From aa84b935f411419a72eccd70d2e7b5a539c57352 Mon Sep 17 00:00:00 2001
From: Mike Ash
Date: Fri, 9 Dec 2022 14:08:54 -0500
Subject: [PATCH] [Reflection] Bounds-check vector creation in createBoundGenericTypeReconstructingParent.

If argsIndex or numGenericsArgs were out of bounds, we'd end up reading off the beginning or end of the args ArrayRef, resulting in memory allocation failures, segfaults, or reading garbage data. Check that we're reading within the bounds of the array, and fail gracefully if not.

rdar://103142856
---
 include/swift/Reflection/TypeRefBuilder.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/include/swift/Reflection/TypeRefBuilder.h b/include/swift/Reflection/TypeRefBuilder.h
index daf75a68b3e89..b0458c6896cf0 100644
--- a/include/swift/Reflection/TypeRefBuilder.h
+++ b/include/swift/Reflection/TypeRefBuilder.h
@@ -571,8 +571,13 @@ class TypeRefBuilder {
     auto numGenericArgs = genericParamsPerLevel[shapeIndex];
+    auto startOffsetFromEnd = argsIndex + numGenericArgs;
+    auto endOffsetFromEnd = argsIndex;
+    if (startOffsetFromEnd > args.size() || endOffsetFromEnd > args.size())
+      return nullptr;
+
     std::vector genericParams(
-        args.end() - argsIndex - numGenericArgs, args.end() - argsIndex);
+        args.end() - startOffsetFromEnd, args.end() - endOffsetFromEnd);
     const BoundGenericTypeRef *parent = nullptr;
     if (node->hasChildren()) {
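Review bot: The new check adds `argsIndex + numGenericArgs` before comparing with `args.size()`, so if those operands are unsigned (their declared types are outside the hunk) a large `numGenericArgs` can wrap the sum below `argsIndex`, both comparisons then pass, and the vector is built from `args.end() - startOffsetFromEnd` to `args.end() - endOffsetFromEnd` with begin past end. Testing each operand on its own avoids the overflow: `if (numGenericArgs > args.size() || argsIndex > args.size() - numGenericArgs) return nullptr;`, and it also makes the separate `endOffsetFromEnd > args.size()` comparison unnecessary, since `endOffsetFromEnd <= startOffsetFromEnd` once wrap-around is excluded. If the operands are signed instead, a negative value converts to a huge unsigned in the comparison and is rejected either way, but an explicit `< 0` test would make that intent visible. A one-line comment above the check, `// Offsets count back from args.end(); reject any range that would begin before args.begin()`, would explain why the comparison is against `size()` rather than an index. The enclosing `createBoundGenericTypeReconstructingParent` body starts and ends outside the hunk.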