ART: Add method verifier check for call site id

(cherry picked from 3a842f5adcbdeb3fd3db4206006a784ccabfc865)

Bug: 37248626
Test: dex2oat on bug data
Change-Id: I11fbf3b9402406ed0031f47a90a8ab38360a52bb

diff --git a/runtime/verifier/method_verifier.cc b/runtime/verifier/method_verifier.cc
index e09f95c..e1c6af4 100644 (file)
--- a/runtime/verifier/method_verifier.cc
+++ b/runtime/verifier/method_verifier.cc
@@ -4137,6 +4137,12 @@ void MethodVerifier::VerifyInvocationArgsUnresolvedMethod(const Instruction* ins
 }
 
 bool MethodVerifier::CheckCallSite(uint32_t call_site_idx) {
+  if (call_site_idx >= dex_file_->NumCallSiteIds()) {
+    Fail(VERIFY_ERROR_BAD_CLASS_HARD) << "Bad call site id #" << call_site_idx
+                                      << " >= " << dex_file_->NumCallSiteIds();
+    return false;
+  }
+
   CallSiteArrayValueIterator it(*dex_file_, dex_file_->GetCallSiteId(call_site_idx));
   // Check essential arguments are provided. The dex file verifier has verified indicies of the
   // main values (method handle, name, method_type).
@@ -4147,9 +4153,11 @@ bool MethodVerifier::CheckCallSite(uint32_t call_site_idx) {
     return false;
   }
 
-  // Get and check the first argument: the method handle.
+  // Get and check the first argument: the method handle (index range
+  // checked by the dex file verifier).
   uint32_t method_handle_idx = static_cast<uint32_t>(it.GetJavaValue().i);
   it.Next();
+
   const DexFile::MethodHandleItem& mh = dex_file_->GetMethodHandle(method_handle_idx);
   if (mh.method_handle_type_ != static_cast<uint16_t>(DexFile::MethodHandleType::kInvokeStatic)) {
     Fail(VERIFY_ERROR_BAD_CLASS_HARD) << "Call site #" << call_site_idx