Add bounds checking to solve_phi_insertion

jserv · jserv · commit 2bc47d30cf4d · 2025-08-13T16:30:46.000+08:00
Prevent buffer overflow in phi node insertion algorithm by adding
bounds checks to the fixed-size work_list array (64 elements).
diff --git a/src/ssa.c b/src/ssa.c
@@ -607,8 +607,11 @@ void solve_phi_insertion(void)
             int work_list_idx = 0;
 
             for (ref_block_t *ref = var->ref_block_list.head; ref;
-                 ref = ref->next)
+                 ref = ref->next) {
+                if (work_list_idx >= 64) /* Prevent buffer overflow */
+                    break;
                 work_list[work_list_idx++] = ref->bb;
+            }
 
             for (int i = 0; i < work_list_idx; i++) {
                 basic_block_t *bb = work_list[i];
@@ -653,7 +656,7 @@ void solve_phi_insertion(void)
                                 break;
                             }
                         }
-                        if (!found)
+                        if (!found && work_list_idx < 64) /* Bounds check */
                             work_list[work_list_idx++] = df;
                     }
                 }

Original file line number	Diff line number	Diff line change
`@@ -607,8 +607,11 @@ void solve_phi_insertion(void)`
`607`	`607`	`int work_list_idx = 0;`
`608`	`608`
`609`	`609`	`for (ref_block_t *ref = var->ref_block_list.head; ref;`
`610`		`- ref = ref->next)`
	`610`	`+ ref = ref->next) {`
	`611`	`+ if (work_list_idx >= 64) /* Prevent buffer overflow */`
	`612`	`+ break;`
`611`	`613`	`work_list[work_list_idx++] = ref->bb;`
	`614`	`+ }`
`612`	`615`
`613`	`616`	`for (int i = 0; i < work_list_idx; i++) {`
`614`	`617`	`basic_block_t *bb = work_list[i];`
`@@ -653,7 +656,7 @@ void solve_phi_insertion(void)`
`653`	`656`	`break;`
`654`	`657`	`}`
`655`	`658`	`}`
`656`		`- if (!found)`
	`659`	`+ if (!found && work_list_idx < 64) /* Bounds check */`
`657`	`660`	`work_list[work_list_idx++] = df;`
`658`	`661`	`}`
`659`	`662`	`}`