[BitcodeReader] Fix asserts when we read a non-vector type for insert/extract/shuffle

Added some additional checking for vector types + tests.

Bug found with AFL fuzz.

llvm-svn: 235710

5 files changed, 18 insertions, 2 deletions

diff --git a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
index a16be24a5b5..57cd1d434dc 100644
--- a/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/llvm/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -3646,6 +3646,8 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
       if (getValueTypePair(Record, OpNum, NextValueNo, Vec) ||
           getValueTypePair(Record, OpNum, NextValueNo, Idx))
         return Error("Invalid record");
+      if (!Vec->getType()->isVectorTy())
+        return Error("Invalid type for value");
       I = ExtractElementInst::Create(Vec, Idx);
       InstructionList.push_back(I);
       break;
@@ -3654,8 +3656,11 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
     case bitc::FUNC_CODE_INST_INSERTELT: { // INSERTELT: [ty, opval,opval,opval]
       unsigned OpNum = 0;
       Value *Vec, *Elt, *Idx;
-      if (getValueTypePair(Record, OpNum, NextValueNo, Vec) ||
-          popValue(Record, OpNum, NextValueNo,
+      if (getValueTypePair(Record, OpNum, NextValueNo, Vec))
+        return Error("Invalid record");
+      if (!Vec->getType()->isVectorTy())
+        return Error("Invalid type for value");
+      if (popValue(Record, OpNum, NextValueNo,
                    cast<VectorType>(Vec->getType())->getElementType(), Elt) ||
           getValueTypePair(Record, OpNum, NextValueNo, Idx))
         return Error("Invalid record");
@@ -3673,6 +3678,8 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
 
       if (getValueTypePair(Record, OpNum, NextValueNo, Mask))
         return Error("Invalid record");
+      if (!Vec1->getType()->isVectorTy() || !Vec2->getType()->isVectorTy())
+        return Error("Invalid type for value");
       I = new ShuffleVectorInst(Vec1, Vec2, Mask);
       InstructionList.push_back(I);
       break;
diff --git a/llvm/test/Bitcode/Inputs/invalid-non-vector-extractelement.bc b/llvm/test/Bitcode/Inputs/invalid-non-vector-extractelement.bc
new file mode 100644
index 00000000000..6fee7edad87
--- /dev/null
+++ b/llvm/test/Bitcode/Inputs/invalid-non-vector-extractelement.bc
diff --git a/llvm/test/Bitcode/Inputs/invalid-non-vector-insertelement.bc b/llvm/test/Bitcode/Inputs/invalid-non-vector-insertelement.bc
new file mode 100644
index 00000000000..36271657791
--- /dev/null
+++ b/llvm/test/Bitcode/Inputs/invalid-non-vector-insertelement.bc
diff --git a/llvm/test/Bitcode/Inputs/invalid-non-vector-shufflevector.bc b/llvm/test/Bitcode/Inputs/invalid-non-vector-shufflevector.bc
new file mode 100644
index 00000000000..6c83a4dcb76
--- /dev/null
+++ b/llvm/test/Bitcode/Inputs/invalid-non-vector-shufflevector.bc
diff --git a/llvm/test/Bitcode/invalid.test b/llvm/test/Bitcode/invalid.test
index 1d8e14230ff..f2271e81f5b 100644
--- a/llvm/test/Bitcode/invalid.test
+++ b/llvm/test/Bitcode/invalid.test
@@ -78,3 +78,12 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-array-type.bc 2>&1 | \
 RUN:   FileCheck --check-prefix=ARRAY-TYPE %s
 
 ARRAY-TYPE: Array element type can't be an Array or a Blob
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-non-vector-extractelement.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=INVALID-TYPE %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-non-vector-insertelement.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=INVALID-TYPE %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-non-vector-shufflevector.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=INVALID-TYPE %s
+
+INVALID-TYPE: Invalid type for value