[BitcodeReader] It's a malformed block if CodeLenWidth is too big

Bug found with AFL fuzz.

llvm-svn: 237646

3 files changed, 9 insertions, 0 deletions

diff --git a/llvm/lib/Bitcode/Reader/BitstreamReader.cpp b/llvm/lib/Bitcode/Reader/BitstreamReader.cpp
index dff6d181486..450bbbc4558 100644
--- a/llvm/lib/Bitcode/Reader/BitstreamReader.cpp
+++ b/llvm/lib/Bitcode/Reader/BitstreamReader.cpp
@@ -39,6 +39,10 @@ bool BitstreamCursor::EnterSubBlock(unsigned BlockID, unsigned *NumWordsP) {
 
   // Get the codesize of this block.
   CurCodeSize = ReadVBR(bitc::CodeLenWidth);
+  // We can't read more than MaxChunkSize at a time
+  if (CurCodeSize > MaxChunkSize)
+    return true;
+
   SkipToFourByteBoundary();
   unsigned NumWords = Read(bitc::BlockSizeWidth);
   if (NumWordsP) *NumWordsP = NumWords;
diff --git a/llvm/test/Bitcode/Inputs/invalid-code-len-width.bc b/llvm/test/Bitcode/Inputs/invalid-code-len-width.bc
new file mode 100644
index 00000000000..c8e8c4f6653
--- /dev/null
+++ b/llvm/test/Bitcode/Inputs/invalid-code-len-width.bc
diff --git a/llvm/test/Bitcode/invalid.test b/llvm/test/Bitcode/invalid.test
index 921d4e62c04..c4c635e08d3 100644
--- a/llvm/test/Bitcode/invalid.test
+++ b/llvm/test/Bitcode/invalid.test
@@ -147,3 +147,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-inserted-value-type-mismatch
 RUN:   FileCheck --check-prefix=INSERT-TYPE-MISMATCH %s
 
 INSERT-TYPE-MISMATCH: Inserted value type doesn't match aggregate type
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-code-len-width.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=INVALID-CODELENWIDTH %s
+
+INVALID-CODELENWIDTH: Malformed block