[Reflection] Check that the offset is within the section.

Davide Italiano · Davide Italiano · commit 04606690b9e5 · 2019-05-07T10:23:16.000-07:00
&lt;rdar://problem/49043621&gt;
diff --git a/include/swift/Reflection/Records.h b/include/swift/Reflection/Records.h
@@ -85,10 +85,11 @@ class FieldRecord {
       (const char *)((uintptr_t)MangledTypeName.get() + Offset));
   }
 
-  StringRef getFieldName(uintptr_t Offset)  const {
-    if (FieldName)
-      return (const char *)((uintptr_t)FieldName.get() + Offset);
-    return "";
+  StringRef getFieldName(uintptr_t Offset, uintptr_t Low,
+                         uintptr_t High) const {
+    if (Offset < Low || Offset > High)
+      return "";
+    return (const char *)((uintptr_t)FieldName.get() + Offset);
   }
 
   bool isIndirectCase() const {
diff --git a/stdlib/public/Reflection/TypeRefBuilder.cpp b/stdlib/public/Reflection/TypeRefBuilder.cpp
@@ -194,7 +194,9 @@ bool TypeRefBuilder::getFieldTypeRefs(
                        - FD.second->TypeReference.SectionOffset;
     auto FieldOffset = FD.second->Field.SectionOffset
                      - FD.second->ReflectionString.SectionOffset;
-    auto FieldName = Field.getFieldName(FieldOffset);
+    auto Low = FD.second->ReflectionString.SectionOffset;
+    auto High = FD.second->ReflectionString.Metadata.size();
+    auto FieldName = Field.getFieldName(FieldOffset, Low, High);
 
     // Empty cases of enums do not have a type
     if (FD.first->isEnum() && !Field.hasMangledTypeName()) {
@@ -339,8 +341,10 @@ void TypeRefBuilder::dumpFieldSection(std::ostream &OS) {
         OS << '-';
       OS << '\n';
       for (auto &field : descriptor) {
-        OS << std::string(field.getFieldName(NameOffset).begin(),
-                          field.getFieldName(NameOffset).end());
+        auto Low = sections.ReflectionString.SectionOffset;
+        auto High = sections.ReflectionString.Metadata.size();
+        OS << std::string(field.getFieldName(NameOffset, Low, High).begin(),
+                          field.getFieldName(NameOffset, Low, High).end());
         if (field.hasMangledTypeName()) {
           OS << ": ";
           dumpTypeRef(field.getMangledTypeName(TypeRefOffset), OS);
diff --git a/stdlib/public/runtime/ReflectionMirror.mm b/stdlib/public/runtime/ReflectionMirror.mm
@@ -327,7 +327,8 @@ static bool _shouldReportMissingReflectionMetadataWarnings() {
   
   const FieldDescriptor &descriptor = *fields;
   auto &field = descriptor.getFields()[index];
-  auto name = field.getFieldName(0);
+  // Bounds are always valid as the offset is constant.
+  auto name = field.getFieldName(0, 0, 1);
 
   // Enum cases don't always have types.
   if (!field.hasMangledTypeName())

Original file line number	Diff line number	Diff line change
`@@ -85,10 +85,11 @@ class FieldRecord {`
`85`	`85`	`(const char *)((uintptr_t)MangledTypeName.get() + Offset));`
`86`	`86`	`}`
`87`	`87`
`88`		`- StringRef getFieldName(uintptr_t Offset) const {`
`89`		`- if (FieldName)`
`90`		`- return (const char *)((uintptr_t)FieldName.get() + Offset);`
`91`		`- return "";`
	`88`	`+ StringRef getFieldName(uintptr_t Offset, uintptr_t Low,`
	`89`	`+ uintptr_t High) const {`
	`90`	`+ if (Offset < Low \|\| Offset > High)`
	`91`	`+ return "";`
	`92`	`+ return (const char *)((uintptr_t)FieldName.get() + Offset);`
`92`	`93`	`}`
`93`	`94`
`94`	`95`	`bool isIndirectCase() const {`