From 6f72ab345de0711aaa5509fd6de38f4eb0ed4070 Mon Sep 17 00:00:00 2001
From: Johnny Chen <johnny.chen@apple.com>
Date: Wed, 14 Apr 2010 02:05:29 +0000
Subject: [PATCH] Fixed another assert exposed by fuzzing.  Now, when an
 encoding error occurs involing getBFCInvMask() where lsb <= msb does not hold
 true, the disassembler just returns false, instead of assert, to indicate
 disassembly error.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@101205 91177308-0d34-0410-b5e6-96231b3b80d8
---
 .../ARM/Disassembler/ARMDisassemblerCore.cpp   | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/lib/Target/ARM/Disassembler/ARMDisassemblerCore.cpp b/lib/Target/ARM/Disassembler/ARMDisassemblerCore.cpp
index aedd22eb3e8..e26b7bd3563 100644
--- a/lib/Target/ARM/Disassembler/ARMDisassemblerCore.cpp
+++ b/lib/Target/ARM/Disassembler/ARMDisassemblerCore.cpp
@@ -15,6 +15,7 @@
 
 #include "ARMDisassemblerCore.h"
 #include "ARMAddressingModes.h"
+#include "llvm/Support/raw_ostream.h"
 
 /// ARMGenInstrInfo.inc - ARMGenInstrInfo.inc contains the static const
 /// TargetInstrDesc ARMInsts[] definition and the TargetOperandInfo[]'s
@@ -885,14 +886,19 @@ static bool DisassembleBrMiscFrm(MCInst &MI, unsigned Opcode, uint32_t insn,
   return false;
 }
 
-static inline uint32_t getBFCInvMask(uint32_t insn) {
+static inline bool getBFCInvMask(uint32_t insn, uint32_t &mask) {
   uint32_t lsb = slice(insn, 11, 7);
   uint32_t msb = slice(insn, 20, 16);
   uint32_t Val = 0;
-  assert(lsb <= msb && "Encoding error: lsb > msb");
+  if (lsb > msb) {
+    errs() << "Encoding error: lsb > msb\n";
+    return false;
+  }
+
   for (uint32_t i = lsb; i <= msb; ++i)
     Val |= (1 << i);
-  return ~Val;
+  mask = ~Val;
+  return true;
 }
 
 static inline bool SaturateOpcode(unsigned Opcode) {
@@ -982,7 +988,11 @@ static bool DisassembleDPFrm(MCInst &MI, unsigned Opcode, uint32_t insn,
     MI.addOperand(MCOperand::CreateReg(Opcode == ARM::BFC ? 0
                                        : getRegisterEnum(ARM::GPRRegClassID,
                                                          decodeRm(insn))));
-    MI.addOperand(MCOperand::CreateImm(getBFCInvMask(insn)));
+    uint32_t mask = 0;
+    if (!getBFCInvMask(insn, mask))
+      return false;
+
+    MI.addOperand(MCOperand::CreateImm(mask));
     OpIdx += 2;
     return true;
   }
-- 
2.34.1