[Bitstream] Reject implausibly large reservations

If we're trying to reserve more memory than bits in the stream,
reject this early to avoid OOM.

Author: nikic

llvm/include/llvm/Bitstream/BitstreamReader.h

@@ -299,6 +299,13 @@ class SimpleBitstreamCursor {
 
   /// Skip to the end of the file.
   void skipToEnd() { NextChar = BitcodeBytes.size(); }
+
+  /// Check whether a reservation of Size elements is plausible.
+  bool isSizePlausible(size_t Size) const {
+    // Don't allow reserving more elements than the number of bits, assuming
+    // at least one bit is needed to encode an element.
+    return Size < BitcodeBytes.size() * 8;
+  }
 };
 
 /// When advancing through a bitstream cursor, each advance can discover a few

llvm/lib/Bitstream/Reader/BitstreamReader.cpp

@@ -222,6 +222,8 @@ Expected<unsigned> BitstreamCursor::readRecord(unsigned AbbrevID,
     if (!MaybeNumElts)
       return MaybeNumElts.takeError();
     uint32_t NumElts = MaybeNumElts.get();
+    if (!isSizePlausible(NumElts))
+      return error("Size is not plausible");
     Vals.reserve(Vals.size() + NumElts);
 
     for (unsigned i = 0; i != NumElts; ++i)
@@ -275,6 +277,8 @@ Expected<unsigned> BitstreamCursor::readRecord(unsigned AbbrevID,
       if (!MaybeNumElts)
         return MaybeNumElts.takeError();
       uint32_t NumElts = MaybeNumElts.get();
+      if (!isSizePlausible(NumElts))
+        return error("Size is not plausible");
       Vals.reserve(Vals.size() + NumElts);
 
       // Get the element encoding.

llvm/test/Bitcode/Inputs/size-not-plausible.bc

@@ -251,3 +251,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev-number.bc 2>&1 | \
 RUN:   FileCheck --check-prefix=INVALID-ABBREV-NUMBER %s
 
 INVALID-ABBREV-NUMBER: Invalid abbrev number
+
+RUN: not llvm-dis -disable-output %p/Inputs/size-not-plausible.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=SIZE-NOT-PLAUSIBLE %s
+
+SIZE-NOT-PLAUSIBLE: Size is not plausible