From bf27e11e02798832e4d55ff0e3e0368b06ae8895 Mon Sep 17 00:00:00 2001 From: Filipe Cabecinhas Date: Tue, 19 May 2015 01:21:06 +0000 Subject: [PATCH] [BitcodeReader] Error out if we read an invalid function argument type Bug found with AFL fuzz. git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@237650 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/Bitcode/Reader/BitcodeReader.cpp | 5 ++++- .../Inputs/invalid-function-argument-type.bc | Bin 0 -> 452 bytes test/Bitcode/invalid.test | 5 +++++ 3 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 test/Bitcode/Inputs/invalid-function-argument-type.bc
diff --git a/lib/Bitcode/Reader/BitcodeReader.cpp b/lib/Bitcode/Reader/BitcodeReader.cpp
index 70b681000a7..bba29172a28 100644
--- a/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -1402,8 +1402,11 @@ std::error_code BitcodeReader::ParseTypeTableBody() {
 return Error("Invalid record");
 SmallVector ArgTys;
 for (unsigned i = 2, e = Record.size(); i != e; ++i) {
- if (Type *T = getTypeByID(Record[i]))
+ if (Type *T = getTypeByID(Record[i])) {
+ if (!FunctionType::isValidArgumentType(T))
+ return Error("Invalid function argument type");
 ArgTys.push_back(T);
+ }
 else
 break;
 }
diff --git a/test/Bitcode/Inputs/invalid-function-argument-type.bc b/test/Bitcode/Inputs/invalid-function-argument-type.bc
new file mode 100644
index 0000000000000000000000000000000000000000..b00fb03cd3138f0b8b19e50f127f468a125a9075
GIT binary patch literal 452 zcmZ>AK5$Qwhk+rFfq{X$Nr8b0NDBcmd!zD1#}h1`Yyw7>lNeigR9QJB}F$U~Vl5k}h%XN#7@Jx&eml@;v8GYWa0 zG4Q_?;QP|RXUyXycj%z(xrH)m2CQIZ&C+L>ZBIDc_AuK5%_vl0U;vpXwn3rS#U+?k zM9&`6j5d{ lF$U6`1)D*{A)sgZK)wdK3t_e>(4?zrK$B7+CIKaZ003S;VtD`n literal 0 HcmV?d00001
diff --git a/test/Bitcode/invalid.test b/test/Bitcode/invalid.test
index c4c635e08d3..7a2dbdcc1b3 100644
--- a/test/Bitcode/invalid.test
+++ b/test/Bitcode/invalid.test
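Review bot: In the `BitcodeReader::ParseTypeTableBody` hunk, only the types read from `Record[2]` onward are validated; the loop starts at index 2, so whichever earlier record field names the result type is resolved outside this hunk and is not covered by the new check. If that type is also obtained through `getTypeByID` from file-controlled data, it wants the matching guard with `FunctionType::isValidReturnType` before the function type is built. Any other record kind in this function that fills `ArgTys` with a similar loop would need the same `isValidArgumentType` test; neither is visible here, so both should be confirmed against the full file. A one-line comment above the new check, for example `// Type IDs come from the bitcode file; reject ones that cannot be a function argument.`, would record why it exists. The enclosing function starts and ends outside the hunk.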
@@ -152,3 +152,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-code-len-width.bc 2>&1 | \ RUN: FileCheck --check-prefix=INVALID-CODELENWIDTH %s INVALID-CODELENWIDTH: Malformed block + +RUN: not llvm-dis -disable-output %p/Inputs/invalid-function-argument-type.bc 2>&1 | \ +RUN: FileCheck --check-prefix=INVALID-ARGUMENT-TYPE %s + +INVALID-ARGUMENT-TYPE: Invalid function argument type -- 2.34.1
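Review bot: Nothing in `invalid.test` records what is malformed inside `invalid-function-argument-type.bc`; the input is an opaque 452-byte file that the commit message attributes to AFL. A plain text line above the new `RUN:` pair, saying that the file carries a function type record whose parameter type is not a valid argument type and that it was fuzzer-found, would let a later maintainer regenerate or minimise it if the bitcode format changes. The check itself matches the new error string added in `BitcodeReader.cpp`.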