From 9183d13f45cad8af7f5cd5eb65056f14db2bab95 Mon Sep 17 00:00:00 2001
From: Filipe Cabecinhas <me@filcab.net>
Date: Mon, 16 Feb 2015 00:03:11 +0000
Subject: [PATCH] [Bitcode reader] Fix a few assertions when reading invalid
 files

Summary:
When creating {insert,extract}value instructions from a BitcodeReader, we
weren't verifying the fields were valid.

Bugs found with afl-fuzz

Reviewers: rafael

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D7325

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@229345 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Bitcode/Reader/BitcodeReader.cpp          |  32 ++++++++++++++++++
 .../Inputs/invalid-extractval-array-idx.bc    | Bin 0 -> 450 bytes
 .../Inputs/invalid-extractval-struct-idx.bc   | Bin 0 -> 444 bytes
 .../invalid-extractval-too-many-idxs.bc       | Bin 0 -> 452 bytes
 .../Inputs/invalid-insertval-array-idx.bc     | Bin 0 -> 452 bytes
 .../Inputs/invalid-insertval-struct-idx.bc    | Bin 0 -> 444 bytes
 .../Inputs/invalid-insertval-too-many-idxs.bc | Bin 0 -> 452 bytes
 test/Bitcode/invalid.test                     |  21 ++++++++++++
 8 files changed, 53 insertions(+)
 create mode 100644 test/Bitcode/Inputs/invalid-extractval-array-idx.bc
 create mode 100644 test/Bitcode/Inputs/invalid-extractval-struct-idx.bc
 create mode 100644 test/Bitcode/Inputs/invalid-extractval-too-many-idxs.bc
 create mode 100644 test/Bitcode/Inputs/invalid-insertval-array-idx.bc
 create mode 100644 test/Bitcode/Inputs/invalid-insertval-struct-idx.bc
 create mode 100644 test/Bitcode/Inputs/invalid-insertval-too-many-idxs.bc

diff --git a/lib/Bitcode/Reader/BitcodeReader.cpp b/lib/Bitcode/Reader/BitcodeReader.cpp
index 92a1dcce5bb..4fe054de370 100644
--- a/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -3065,12 +3065,27 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
         return Error("Invalid record");
 
       SmallVector<unsigned, 4> EXTRACTVALIdx;
+      Type *CurTy = Agg->getType();
       for (unsigned RecSize = Record.size();
            OpNum != RecSize; ++OpNum) {
+        bool IsArray = CurTy->isArrayTy();
+        bool IsStruct = CurTy->isStructTy();
         uint64_t Index = Record[OpNum];
+
+        if (!IsStruct && !IsArray)
+          return Error("EXTRACTVAL: Invalid type");
         if ((unsigned)Index != Index)
           return Error("Invalid value");
+        if (IsStruct && Index >= CurTy->subtypes().size())
+          return Error("EXTRACTVAL: Invalid struct index");
+        if (IsArray && Index >= CurTy->getArrayNumElements())
+          return Error("EXTRACTVAL: Invalid array index");
         EXTRACTVALIdx.push_back((unsigned)Index);
+
+        if (IsStruct)
+          CurTy = CurTy->subtypes()[Index];
+        else
+          CurTy = CurTy->subtypes()[0];
       }
 
       I = ExtractValueInst::Create(Agg, EXTRACTVALIdx);
@@ -3089,12 +3104,29 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
         return Error("Invalid record");
 
       SmallVector<unsigned, 4> INSERTVALIdx;
+      Type *CurTy = Agg->getType();
       for (unsigned RecSize = Record.size();
            OpNum != RecSize; ++OpNum) {
+        bool IsArray = CurTy->isArrayTy();
+        bool IsStruct = CurTy->isStructTy();
         uint64_t Index = Record[OpNum];
+
+        if (!IsStruct && !IsArray)
+          return Error("INSERTVAL: Invalid type");
+        if (!CurTy->isStructTy() && !CurTy->isArrayTy())
+          return Error("Invalid type");
         if ((unsigned)Index != Index)
           return Error("Invalid value");
+        if (IsStruct && Index >= CurTy->subtypes().size())
+          return Error("INSERTVAL: Invalid struct index");
+        if (IsArray && Index >= CurTy->getArrayNumElements())
+          return Error("INSERTVAL: Invalid array index");
+
         INSERTVALIdx.push_back((unsigned)Index);
+        if (IsStruct)
+          CurTy = CurTy->subtypes()[Index];
+        else
+          CurTy = CurTy->subtypes()[0];
       }
 
