Skip to content

Fix IndexOutOfRangeException in ILVerify for invalid exception handler offsets #122056

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
Copilot wants to merge 4 commits into
base: main
Choose a base branch
from
+101 −8
Draft

Fix IndexOutOfRangeException in ILVerify for invalid exception handler offsets #122056

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ad6fd4f
Fix IndexOutOfRangeException in ILVerify for invalid exception handle…
Copilot Nov 29, 2025
21827c9
Merge branch 'main' into copilot/fix-ilverify-index-out-of-range
jkotas Dec 31, 2025
f8a710b
Merge branch 'main' into copilot/fix-ilverify-index-out-of-range
jkotas Jan 17, 2026
1d9303d
Merge branch 'main' into copilot/fix-ilverify-index-out-of-range
jkotas Jan 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 33 additions & 3 deletions src/coreclr/tools/Common/TypeSystem/IL/ILImporter.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -276,10 +276,40 @@ private void FindEHTargets()
{
var r = _exceptionRegions[i];

CreateBasicBlock(r.ILRegion.TryOffset).TryStart = true;
// Check try region bounds (avoiding integer overflow)
if ((uint)r.ILRegion.TryOffset >= (uint)_basicBlocks.Length ||
(uint)r.ILRegion.TryLength > (uint)_basicBlocks.Length - (uint)r.ILRegion.TryOffset)
{
ReportInvalidExceptionRegion();
}
else
{
CreateBasicBlock(r.ILRegion.TryOffset).TryStart = true;
}

// Check filter region bounds (for filter exception handlers)
if (r.ILRegion.Kind == ILExceptionRegionKind.Filter)
CreateBasicBlock(r.ILRegion.FilterOffset).FilterStart = true;
CreateBasicBlock(r.ILRegion.HandlerOffset).HandlerStart = true;
{
if ((uint)r.ILRegion.FilterOffset >= (uint)_basicBlocks.Length)
{
ReportInvalidExceptionRegion();
}
else
{
CreateBasicBlock(r.ILRegion.FilterOffset).FilterStart = true;
}
}

// Check handler region bounds (avoiding integer overflow)
if ((uint)r.ILRegion.HandlerOffset >= (uint)_basicBlocks.Length ||
(uint)r.ILRegion.HandlerLength > (uint)_basicBlocks.Length - (uint)r.ILRegion.HandlerOffset)
{
ReportInvalidExceptionRegion();
}
else
{
CreateBasicBlock(r.ILRegion.HandlerOffset).HandlerStart = true;
}
}
}

Expand Down
50 changes: 50 additions & 0 deletions src/coreclr/tools/ILVerification.Tests/ILTests/ExceptionRegionTests.il
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -764,4 +764,54 @@
throw
ret
}

.method public hidebysig instance void TryOffset.ExceedsCodeSize_Invalid_EHClauseOutOfRange() cil managed
{
.maxstack 1

ret
// Try region starts at offset 1000 which is beyond code size (code size is 1)
.try 1000 to 1001 catch [System.Runtime]System.Exception handler 0 to 1
}

.method public hidebysig instance void HandlerOffset.ExceedsCodeSize_Invalid_EHClauseOutOfRange() cil managed
{
.maxstack 1

ret
// Handler region starts at offset 1000 which is beyond code size (code size is 1)
.try 0 to 1 catch [System.Runtime]System.Exception handler 1000 to 1001
}

.method public hidebysig instance void FilterOffset.ExceedsCodeSize_Invalid_EHClauseOutOfRange() cil managed
{
.maxstack 1

ldc.i4.0
endfilter
leave.s IL_0004
IL_0004: ret
// Filter region starts at offset 1000 which is beyond code size (code size is 5)
.try 0 to 2 filter 1000 handler 2 to 4
}

.method public hidebysig instance void TryEndOffset.ExceedsCodeSize_Invalid_EHClauseOutOfRange() cil managed
{
.maxstack 1

nop
ret
// Try region ends at offset 1000 which is beyond code size (code size is 2)
.try 0 to 1000 catch [System.Runtime]System.Exception handler 1 to 2
}

