Merge pull request swiftlang#29986 from slavapestov/bounds-check-vtable-override-descriptor

slavapestov · web-flow · commit 4609b1c4446a · 2020-02-21T13:13:14.000-05:00
Runtime: Bounds check method override descriptors
diff --git a/stdlib/public/runtime/Metadata.cpp b/stdlib/public/runtime/Metadata.cpp
@@ -2383,11 +2383,20 @@ static void initClassVTable(ClassMetadata *self) {
       // Calculate the base method's vtable offset from the
       // base method descriptor. The offset will be relative
       // to the base class's vtable start offset.
-      auto baseClassMethods = baseClass->getMethodDescriptors().data();
-      auto offset = baseMethod - baseClassMethods;
+      auto baseClassMethods = baseClass->getMethodDescriptors();
+
+      // If the method descriptor doesn't land within the bounds of the
+      // method table, abort.
+      if (baseMethod < baseClassMethods.begin() ||
+          baseMethod >= baseClassMethods.end()) {
+        fatalError(0, "resilient vtable at %p contains out-of-bounds "
+                   "method descriptor %p\n",
+                   overrideTable, baseMethod);
+      }
 
       // Install the method override in our vtable.
       auto baseVTable = baseClass->getVTableDescriptor();
+      auto offset = baseMethod - baseClassMethods.data();
       classWords[baseVTable->getVTableOffset(baseClass) + offset]
         = descriptor.Impl.get();
     }
