[RISCV] Fix AddressSanitizer heap-buffer-overflow in disassembling
Summary:
RISCVDisassembler should check number of bytes available before reading them.
Crash noticed when enabling -DLLVM_USE_SANITIZER=Address.
This bug was uncovered by an LLVM MC Disassembler Protocol Buffer Fuzzer for the RISC-V assembly language.
Reviewers: asb
Reviewed By: asb
Subscribers: rbar, johnrusso, simoncook, sabuasal, niosHD, kito-cheng, shiva0217, zzheng, edward-jones, mgrang, rogfer01, MartinMosbeck, brucehoult, the_o, rkruppe, PkmX, jocewei, asb
Differential Revision: https://reviews.llvm.org/D51708
llvm-svn: 341686
diff --git a/llvm/lib/Target/RISCV/Disassembler/RISCVDisassembler.cpp b/llvm/lib/Target/RISCV/Disassembler/RISCVDisassembler.cpp
index 7bbb371..a2a6ffc 100644
--- a/llvm/lib/Target/RISCV/Disassembler/RISCVDisassembler.cpp
+++ b/llvm/lib/Target/RISCV/Disassembler/RISCVDisassembler.cpp
@@ -257,11 +257,19 @@
// It's a 32 bit instruction if bit 0 and 1 are 1.
if ((Bytes[0] & 0x3) == 0x3) {
+ if (Bytes.size() < 4) {
+ Size = 0;
+ return MCDisassembler::Fail;
+ }
Insn = support::endian::read32le(Bytes.data());
LLVM_DEBUG(dbgs() << "Trying RISCV32 table :\n");
Result = decodeInstruction(DecoderTable32, MI, Insn, Address, this, STI);
Size = 4;
} else {
+ if (Bytes.size() < 2) {
+ Size = 0;
+ return MCDisassembler::Fail;
+ }
Insn = support::endian::read16le(Bytes.data());
if (!STI.getFeatureBits()[RISCV::Feature64Bit]) {
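Review bot: the branch condition `if ((Bytes[0] & 0x3) == 0x3)` just above the first added check still dereferences `Bytes[0]` before either new size check runs, so an empty `Bytes` array reaches the same kind of out-of-bounds read this patch is fixing, unless a length check already exists above the shown context. Since the shortest valid encoding needs two bytes anyway, a single `if (Bytes.size() < 2) { Size = 0; return MCDisassembler::Fail; }` hoisted above the branch would cover the first-byte read and make the second added check in the `else` branch redundant; the `< 4` check in the 32-bit branch would stay as is. Setting `Size = 0` on the failure paths is the right choice, as callers use it to decide how far to advance.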