[BitcodeReader] Validate Strtab before accessing.

This fixes a crash with invalid bitcode files that have records referencing names in Strtab, but Strtab is not present or the index is out-of-bounds. This fixes the following clusterfuzz issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29895 Reviewed By: arsenm Differential Revision: https://reviews.llvm.org/D95554
2024-10-18 18:42:46 +02:00 · 2021-06-22 14:48:45 +01:00 · 2021-06-22 14:48:45 +01:00 · 0966169859
commit 0966169859
parent dca0f3abd1
3 changed files with 10 additions and 2 deletions
--- a/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/lib/Bitcode/Reader/BitcodeReader.cpp
@ -3407,9 +3407,12 @@ Error BitcodeReader::parseFunctionRecord(ArrayRef<uint64_t> Record) {

  // Record[16] is the address space number.

-  // Check whether we have enough values to read a partition name.
-  if (Record.size() > 18)
+  // Check whether we have enough values to read a partition name. Also make
+  // sure Strtab has enough values.
+  if (Record.size() > 18 && Strtab.data() &&
+      Record[17] + Record[18] <= Strtab.size()) {
    Func->setPartition(StringRef(Strtab.data() + Record[17], Record[18]));
+  }

  ValueList.push_back(Func);

--- a/test/Bitcode/invalid-record-strtab.ll
+++ b/test/Bitcode/invalid-record-strtab.ll
@ -0,0 +1,5 @@
+; Bitcode with an invalid record that indexes a name outside of strtab.
+
+; RUN: not llvm-dis %s.bc -o - 2>&1 | FileCheck %s
+
+; CHECK: error: Invalid record
--- a/test/Bitcode/invalid-record-strtab.ll.bc
+++ b/test/Bitcode/invalid-record-strtab.ll.bc