| author | Filipe Cabecinhas <me@filcab.net> | 2015-04-30 04:09:41 +0000 |
|---|---|---|
| committer | Filipe Cabecinhas <me@filcab.net> | 2015-04-30 04:09:41 +0000 |
| commit | f8a16a952dddaf1d38d6f596b78b1041ce5ea2eb (patch) | |
| tree | e5ea984643f7e00e6a756f212c64494e9e1e1565 | |
| parent | d8a029c81ba59fa53847ab7784ff5fb81ea0d1fe (diff) | |
Don't overflow GCTable
Summary: Bug found with AFL fuzz.
Reviewers: rafael, dexonsmith
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D9361
llvm-svn: 236200
| -rw-r--r-- | llvm/lib/Bitcode/Reader/BitcodeReader.cpp | 2 | ||||
| -rw-r--r-- | llvm/test/Bitcode/Inputs/invalid-GCTable-overflow.bc | bin | 0 -> 452 bytes | |||
| -rw-r--r-- | llvm/test/Bitcode/invalid.test | 5 |
3 files changed, 6 insertions, 1 deletions
diff --git a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
index 456df6dab8e..aed1196f3ce 100644
--- a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -2992,7 +2992,7 @@ std::error_code BitcodeReader::ParseModule(bool Resume,
 // FIXME: Change to an error if non-default in 4.0.
 Func->setVisibility(GetDecodedVisibility(Record[7]));
 if (Record.size() > 8 && Record[8]) {
- if (Record[8]-1 > GCTable.size())
+ if (Record[8]-1 >= GCTable.size())
 return Error("Invalid ID");
 Func->setGC(GCTable[Record[8]-1].c_str());
 }
diff --git a/llvm/test/Bitcode/Inputs/invalid-GCTable-overflow.bc b/llvm/test/Bitcode/Inputs/invalid-GCTable-overflow.bc
Binary files differ
new file mode 100644
index 00000000000..a9e9c52e1c0
--- /dev/null
+++ b/llvm/test/Bitcode/Inputs/invalid-GCTable-overflow.bc
diff --git a/llvm/test/Bitcode/invalid.test b/llvm/test/Bitcode/invalid.test
index 4aff5c00501..2fe77989b2a 100644
--- a/llvm/test/Bitcode/invalid.test
+++ b/llvm/test/Bitcode/invalid.test
@@ -122,3 +122,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-load-pointer-type.bc 2>&1 | RUN: FileCheck --check-prefix=LOAD-BAD-TYPE %s LOAD-BAD-TYPE: Load operand is not a pointer type
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-GCTable-overflow.bc 2>&1 | \
+RUN: FileCheck --check-prefix=GCTABLE-OFLOW %s
+
+GCTABLE-OFLOW: Invalid ID |
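Review bot: The corrected bound in `if (Record[8]-1 >= GCTable.size())` is only safe from wrap-around because the enclosing `if (Record.size() > 8 && Record[8])` rejects zero first, and nothing at the site says that field 8 is a 1-based index with 0 reserved. A comment above the check would keep the two conditions tied together, for example `// Record[8] is a 1-based GCTable index (0 = no GC); valid values are 1..GCTable.size().` ParseModule starts and ends outside this hunk, so any other table lookups of the same `Record[N]-1` form are not visible here; they would be worth checking for the same `>` versus `>=` mistake, since the record contents come from the bitcode file being parsed.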
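Review bot: The added check line `GCTABLE-OFLOW: Invalid ID` matches a generic message, so the test would still pass if the input were rejected by some other check that prints the same text before the GCTable bound is reached. Whether other reader paths emit "Invalid ID" is not visible on this page. If they do, a message specific to this site, for example `return Error("Invalid GC ID");` with the check line updated to match, would pin the regression test to the comparison this commit fixes.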

