From 43a15113ff41f5a7ae40a70ca66a93e8b864f9f3 Mon Sep 17 00:00:00 2001
From: "Emil J. Tywoniak" <emil@tywoniak.eu>
Date: Wed, 11 Feb 2026 12:07:41 +0100
Subject: [PATCH 1/2] aigerparse: add some bounds checks

---
 frontends/aiger/aigerparse.cc | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/frontends/aiger/aigerparse.cc b/frontends/aiger/aigerparse.cc
index 4df37c0cd..a27a23e79 100644
--- a/frontends/aiger/aigerparse.cc
+++ b/frontends/aiger/aigerparse.cc
@@ -286,10 +286,15 @@ end_of_header:
 
 			RTLIL::IdString escaped_s = stringf("\\%s", s);
 			RTLIL::Wire* wire;
-			if (c == 'i') wire = inputs[l1];
-			else if (c == 'l') wire = latches[l1];
-			else if (c == 'o') {
+			if (c == 'i')  {
+				log_assert(l1 < inputs.size());
+				wire = inputs[l1];
+			} else if (c == 'l') {
+				log_assert(l1 < latches.size());
+				wire = latches[l1];
+			} else if (c == 'o') {
 				wire = module->wire(escaped_s);
+				log_assert(l1 < outputs.size());
 				if (wire) {
 					// Could have been renamed by a latch
 					module->swap_names(wire, outputs[l1]);
@@ -297,9 +302,9 @@ end_of_header:
 					goto next;
 				}
 				wire = outputs[l1];
-			}
-			else if (c == 'b') wire = bad_properties[l1];
-			else log_abort();
+			} else if (c == 'b') {
+				wire = bad_properties[l1];
+			} else log_abort();
 
 			module->rename(wire, escaped_s);
 		}

From 2e03ee143478533968716478886634f610219f3a Mon Sep 17 00:00:00 2001
From: Lofty <dan.ravensloft@gmail.com>
Date: Wed, 11 Feb 2026 11:46:17 +0000
Subject: [PATCH 2/2] aigerparse: sanity-check AIGER header

---
 frontends/aiger/aigerparse.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/frontends/aiger/aigerparse.cc b/frontends/aiger/aigerparse.cc
index a27a23e79..e55349aa7 100644
--- a/frontends/aiger/aigerparse.cc
+++ b/frontends/aiger/aigerparse.cc
@@ -657,6 +657,9 @@ void AigerReader::parse_aiger_binary()
 	unsigned l1, l2, l3;
 	std::string line;
 
+	if (M != I + L + A)
+		log_error("Binary AIGER input is malformed: maximum variable index M is %u, but number of inputs, latches and AND gates adds up to %u.\n", M, I + L + A);
+
 	// Parse inputs
 	int digits = decimal_digits(I);
 	for (unsigned i = 1; i <= I; ++i) {