From 40a2e1e338ee856e16859e70c9b6f286902626b1 Mon Sep 17 00:00:00 2001
From: Martin Storsjo
Date: Tue, 24 Oct 2017 07:16:40 +0000
Subject: Add missing checks for register number

Most other cases that touch savedRegisters[reg] have got this check, but these three seemed to lack it.

Differential Revision: https://reviews.llvm.org/D39206

git-svn-id: https://llvm.org/svn/llvm-project/libunwind/trunk@316415 91177308-0d34-0410-b5e6-96231b3b80d8
---
 src/DwarfParser.hpp | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/DwarfParser.hpp b/src/DwarfParser.hpp
index 3c98d30..d45ad49 100644
--- a/src/DwarfParser.hpp
+++ b/src/DwarfParser.hpp
@@ -605,6 +605,13 @@ bool CFI_Parser::parseInstructions(A &addressSpace, pint_t instructions,
 break;
 case DW_CFA_val_offset:
 reg = addressSpace.getULEB128(p, instructionsEnd);
+ if (reg > kMaxRegisterNumber) {
+ fprintf(stderr,
+ "malformed DW_CFA_val_offset DWARF unwind, reg (%" PRIu64
+ ") out of range\n",
+ reg);
+ return false;
+ }
 offset = (int64_t)addressSpace.getULEB128(p, instructionsEnd) *
 cieInfo.dataAlignFactor;
 results->savedRegisters[reg].location = kRegisterOffsetFromCFA;
@@ -668,6 +675,12 @@ bool CFI_Parser::parseInstructions(A &addressSpace, pint_t instructions,
 switch (opcode & 0xC0) {
 case DW_CFA_offset:
 reg = operand;
+ if (reg > kMaxRegisterNumber) {
+ fprintf(stderr, "malformed DW_CFA_offset DWARF unwind, reg (%" PRIu64
+ ") out of range\n",
+ reg);
+ return false;
+ }
 offset = (int64_t)addressSpace.getULEB128(p, instructionsEnd) *
 cieInfo.dataAlignFactor;
 results->savedRegisters[reg].location = kRegisterInCFA;
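Review bot: The bound check inserted before `results->savedRegisters[reg].location = kRegisterOffsetFromCFA;` is the same six lines, differing only in the opcode name inside the message, as the DW_CFA_offset hunk below it and the DW_CFA_restore hunk that follows, and per the commit message the same pattern already exists in every other case that indexes savedRegisters; three cases were missed precisely because each one has to remember to copy it, so the bound and the message format belong in one helper that each case calls on a single line, e.g. `if (!checkRegister(reg, "DW_CFA_val_offset")) return false;`. That keeps an out-of-range register number from untrusted unwind info from ever reaching the array index, with one place to audit instead of one per opcode. The helper needs to live where `kMaxRegisterNumber` resolves (a static member of CFI_Parser, if that is where the constant is declared — not visible here), and the type of `reg` is not shown in the hunk; the PRIu64 format suggests uint64_t, which the sketch below assumes. parseInstructions begins and ends outside all three hunks.
```cpp
/// Reports a register number that cannot index savedRegisters, using the
/// same wording as the existing per-opcode checks, and returns false so the
/// caller can abort parsing; returns true when reg is in range.
static bool checkRegister(uint64_t reg, const char *opcodeName) {
  if (reg <= kMaxRegisterNumber)
    return true;
  fprintf(stderr, "malformed %s DWARF unwind, reg (%" PRIu64 ") out of range\n",
          opcodeName, reg);
  return false;
}

// … unchanged: earlier cases of parseInstructions …
    case DW_CFA_val_offset:
      reg = addressSpace.getULEB128(p, instructionsEnd);
      if (!checkRegister(reg, "DW_CFA_val_offset"))
        return false;
      // … unchanged: offset computation and savedRegisters update …
```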
@@ -682,6 +695,12 @@ bool CFI_Parser::parseInstructions(A &addressSpace, pint_t instructions,
 break;
 case DW_CFA_restore:
 reg = operand;
+ if (reg > kMaxRegisterNumber) {
+ fprintf(stderr, "malformed DW_CFA_restore DWARF unwind, reg (%" PRIu64
+ ") out of range\n",
+ reg);
+ return false;
+ }
 results->savedRegisters[reg] = initialState.savedRegisters[reg];
 _LIBUNWIND_TRACE_DWARF("DW_CFA_restore(reg=%" PRIu64 ")\n",
 static_cast(operand));
-- cgit v1.2.3