Fix VN segfault

Message ID nycvar.YFH.7.76.1911291450560.5566@zhemvz.fhfr.qr

Commit Message

Richard Biener Nov. 29, 2019, 1:51 p.m.
This probably fixes a buffer overrun reported by Honza.

Bootstrapped and tested on x86_64-unknown-linux-gnu, applied.

Richard.

2019-11-29  Richard Biener  <rguenther@suse.de>

	* tree-ssa-sccvn.c (vn_walk_cb_data::push_partial_def): Bail
	out early for too large objects.

Patch

Index: gcc/tree-ssa-sccvn.c
===================================================================
--- gcc/tree-ssa-sccvn.c	(revision 278832)
+++ gcc/tree-ssa-sccvn.c	(working copy)
@@ -1753,6 +1753,12 @@  void *
 vn_walk_cb_data::push_partial_def (const pd_data &pd, tree vuse,
 				   HOST_WIDE_INT maxsizei)
 {
+  const HOST_WIDE_INT bufsize = 64;
+  /* We're using a fixed buffer for encoding so fail early if the object
+     we want to interpret is bigger.  */
+  if (maxsizei > bufsize * BITS_PER_UNIT)
+    return (void *)-1;
+
   if (partial_defs.is_empty ())
     {
       partial_defs.safe_push (pd);
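Review bot: The new bail-out only rejects maxsizei values above bufsize * BITS_PER_UNIT, so a negative maxsizei (the usual encoding for an unknown extent) would pass and still reach the fixed 64-byte buffer later in the function; if callers do not already exclude that case, `if (maxsizei < 0 || maxsizei > bufsize * BITS_PER_UNIT)` makes the guard self-contained. The rationale for the constant ("We support up to 512-bit values (for V8DFmode)") stays on the buffer declaration in the second hunk while bufsize is now introduced here; moving that comment next to `const HOST_WIDE_INT bufsize = 64;` keeps the number and its justification together. push_partial_def's body continues past the end of this hunk.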
@@ -1823,16 +1829,17 @@  vn_walk_cb_data::push_partial_def (const
   /* Now simply native encode all partial defs in reverse order.  */
   unsigned ndefs = partial_defs.length ();
   /* We support up to 512-bit values (for V8DFmode).  */
-  unsigned char buffer[64];
+  unsigned char buffer[bufsize];
   int len;
 
   while (!partial_defs.is_empty ())
     {
       pd_data pd = partial_defs.pop ();
+      gcc_checking_assert (pd.offset < bufsize);
       if (TREE_CODE (pd.rhs) == CONSTRUCTOR)
 	/* Empty CONSTRUCTOR.  */
 	memset (buffer + MAX (0, pd.offset),
-		0, MIN ((HOST_WIDE_INT)sizeof (buffer) - MAX (0, pd.offset),
+		0, MIN (bufsize - MAX (0, pd.offset),
 			pd.size + MIN (0, pd.offset)));
       else
 	{
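Review bot: The added gcc_checking_assert on pd.offset is compiled out of release builds, so the memset below it, and the native_encode_expr size argument in the third hunk, still rely on every pushed pd.offset being below bufsize; if that follows only from the maxsizei check at function entry, say so, e.g. `/* pd.offset < bufsize is guaranteed by the maxsizei bail-out at entry.  */`. Should pd.offset ever reach bufsize in a non-checking build, `bufsize - MAX (0, pd.offset)` becomes zero or negative and is handed to memset as a size_t, so a hard `if (pd.offset >= bufsize) return (void *)-1;` would be the safer form unless the invariant is strictly proven. The enclosing while loop continues beyond this hunk.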
@@ -1847,7 +1854,7 @@  vn_walk_cb_data::push_partial_def (const
 	      pad = GET_MODE_SIZE (mode) - pd.size;
 	    }
 	  len = native_encode_expr (pd.rhs, buffer + MAX (0, pd.offset),
-				    sizeof (buffer) - MAX (0, pd.offset),
+				    bufsize - MAX (0, pd.offset),
 				    MAX (0, -pd.offset) + pad);
 	  if (len <= 0 || len < (pd.size - MAX (0, -pd.offset)))
 	    {