       I = InsertValueInst::Create(Agg, Val, INSERTVALIdx);
diff --git a/test/Bitcode/Inputs/invalid-extractval-array-idx.bc b/test/Bitcode/Inputs/invalid-extractval-array-idx.bc
new file mode 100644
index 0000000000000000000000000000000000000000..7465df361c0557e284b7c1388bd194493df00b7b
GIT binary patch
literal 450
zcmZ>AK5$Qwhk+rFfq{X$Nr8b0NDBcmd!zD1#}h1`Yyw7>lNeigR9QJB<yg9t8U$RK
zoF;KQwFnrASa3*qav8a(cyLWnR6Y{az$2+xq{4oJLojK@f)x(OJ}?5!=~Q4~;0Mx1
zN*tUDDXlERN=sUR#N(EQ6GVi3I(oQUT6_cylo^UyJcL|?PRKAyoMDh?JjD{mF~RbX
z(t!ye_c%{s0g^x<u}BBPaFAmIG6aFxn4>}F$U~Vl5k}h%XN#7@Jx&eml@;v8GYWa0
zG4Q_?;QP|RXUyXycj%z(xrH)m2CQIZ&C+L>ZBIDc_AuK5%_vl0U;vpXwn3rS#U+?k
zM<kJfr_fhW!AEpM0MP10pgbr{gjo(|9AfBE<2jhY%*e8smqj4KLI5bv1;p$D0%t`M
z)f8g3@^VbiWjRzD%_t}sl*{Jg;;~IuKv3~+n}bVB3o}q9#5|DOg;^YRK>9&`6j5d{
mF$U6`1)CWd78f33-~;&?<SK;8qCj)5rUA`KftUl71Ofn@&|;wg

literal 0
HcmV?d00001

diff --git a/test/Bitcode/Inputs/invalid-extractval-struct-idx.bc b/test/Bitcode/Inputs/invalid-extractval-struct-idx.bc
new file mode 100644
index 0000000000000000000000000000000000000000..ccb40f7ebce9bd11261b10eae0770e7dd29e6b3f
GIT binary patch
literal 444
zcmZ>AK5$Qwhk+r7fq{X$Nr8b0NDBcmd!zD1#}h1`Yyw7>lNeigR9QJB<yg9t8hBip
zoF;KQr3e^_Sa3*qav8a(cyLWnR6Y{az$2+xq{4pUgh0}Y1uGnmeP9Hd)2YC~05qP#
zNa+NJLP{&kWW^;dK;m)B!U-ZmK5aeREh#<%63Pt4EC~e%TiR4y8#0(d`kZAzE`fj(
zhk^QmOk<7)nIjKn(nJ_-JDe?A4)-`Uuvb>F7tbi<dB(v1R)FtI1D`REliZ<$vga1c
zq#3Y+l{HJBVYWTtY}><Zd#0kNq=3DegT2zDy`X@-s(`tyqP;+&UGj_|-<t`14-NS9
z4EP^^;QJ83XDo0;_MW254Mo{QiE?QMoz{DrtuHuRZeh0B(`?hiY<=c~NLd1Vbq2e6
zMtc#EY-lf-&|Z+hUZ%lb_Jb8@Y<WX_JV$$>M0?SU_R1NJI`2O4y?em-^#I=+hC&4f
za5%FC$Q;>Z!N8CR<Z}c4C(PogBLJj9{-3gliD5D4A%g@90S0CuU(A4EVj{D%iw}?u
F0{{<?e$M~^

