[Bitcode] Guard against out of bounds value reference

We should make sure that the value ID is in bounds, otherwise we will assert / read out of bounds.
2022-02-07 11:51:19 +01:00 · 2022-02-07 11:51:19 +01:00 · 0c553bff8e
parent ec18030f5f
commit 0c553bff8e
3 changed files with 11 additions and 2 deletions
--- a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
@ -2107,11 +2107,15 @@ Error BitcodeReader::parseGlobalValueSymbolTable() {
    if (!MaybeRecord)
      return MaybeRecord.takeError();
    switch (MaybeRecord.get()) {
-    case bitc::VST_CODE_FNENTRY: // [valueid, offset]
+    case bitc::VST_CODE_FNENTRY: { // [valueid, offset]
+      unsigned ValueID = Record[0];
+      if (ValueID >= ValueList.size() || !ValueList[ValueID])
+        return error("Invalid value reference in symbol table");
      setDeferredFunctionInfo(FuncBitcodeOffsetDelta,
-                              cast<Function>(ValueList[Record[0]]), Record);
+                              cast<Function>(ValueList[ValueID]), Record);
      break;
    }
+    }
  }
 }

--- a/llvm/test/Bitcode/Inputs/invalid-value-symbol-table.bc
+++ b/llvm/test/Bitcode/Inputs/invalid-value-symbol-table.bc
--- a/llvm/test/Bitcode/invalid.test
+++ b/llvm/test/Bitcode/invalid.test
@ -266,3 +266,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/unterminated-blob.bc 2>&1 | \
 RUN:   FileCheck --check-prefix=UNTERMINATED-BLOB %s

 UNTERMINATED-BLOB: Blob ends too soon
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-value-symbol-table.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=INVALID-VALUE-SYMBOL-TABLE %s
+
+INVALID-VALUE-SYMBOL-TABLE: Invalid value reference in symbol table