authorFilipe Cabecinhas <me@filcab.net>2015-04-30 00:52:42 +0000
committerFilipe Cabecinhas <me@filcab.net>2015-04-30 00:52:42 +0000
commitbad0779f6310af38570f4fcfc68ea876d5e4dca7 (patch)
tree39e5d606a7417e837fe513a953bbaa77c6a78e8c
parent34948e5e22079597714618a724feb70eeaba2609 (diff)
Make sure we don't resize(0) when we get a fwdref with Idx == UINT_MAX
Make it an error instead. Bug found with AFL fuzz. llvm-svn: 236190
-rw-r--r--llvm/lib/Bitcode/Reader/BitcodeReader.cpp4
-rw-r--r--llvm/test/Bitcode/Inputs/invalid-too-big-fwdref.bcbin0 -> 452 bytes
-rw-r--r--llvm/test/Bitcode/invalid.test5
3 files changed, 9 insertions, 0 deletions
diff --git a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
index f49a53805c9..7778125e2d4 100644
--- a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -790,6 +790,10 @@ Constant *BitcodeReaderValueList::getConstantFwdRef(unsigned Idx,
}
Value *BitcodeReaderValueList::getValueFwdRef(unsigned Idx, Type *Ty) {
+ // Bail out for a clearly invalid value. This would make us call resize(0)
+ if (Idx == UINT_MAX)
+ return nullptr;
+
if (Idx >= size())
resize(Idx + 1);
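Review bot: The new guard in getValueFwdRef rejects only `Idx == UINT_MAX`, so every other oversized index read from the bitcode still reaches `resize(Idx + 1)` and sizes an allocation from untrusted input; an index of `UINT_MAX - 1` would presumably request about four billion slots. Consider rejecting any index that is implausible for the module being read, not just the one value where `Idx + 1` wraps, and confirm that every caller treats the `nullptr` return as an error instead of dereferencing it. The hunk header shows getConstantFwdRef directly above; if it uses the same `resize(Idx + 1)` pattern it needs the same guard, which cannot be confirmed from this hunk. The comment would also be clearer if it gave the reason: `// Idx + 1 wraps to 0 for UINT_MAX, so resize(0) would run while Idx is still out of range.` The body of getValueFwdRef continues past the end of the hunk.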
diff --git a/llvm/test/Bitcode/Inputs/invalid-too-big-fwdref.bc b/llvm/test/Bitcode/Inputs/invalid-too-big-fwdref.bc
new file mode 100644
index 00000000000..d1d51a634fc
--- /dev/null
+++ b/llvm/test/Bitcode/Inputs/invalid-too-big-fwdref.bc
Binary files differ
diff --git a/llvm/test/Bitcode/invalid.test b/llvm/test/Bitcode/invalid.test
index c18ff3d3f61..077f3515128 100644
--- a/llvm/test/Bitcode/invalid.test
+++ b/llvm/test/Bitcode/invalid.test
@@ -112,3 +112,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-array-op-not-2nd-to-last.bc
RUN: FileCheck --check-prefix=ARRAY-NOT-2LAST %s
ARRAY-NOT-2LAST: Array op not second to last
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-too-big-fwdref.bc 2>&1 | \
+RUN: FileCheck --check-prefix=HUGE-FWDREF %s
+
+HUGE-FWDREF: Invalid record