From 0c553bff8e76ebfbf9cd4e94ff565018ed1ff0c1 Mon Sep 17 00:00:00 2001
From: Nikita Popov <npopov@redhat.com>
Date: Mon, 7 Feb 2022 11:51:19 +0100
Subject: [PATCH] [Bitcode] Guard against out of bounds value reference

We should make sure that the value ID is in bounds, otherwise
we will assert / read out of bounds.
---
 llvm/lib/Bitcode/Reader/BitcodeReader.cpp        |   8 ++++++--
 .../Bitcode/Inputs/invalid-value-symbol-table.bc | Bin 0 -> 1192 bytes
 llvm/test/Bitcode/invalid.test                   |   5 +++++
 3 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 llvm/test/Bitcode/Inputs/invalid-value-symbol-table.bc

diff --git a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
index 308986a588f4..c24dcf030deb 100644
--- a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -2107,11 +2107,15 @@ Error BitcodeReader::parseGlobalValueSymbolTable() {
     if (!MaybeRecord)
       return MaybeRecord.takeError();
     switch (MaybeRecord.get()) {
-    case bitc::VST_CODE_FNENTRY: // [valueid, offset]
+    case bitc::VST_CODE_FNENTRY: { // [valueid, offset]
+      unsigned ValueID = Record[0];
+      if (ValueID >= ValueList.size() || !ValueList[ValueID])
+        return error("Invalid value reference in symbol table");
       setDeferredFunctionInfo(FuncBitcodeOffsetDelta,
-                              cast<Function>(ValueList[Record[0]]), Record);
+                              cast<Function>(ValueList[ValueID]), Record);
       break;
     }
+    }
   }
 }
 
diff --git a/llvm/test/Bitcode/Inputs/invalid-value-symbol-table.bc b/llvm/test/Bitcode/Inputs/invalid-value-symbol-table.bc
new file mode 100644
index 0000000000000000000000000000000000000000..509133ef46cdaccab734b030964a8eed6b68c835
GIT binary patch
literal 1192
zcmXw3e@q*76#uqYdS~grcbkN@a#!zwX)_gW#UHKL8rws}IAa(02TLGp85Gch*U~^?
zy0mMTW3hj9gv|bdIuiczznYMZKZw#EVkH%EF@{7!sFWX?j*tzPB`)f>pf9=i?tSy_
zz4!UN_dS<5zy4Ac02Kg$PCZ}$&V{diAOAJ;ZcVPfS!JmJoE`wE0-#dO0X2%LMh_mX
zyWz}f-qKPQ+qf#OKUF~(O`1<SBh(ve*LbBXPFbp~gyC(S#WmI{EpT<sC*%a>99MVc
zh_9+xv1N??US)B`4X4eglV?6kx8GnFawzY07Jy^OT55?W*v=NfJy)NixKl_OpVeQR
zPI_Ej?QDJ5RbW)5>Hww_Bh4#%P5!v%O#*w0I}3k|{BZlu#e@5kf9sZawr;07Zho`a
zZ@rRu?aq2Ic;WM*FFO1WlR83+O8hSokX&Wm=W79AtFcefX%i8l7YekmO63?6t#Kvc
zir^z*d@vQzZv*lk1rH*yN$)acGtBZ7?c*yB!(ugg%#jlv3CxiXCqfc_nZQR{Wl6$E
zC2S}xORQ|nABUwREb!z2Pj2qReK%~P7MOL8Ugemq*W}}`3v)4HMYPRe_PLlnjtTkw
zsv!@4xfg$>R}LZ_k)@<8dGH}KKJ=&pr5%pQ7YR9Fkb^0CBo%#rZy)Y$z(40<iN`u~
zQ*?2P&L8SEFTKRk3sGjttNkS@+H#^Tb*N_*>x5_>!-NT?5fy!WRrnbb(u)4OK3Qs$
zgHkNii-$dO$RLMq$;RdP$UQ*bcf(>5ZoW<ySXe?RSTnPhF=d^myBxh1HLY#X#RBt(
z%H%Vgv!=yYCu2h1UH=~tk31a4!>My;50Ye=0n_`YB`>|pG3y!Tipo@Om}B<6+Vj_9
z*1RI5MF%3}an@cGg)!tRiEniXsXUDOA@ET%9!y2sHz`<}hg)v=fUnEkb()HWldA=0
z9W~Hu6w)!rOspoZSQDZxuh?fZww!`6+Vib50Rl%|1rUL4vhmkNSn`nfHnjUJxy6%P
zEcwt42PnA7L*zc#(Eh#wi*ERculud!rL$3HwQ#b;G20xoz%gioyWG=0_A_Blbj)J5
ziI^?lHixE<z>cCmTjgO12jEKs036z}N?p*5W`~cqNhuVsAeL+^%GGUpaq8Hvv%Fd;
z?GY!{FK&9^jvG-;7R!W_J8pQ8jzsYh^Wi3hWrU*4Lz^_ISZ7qibj&fKs6RkUMXwd;
zHI^=V%X&9z%6jRQDLQx5yy_<kfbvDa^Y-bOFo_lbbKHvA(J~|zblriM1we=FlbXz|
z(?X~yjhgSZQb2>wswwacrFoemTBvs99!h`(07GvUNY%#wIT8dJbfEtSDg{np69Hs^
z?@Utz-@y0uh5Y`Z{>D)EV5reKIN06a>F*9UUh0>^mwJ0%_%PVj9qb$EY4H2YA0hb{
D@{*#x

literal 0
HcmV?d00001

diff --git a/llvm/test/Bitcode/invalid.test b/llvm/test/Bitcode/invalid.test
index 7dabafdb6d0c..32f93ab160e9 100644
--- a/llvm/test/Bitcode/invalid.test
+++ b/llvm/test/Bitcode/invalid.test
@@ -266,3 +266,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/unterminated-blob.bc 2>&1 | \
 RUN:   FileCheck --check-prefix=UNTERMINATED-BLOB %s
 
 UNTERMINATED-BLOB: Blob ends too soon
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-value-symbol-table.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=INVALID-VALUE-SYMBOL-TABLE %s
+
+INVALID-VALUE-SYMBOL-TABLE: Invalid value reference in symbol table