[Bitcode] Prevent OOB read for invalid name size

2022-02-08 09:48:43 +01:00 · 2022-02-08 09:48:43 +01:00 · 6d52ea885f
parent 67348c8acf
commit 6d52ea885f
3 changed files with 7 additions and 0 deletions
--- a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
@ -3243,6 +3243,8 @@ Error BitcodeReader::parseComdatRecord(ArrayRef<uint64_t> Record) {
    if (Record.size() < 2)
      return error("Invalid record");
    unsigned ComdatNameSize = Record[1];
+    if (ComdatNameSize > Record.size() - 2)
+      return error("Comdat name size too large");
    OldFormatName.reserve(ComdatNameSize);
    for (unsigned i = 0; i != ComdatNameSize; ++i)
      OldFormatName += (char)Record[2 + i];
--- a/llvm/test/Bitcode/Inputs/comdat-name-too-large.bc
+++ b/llvm/test/Bitcode/Inputs/comdat-name-too-large.bc
--- a/llvm/test/Bitcode/invalid.test
+++ b/llvm/test/Bitcode/invalid.test
@ -271,3 +271,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/unterminated-vbr.bc 2>&1 | \
 RUN:   FileCheck --check-prefix=UNTERMINATED-VBR %s

 UNTERMINATED-VBR: Unterminated VBR
+
+RUN: not llvm-dis -disable-output %p/Inputs/comdat-name-too-large.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=COMDAT-NAME-TOO-LARGE %s
+
+COMDAT-NAME-TOO-LARGE: Comdat name size too large