mirrors/yosys
3
0
Fork 0
mirror of https://github.com/YosysHQ/yosys synced 2025-10-30 11:12:29 +00:00
Code Activity

Limit the maximum size of parsed RTLIL constants to 1 Gb.

Browse source 
Without this check it's trivially easy to crash Yosys with a tiny RTLIL input
by specifying a constant with very large width. Fuzz testers love hitting this
over and over again.
This commit is contained in:
Robert O'Callahan 2025-09-16 01:17:45 +00:00
parent ac4cb5e460
commit 915ad949f9
1 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
frontends/rtlil/rtlil_frontend.cc
View file

@ -31,6 +31,10 @@
YOSYS_NAMESPACE_BEGIN
struct RTLILFrontendWorker {
// Forbid constants of more than 1 Gb.
// This will help us not explode on malicious RTLIL.
static constexpr int MAX_CONST_WIDTH = 1024 * 1024 * 1024;
std::istream *f = nullptr;
RTLIL::Design *design;
bool flag_nooverwrite = false;
@ -267,7 +271,7 @@ struct RTLILFrontendWorker {
// Can't test value<0 here because we need to stop parsing after '-0'
if (negative_value || line[0] != '\'') {
if (width < INT_MIN || width > INT_MAX)
error("Integer %lld out of range in `%s'.", width, error_token());
error("Integer %lld out of range before `%s'.", width, error_token());
consume_whitespace_and_comments();
return RTLIL::Const(width);
}
@ -278,6 +282,8 @@ struct RTLILFrontendWorker {
++idx;
std::vector<RTLIL::State> bits;
if (width > MAX_CONST_WIDTH)
error("Constant width %lld out of range before `%s`.", width, error_token());
bits.reserve(width);
while (true) {
RTLIL::State bit;