.method public hidebysig instance void HandlerEndOffset.ExceedsCodeSize_Invalid_EHClauseOutOfRange() cil managed
{
.maxstack 1

nop
ret
// Handler region ends at offset 1000 which is beyond code size (code size is 2)
.try 0 to 1 catch [System.Runtime]System.Exception handler 1 to 1000
}
}
1 change: 1 addition & 0 deletions src/coreclr/tools/ILVerification.Tests/ILTests/ExceptionRegionTests.ilproj
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<Project Sdk="Microsoft.NET.Sdk.IL">
<PropertyGroup>
<AssemblyName>$(MSBuildProjectName)</AssemblyName>
<IlasmFlags>$(IlasmFlags) -ERR</IlasmFlags>
</PropertyGroup>

<ItemGroup>
Expand Down
10 changes: 8 additions & 2 deletions src/coreclr/tools/ILVerification/ILImporter.Verify.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -209,6 +209,9 @@ public ILImporter(MethodDesc method, MethodIL methodIL)

public void Verify()
{
// Check code size before any other processing
FatalCheck(_ilBytes.Length > 0, VerifierError.CodeSizeZero);

_instructionBoundaries = new bool[_ilBytes.Length];

FindBasicBlocks();
Expand Down Expand Up @@ -286,8 +289,6 @@ private void FindEnclosingExceptionRegions()
/// </summary>
private void InitialPass()
{
FatalCheck(_ilBytes.Length > 0, VerifierError.CodeSizeZero);

_modifiesThisPtr = false;
_validTargetOffsets = new bool[_ilBytes.Length];

Expand Down Expand Up @@ -2823,6 +2824,11 @@ void ReportInvalidInstruction(ILOpcode opcode)
VerificationError(VerifierError.UnknownOpcode);
}

void ReportInvalidExceptionRegion()
{
VerificationError(VerifierError.EHClauseOutOfRange);
}

//
// Deprecated
//
Expand Down
3 changes: 3 additions & 0 deletions src/coreclr/tools/ILVerification/Strings.resx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -297,6 +297,9 @@
<data name="MethodFallthrough" xml:space="preserve">
<value>Fall through end of the method without returning.</value>
</data>
<data name="EHClauseOutOfRange" xml:space="preserve">
<value>Exception handling clause bounds outside code size.</value>
</data>
<data name="NewobjAbstractClass" xml:space="preserve">
<value>Cannot construct an instance of abstract class.</value>
</data>
Expand Down
4 changes: 1 addition & 3 deletions src/coreclr/tools/ILVerification/VerifierError.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,9 +32,7 @@ public enum VerifierError

MethodFallthrough, // Fall through end of the method without returning.
//E_TRY_GTEQ_END "try start >= try end."
//E_TRYEND_GT_CS "try end > code size."
//E_HND_GTEQ_END "handler start >= handler end."
//E_HNDEND_GT_CS "handler end > code size."
//E_TRY_START "Try starts in the middle of an instruction."
//E_HND_START "Handler starts in the middle of an instruction."
//E_TRY_OVERLAP "Try block overlap with another block."
Expand All @@ -44,7 +42,7 @@ public enum VerifierError
//E_FIL_CONT_TRY "Filter contains try."
//E_FIL_CONT_HND "Filter contains handler."
//E_FIL_CONT_FIL "Nested filters."
//E_FIL_GTEQ_CS "filter >= code size."
EHClauseOutOfRange, // Exception handling clause bounds outside code size.
FallthroughException, // Fallthrough the end of an exception block.
FallthroughIntoHandler, // Fallthrough into an exception handler.
FallthroughIntoFilter, // Fallthrough into an exception filter.
Expand Down
5 changes: 5 additions & 0 deletions src/coreclr/tools/aot/ILCompiler.Compiler/IL/ILImporter.Scanner.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1611,6 +1611,11 @@ private static void ReportInvalidInstruction(ILOpcode opcode)
ThrowHelper.ThrowInvalidProgramException();
}

private static void ReportInvalidExceptionRegion()
{
ThrowHelper.ThrowInvalidProgramException();
}

private static bool IsTypeGetTypeFromHandle(MethodDesc method)
{
if (method.IsIntrinsic && method.Name.SequenceEqual("GetTypeFromHandle"u8))
Expand Down
Loading