From: Filipe Cabecinhas
Date: Tue, 26 May 2015 23:00:56 +0000 (+0000)
Subject: [BitcodeReader] Sanity check on Comdat ID
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=1c74d4768af8a17e46768662d5551a7553a49747;p=oota-llvm.git
[BitcodeReader] Sanity check on Comdat ID
Shouldn't be an assert, since user input can trigger it. Bug found with AFL fuzz.
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@238261 91177308-0d34-0410-b5e6-96231b3b80d8
---
diff --git a/lib/Bitcode/Reader/BitcodeReader.cpp b/lib/Bitcode/Reader/BitcodeReader.cpp
index 6eef594eaf1..3f21bb9fbac 100644
--- a/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -2956,7 +2956,8 @@ std::error_code BitcodeReader::ParseModule(bool Resume,
 if (Record.size() > 11) {
 if (unsigned ComdatID = Record[11]) {
- assert(ComdatID <= ComdatList.size());
+ if (ComdatID > ComdatList.size())
+ return Error("Invalid global variable comdat ID");
 NewGV->setComdat(ComdatList[ComdatID - 1]);
 }
 } else if (hasImplicitComdat(RawLinkage)) {
@@ -3020,7 +3021,8 @@ std::error_code BitcodeReader::ParseModule(bool Resume,
 if (Record.size() > 12) {
 if (unsigned ComdatID = Record[12]) {
- assert(ComdatID <= ComdatList.size());
+ if (ComdatID > ComdatList.size())
+ return Error("Invalid function comdat ID");
 Func->setComdat(ComdatList[ComdatID - 1]);
 }
 } else if (hasImplicitComdat(RawLinkage)) {
diff --git a/test/Bitcode/Inputs/invalid-function-comdat-id.bc b/test/Bitcode/Inputs/invalid-function-comdat-id.bc
new file mode 100644
index 00000000000..d0ad8234bc8
Binary files /dev/null and b/test/Bitcode/Inputs/invalid-function-comdat-id.bc differ
diff --git a/test/Bitcode/Inputs/invalid-global-var-comdat-id.bc b/test/Bitcode/Inputs/invalid-global-var-comdat-id.bc
new file mode 100644
index 00000000000..93d6ba2169b
Binary files /dev/null and b/test/Bitcode/Inputs/invalid-global-var-comdat-id.bc differ
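Review bot: The new bound is tested only after `Record[11]` has been narrowed to `unsigned` in `if (unsigned ComdatID = Record[11])`, so if Record holds 64-bit values (its declaration is outside the hunk) an oversized ID can wrap to an in-range index, or to 0 and be read as "no comdat", and the malformed record is accepted instead of rejected. The access `ComdatList[ComdatID - 1]` stays in bounds either way, so this is a validation gap rather than a memory-safety one. Comparing before narrowing would close it, e.g. `if (uint64_t ComdatID = Record[11]) {` ahead of the `ComdatID > ComdatList.size()` test; the same applies to `Record[12]` in the function hunk at -3020. Both checks sit inside ParseModule, whose body starts and ends outside these hunks.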
diff --git a/test/Bitcode/invalid.test b/test/Bitcode/invalid.test
index f609d043df4..bd6e265cbb3 100644
--- a/test/Bitcode/invalid.test
+++ b/test/Bitcode/invalid.test
@@ -162,3 +162,13 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-fixme-streaming-blob.bc 2>&1
 RUN: FileCheck --check-prefix=STREAMING-BLOB %s
 STREAMING-BLOB: getPointer in streaming memory objects not allowed
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-function-comdat-id.bc 2>&1 | \
+RUN: FileCheck --check-prefix=INVALID-FCOMDAT-ID %s
+
+INVALID-FCOMDAT-ID: Invalid function comdat ID
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-global-var-comdat-id.bc 2>&1 | \
+RUN: FileCheck --check-prefix=INVALID-GVCOMDAT-ID %s
+
+INVALID-GVCOMDAT-ID: Invalid global variable comdat ID