literal 0
HcmV?d00001

diff --git a/test/Bitcode/Inputs/invalid-extractval-too-many-idxs.bc b/test/Bitcode/Inputs/invalid-extractval-too-many-idxs.bc
new file mode 100644
index 0000000000000000000000000000000000000000..543a3ba7131f19c9b550d499d9fe229aec522c23
GIT binary patch
literal 452
zcmZ>AK5$Qwhk+rFfq{X$Nr8b0NDBcmd!zD1#}h1`Yyw7>lNeigR9QJB<yg9t8U$RK
zoF;KQwFnrASa3*qav8a(cyLWnR6Y{az$2+xq{4oJLojK@f)x(OJ}?5!=~Q4~;0Mx1
zN*tUDDXlERN=sUR#N(EQ6GVi3I(oQUT6_cylo^UyJcL|?PRKAyoMDh?JjD{mF~RbX
z(t!ye_c%{s0g^x<u}BBPaFAmIG6aFxn4>}F$U~Vl5k}h%XN#7@Jx&eml@;v8GYWa0
zG4Q_?;QP|RXUyXycj%z(xrH)m2CQIZ&C+L>ZBIDc_AuK5%_vl0U;vpXwn3rS#U+?k
zM<kJfr_fhW!AEpM0MP10pgbr{gjo(|9AfBE<2jhY%*e8smqj4KLI5bv1;p$D0%t`M
z)f8g3@^VbiWjRzD%_t}sl*{Jg;;~IuKv3~+n}bVB3o}q9#5|DOg;^YRK>9&`6j5d{
oF$U6$6`L6tHVYnN2$0|d`5NRdgxR7%ldh%#O-g~71e62<09fy0xc~qF

literal 0
HcmV?d00001

diff --git a/test/Bitcode/Inputs/invalid-insertval-array-idx.bc b/test/Bitcode/Inputs/invalid-insertval-array-idx.bc
new file mode 100644
index 0000000000000000000000000000000000000000..79c3c038a1cd0509d443a97de870c0f801e32e07
GIT binary patch
literal 452
zcmZ>AK5$Qwhk+rFfq{X$Nr8b0NDBcmd!zD1#}h1`Yyw7>lNeigR9QJB<yg9t8U$RK
zoF;KQwFnrASa3*qav8a(cyLWnR6Y{az$2+xq{4oJLojK@f)x(OJ}?5!=~Q4~;0Mx1
zN*tUDDXlERN=sUR#N(EQ6GVi3I(oQUT6_cylo^UyJcL|?PRKAyoMDh?JjD{mF~RbX
z(t!ye_c%{s0g^x<u}BBPaFAmIG6aFxn4>}F$U~Vl5k}h%XN#7@Jx&eml@;v8GYWa0
zG4Q_?;QP|RXUyXycj%z(xrH)m2CQIZ&C+L>ZBIDc_AuK5%_vl0U;vpXwn3rS#U+?k
zM<kJfr_fhW!AEpM0MP10pgbr{gjo(|9AfBE<2jhY%*e8smqj4KLI5bv1;p$D0%t`M
z)f8g3@^VbiWjRzD%_t}sl*{Jg;;~IuKv3~+n}bVB3o}q9#5|DOg;^YRK>9&`6j5d{
nF$U6`1)G6H;UR_q2|kdoLGD7BEebU0Y8ud_6o^ScNgx0KYCmHc

