8e14230ff4c9f348affbb540bbe1c48a858e7d 100644 (file)
@@ -73,3 +73,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev-fixed-size-too-big.bc
 RUN:   FileCheck --check-prefix=HUGE-ABBREV-OP %s
 
 HUGE-ABBREV-OP: Fixed or VBR abbrev record with size > MaxChunkData
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-array-type.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=ARRAY-TYPE %s
+
+ARRAY-TYPE: Array element type can't be an Array or a Blob
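Review bot: the added test exercises only one branch of the new `||` in readRecord, since a single input cannot be both an Array-of-Array and an Array-of-Blob; a second input covering the other element encoding would make sure both conditions are checked. The check-prefix `ARRAY-TYPE` is also less descriptive than its neighbour `HUGE-ABBREV-OP`; something like `ARRAY-ELEMENT-TYPE` would say what is being rejected.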