Issue 182757
Summary Null pointer dereference in AArch64AsmParser::tryParseAdjImm0_63 via unchecked dyn_cast
Labels backend:AArch64, crash-on-invalid
Assignees
Reporter yijan4845
Compiler explorer: [https://godbolt.org/z/9o6sqo8rW](https://godbolt.org/z/9o6sqo8rW)

## Vulnerable code location(s)

`llvm/lib/Target/AArch64/AsmParser/AArch64AsmParser.cpp`, [line 8937](https://github.com/llvm/llvm-project/blob/d3081aafc47eccba242ffc3cc43ecfcb545a51bb/llvm/lib/Target/AArch64/AsmParser/AArch64AsmParser.cpp#L8937)

## Vulnerable code analysis

`tryParseAdjImm0_63` checks that the current token is `AsmToken::Integer`, then calls `parseExpression(Ex)`. The result is cast via `dyn_cast<MCConstantExpr>(Ex)->getValue()` without a null check.

Although the first token is an integer, `parseExpression` can consume additional tokens and return a non-`MCConstantExpr`. For example, input `1f` is parsed as a forward directional label reference (`MCSymbolRefExpr`), and `1 + sym` produces an `MCBinaryExpr`. In either case, `dyn_cast` returns `nullptr`, which is immediately dereferenced.

```cpp
int64_t Imm = dyn_cast<MCConstantExpr>(Ex)->getValue(); // nullptr dereference
```

The PoC uses the `cbge` instruction (which invokes `tryParseAdjImm0_63`) with the operand `1f`, so `parseExpression` returns an `MCSymbolRefExpr`, the `dyn_cast` yields `nullptr`, and the dereference crashes the assembler.
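An added, self-contained C++ model of the failure mode and of the check that prevents it (not LLVM's code): a stand-in expression hierarchy with a `dyn_cast`-style query, a constructed `parseExpression` that turns `1f` into a symbol reference, and a hardened `tryParseAdjImm0_63` that reports a parse failure for non-constant expressions instead of dereferencing `nullptr`. The 1..64 to 0..63 adjustment is an assumption about the operand's meaning, not something the report states.

```cpp
#include <cctype>
#include <cstdint>
#include <memory>
#include <string>

// Stand-in for the MCExpr hierarchy: an LLVM-style kind tag drives the cast.
struct MCExpr {
  enum Kind { Constant, SymbolRef };
  explicit MCExpr(Kind K) : K(K) {}
  virtual ~MCExpr() = default;
  Kind K;
};
struct MCConstantExpr : MCExpr {
  explicit MCConstantExpr(int64_t V) : MCExpr(Constant), Value(V) {}
  int64_t getValue() const { return Value; }
  int64_t Value;
};
struct MCSymbolRefExpr : MCExpr {
  MCSymbolRefExpr() : MCExpr(SymbolRef) {}
};

// Behaves like dyn_cast<MCConstantExpr>: nullptr when the dynamic type differs.
const MCConstantExpr *dynCastConstant(const MCExpr *E) {
  return (E && E->K == MCExpr::Constant) ? static_cast<const MCConstantExpr *>(E) : nullptr;
}

// Constructed stand-in for parseExpression. A bare integer yields a constant;
// "<digits>f" or "<digits>b" is a directional label reference, the case from the
// report where the first token is an integer but the expression is not constant.
std::unique_ptr<MCExpr> parseExpression(const std::string &Tok) {
  size_t Digits = 0;
  while (Digits < Tok.size() && std::isdigit(static_cast<unsigned char>(Tok[Digits]))) ++Digits;
  if (Digits > 0 && Digits == Tok.size())
    return std::make_unique<MCConstantExpr>(std::stoll(Tok));
  return std::make_unique<MCSymbolRefExpr>();
}

// Hardened version: test the cast result before using it, so a symbol reference
// becomes a parse failure rather than a null dereference. Assumed semantics:
// the operand accepts 1..64 and is encoded adjusted as 0..63.
bool tryParseAdjImm0_63(const std::string &Tok, int64_t &Out) {
  std::unique_ptr<MCExpr> Ex = parseExpression(Tok);
  const MCConstantExpr *MCE = dynCastConstant(Ex.get());
  if (!MCE) return false; // original: dyn_cast<MCConstantExpr>(Ex)->getValue() crashes here
  int64_t Imm = MCE->getValue();
  if (Imm < 1 || Imm > 64) return false;
  Out = Imm - 1;
  return true;
}
```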

## PoC

```asm
cbge w0, 1f, .target
```
_______________________________________________
llvm-bugs mailing list
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs