From c3ccd67d726a284addde38c9d96dda666143274a Mon Sep 17 00:00:00 2001
From: Filipe Cabecinhas
Date: Tue, 19 May 2015 00:34:17 +0000
Subject: [PATCH] [BitcodeReader] It's a malformed block if CodeLenWidth is too big

Bug found with AFL fuzz.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@237646 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Bitcode/Reader/BitstreamReader.cpp | 4 ++++
 test/Bitcode/Inputs/invalid-code-len-width.bc | Bin 0 -> 173 bytes
 test/Bitcode/invalid.test | 5 +++++
 3 files changed, 9 insertions(+)
 create mode 100644 test/Bitcode/Inputs/invalid-code-len-width.bc

diff --git a/lib/Bitcode/Reader/BitstreamReader.cpp b/lib/Bitcode/Reader/BitstreamReader.cpp
index dff6d181486..450bbbc4558 100644
--- a/lib/Bitcode/Reader/BitstreamReader.cpp
+++ b/lib/Bitcode/Reader/BitstreamReader.cpp
@@ -39,6 +39,10 @@ bool BitstreamCursor::EnterSubBlock(unsigned BlockID, unsigned *NumWordsP) {
 // Get the codesize of this block.
 CurCodeSize = ReadVBR(bitc::CodeLenWidth);
 
+ // We can't read more than MaxChunkSize at a time
+ if (CurCodeSize > MaxChunkSize)
+ return true;
+
 SkipToFourByteBoundary();
 unsigned NumWords = Read(bitc::BlockSizeWidth);
 if (NumWordsP) *NumWordsP = NumWords;
diff --git a/test/Bitcode/Inputs/invalid-code-len-width.bc b/test/Bitcode/Inputs/invalid-code-len-width.bc
new file mode 100644
index 0000000000000000000000000000000000000000..c8e8c4f66538931187d3cfbe3b80c1f1ee3ce76f
GIT binary patch
literal 173
zcmZ>AK5$Qw=NUsD0|NthlLEv4|Nk3={=Z;gZ&aS>B=G-#y?~MBB*qpVRaOp3IhO9E
z1_4(lr%BvSEdoX&790{~0t_xH9$XU?m2EqmEn1qT&oJAbaJKDXwgsA3sKCI$2BgI{
zDD=9x1hXCqYG7e7EK*@V!y%ZoV!;ZBV;=-q7#KRa85sD1%8ZmaI2BS_S%j6Aw6HV?
QDqc-&1 | \
+RUN: FileCheck --check-prefix=INVALID-CODELENWIDTH %s
+
+INVALID-CODELENWIDTH: Malformed block
-- 
2.34.1
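Review bot: The new guard in EnterSubBlock bounds CurCodeSize only from above; a code width of 0, which a fuzzed VBR can produce just as easily, still passes and is presumably used afterwards as the bit width for reading abbreviation IDs, where a zero-bit read is meaningless (it cannot even encode END_BLOCK) and, if Read() insists on a non-zero width as I recall it does in the header, would trip an assertion rather than a clean failure — worth confirming outside this hunk. Rejecting it in the same place keeps the malformed-input handling together: `if (CurCodeSize == 0 || CurCodeSize > MaxChunkSize)`. The comment describes the mechanical limit but not the contract the caller sees, so I would extend it to `// A code width of 0 or above MaxChunkSize cannot be read: treat the block as malformed.` Note that CurCodeSize has already been overwritten before the early return, which is only safe as long as every caller abandons the cursor when `true` comes back. EnterSubBlock's signature is in the hunk header and its body continues past the hunk.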