literal 0
HcmV?d00001

diff --git a/test/Bitcode/Inputs/invalid-insertval-struct-idx.bc b/test/Bitcode/Inputs/invalid-insertval-struct-idx.bc
new file mode 100644
index 0000000000000000000000000000000000000000..ec70384909a6052abcb99e269eb6020b617ba0fc
GIT binary patch
literal 444
zcmZ>AK5$Qwhk+r7fq{X$Nr8b0NDBcmd!zD1#}h1`Yyw7>lNeigR9QJB<yg9t8hBip
zoF;KQr3e^_Sa3*qav8a(cyLWnR6Y{az$2+xq{4pUgh0}Y1uGnmeP9Hd)2YC~05qP#
zNa+NJLP{&kWW^;dK;m)B!U-ZmK5aeREh#<%63Pt4EC~e%TiR4y8#0(d`kZAzE`fj(
zhk^QmOk<7)nIjKn(nJ_-JDe?A4)-`Uuvb>F7tbi<dB(v1R)FtI1D`REliZ<$vga1c
zq#3Y+l{HJBVYWTtY}><Zd#0kNq=3DegT2zDy`X@-s(`tyqP;+&UGj_|-<t`14-NS9
z4EP^^;QJ83XDo0;_MW254Mo{QiE?QMoz{DrtuHuRZeh0B(`?hiY<=c~NLd1Vbq2e6
zMtc#EY-lf-&|Z+hUZ%lb_Jb8@Y<WX_JV$$>M0?SU_R1NJI`2O4y?em-^#I=+hC&4f
za5%FC$Q;>Z!N8CR<Z}c4C(PogBLJj9{-3gliD5IZlR<)o00T3SFJ{0nF_GEX#RtfS
F0RRIFeq#Ut

literal 0
HcmV?d00001

diff --git a/test/Bitcode/Inputs/invalid-insertval-too-many-idxs.bc b/test/Bitcode/Inputs/invalid-insertval-too-many-idxs.bc
new file mode 100644
index 0000000000000000000000000000000000000000..fd21ac24cf4550e155f7787470f554f0f48b6633
GIT binary patch
literal 452
zcmZ>AK5$Qwhk+rFfq{X$Nr8b0NDBcmd!zD1#}h1`Yyw7>lNeigR9QJB<yg9t8U$RK
zoF;KQwFnrASa3*qav8a(cyLWnR6Y{az$2+xq{4oJLojK@f)x(OJ}?5!=~Q4~;0Mx1
zN*tUDDXlERN=sUR#N(EQ6GVi3I(oQUT6_cylo^UyJcL|?PRKAyoMDh?JjD{mF~RbX
z(t!ye_c%{s0g^x<u}BBPaFAmIG6aFxn4>}F$U~Vl5k}h%XN#7@Jx&eml@;v8GYWa0
zG4Q_?;QP|RXUyXycj%z(xrH)m2CQIZ&C+L>ZBIDc_AuK5%_vl0U;vpXwn3rS#U+?k
zM<kJfr_fhW!AEpM0MP10pgbr{gjo(|9AfBE<2jhY%*e8smqj4KLI5bv1;p$D0%t`M
z)f8g3@^VbiWjRzD%_t}sl*{Jg;;~IuKv3~+n}bVB3o}q9#5|DOg;^YRK>9&`6j5d{
nF$U6`6`O&C;30+p2|kdoLGD7BEebU0Y8ud_6o^ScNgx0KTrXnD

literal 0
HcmV?d00001

diff --git a/test/Bitcode/invalid.test b/test/Bitcode/invalid.test
index 3eaa0394dba..84bc9278d91 100644
--- a/test/Bitcode/invalid.test
+++ b/test/Bitcode/invalid.test
@@ -17,3 +17,24 @@ UNEXPECTED-EOF: Unexpected end of file
 BAD-ABBREV-NUMBER: Invalid abbrev number
 BAD-TYPE-TABLE-FORWARD-REF: Invalid TYPE table: Only named structs can be forward referenced
 BAD-BITWIDTH: Bitwidth for integer type out of range
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-extractval-array-idx.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=EXTRACT-ARRAY %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-extractval-struct-idx.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=EXTRACT-STRUCT %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-extractval-too-many-idxs.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=EXTRACT-IDXS %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-insertval-array-idx.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=INSERT-ARRAY %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-insertval-struct-idx.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=INSERT-STRUCT %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-insertval-too-many-idxs.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=INSERT-IDXS %s
+
+
+EXTRACT-ARRAY: EXTRACTVAL: Invalid array index
+EXTRACT-STRUCT: EXTRACTVAL: Invalid struct index
+EXTRACT-IDXS: EXTRACTVAL: Invalid type
+INSERT-ARRAY: INSERTVAL: Invalid array index
+INSERT-STRUCT: INSERTVAL: Invalid struct index
+INSERT-IDXS: INSERTVAL: Invalid type
-- 
2.34.1