From 023602239049dfeaa6eb898ddad9cfce790dc16e Mon Sep 17 00:00:00 2001
From: Filipe Cabecinhas
Date: Thu, 23 Apr 2015 13:38:21 +0000
Subject: [PATCH] Be more strict about the operand for the array type in BitcodeReader
Summary: Bug found with AFL fuzz.
Reviewers: rafael
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D9016
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@235596 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Bitcode/Reader/BitstreamReader.cpp | 3 +++
 test/Bitcode/Inputs/invalid-array-type.bc | Bin 0 -> 612 bytes
 test/Bitcode/invalid.test | 5 +++++
 3 files changed, 8 insertions(+)
 create mode 100644 test/Bitcode/Inputs/invalid-array-type.bc
diff --git a/lib/Bitcode/Reader/BitstreamReader.cpp b/lib/Bitcode/Reader/BitstreamReader.cpp
index ff37b8e4cfc..2f34532ae93 100644
--- a/lib/Bitcode/Reader/BitstreamReader.cpp
+++ b/lib/Bitcode/Reader/BitstreamReader.cpp
@@ -201,6 +201,9 @@ unsigned BitstreamCursor::readRecord(unsigned AbbrevID,
 // Get the element encoding.
 assert(i+2 == e && "array op not second to last?");
 const BitCodeAbbrevOp &EltEnc = Abbv->getOperandInfo(++i);
+ if (EltEnc.getEncoding() == BitCodeAbbrevOp::Array ||
+ EltEnc.getEncoding() == BitCodeAbbrevOp::Blob)
+ report_fatal_error("Array element type can't be an Array or a Blob");
 // Read all the elements.
 for (; NumElts; --NumElts)
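Review bot: The `assert(i+2 == e && "array op not second to last?")` on the context line just above the new check is compiled out in NDEBUG builds, so for an abbreviation whose Array operand is the last one, `getOperandInfo(++i)` would index past the operand list before the new encoding test ever runs, unless abbreviation definitions are validated somewhere this hunk does not show. The abbreviation is read from the bitcode file, so I would turn that into a runtime check in the same style as the added one: `if (i + 2 != e) report_fatal_error("Array op not second to last");`. Separately, `report_fatal_error` terminates the process, which is acceptable for llvm-dis but lets a malformed file take down any host that embeds the reader; a short comment saying this is a stopgap until readRecord can return an error would help. The body of readRecord starts and ends outside the hunk.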
diff --git a/test/Bitcode/Inputs/invalid-array-type.bc b/test/Bitcode/Inputs/invalid-array-type.bc new file mode 100644 index 0000000000000000000000000000000000000000..3a4b635dd0ee7085eb6595283e5a300b662cdd3c GIT binary patch literal 612 zcmZ>AK5$Qwhk;=l0|NthlL7-1kQM@B_D1E2jwe_=*#wL%Co#78sIqcM%CU4OHSoAH zIZfhrN)a#;vEY#K)3syKB`@je^r&ED}feT0* zDV^X@NNHu6thl5FNIY&?I6*|nr>%#(CB;WTK$)SK#Y0d4XtDDYkS-vQSOjzx2pkYd zg)kV}G?*bQ0~bjMqe1Z$RPIS41A`!tZOqXibL62+nh2w9hqFb?;U1?3_R0$O;u(cJ z&lvdM3h;et;4|iNk~?%z_S{05Gy_(!vS#Ts%(f?-ZF`t)fo2pcFfeccX*UIniM%`x z#u5hN z4-hyjl9;9tvsG3=Q1NP;gG))hQo~vY(PFX uy-?qS?S<)aoTZRLtR9e?K=w2ySqQLT+5r@SxCf^0Ad%`AlX05|G7|v2w|?*d literal 0 HcmV?d00001 diff --git a/test/Bitcode/invalid.test b/test/Bitcode/invalid.test index b6c2ed3e8d6..1d8e14230ff 100644 --- a/test/Bitcode/invalid.test +++ b/test/Bitcode/invalid.test @@ -73,3 +73,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev-fixed-size-too-big.bc RUN: FileCheck --check-prefix=HUGE-ABBREV-OP %s HUGE-ABBREV-OP: Fixed or VBR abbrev record with size > MaxChunkData + +RUN: not llvm-dis -disable-output %p/Inputs/invalid-array-type.bc 2>&1 | \ +RUN: FileCheck --check-prefix=ARRAY-TYPE %s + +ARRAY-TYPE: Array element type can't be an Array or a Blob -- 2.34.1