Merge branch 'sverk/bin2term-bitstr-bugs/OTP-11479' into maint

* sverk/bin2term-bitstr-bugs/OTP-11479:
  erts: Fix bug in binary_to_term for binaries larger than 2^31
  erts: Fix bugs in binary_to_term for invalid bitstrings

2 files changed, 8 insertions, 6 deletions

diff --git a/erts/emulator/beam/erl_binary.h b/erts/emulator/beam/erl_binary.h
index f7dc20f5e6..819b19e566 100644
--- a/erts/emulator/beam/erl_binary.h
+++ b/erts/emulator/beam/erl_binary.h
@@ -225,7 +225,7 @@ erts_free_aligned_binary_bytes(byte* buf)
 ** These extra bytes where earlier (< R13B04) added by an alignment-bug
 ** in this code. Do we dare remove this in some major release (R14?) maybe?
 */
-#ifdef DEBUG
+#if defined(DEBUG) || defined(VALGRIND)
 #  define CHICKEN_PAD 0
 #else
 #  define CHICKEN_PAD (sizeof(void*) - 1)
diff --git a/erts/emulator/beam/external.c b/erts/emulator/beam/external.c
index 1c88765381..22b0a02937 100644
--- a/erts/emulator/beam/external.c
+++ b/erts/emulator/beam/external.c
@@ -2970,7 +2970,7 @@ dec_term_atom_common:
 		n = get_int32(ep);
 		ep += 4;
 	    
-		if (n <= ERL_ONHEAP_BIN_LIMIT) {
+		if ((unsigned)n <= ERL_ONHEAP_BIN_LIMIT) {
 		    ErlHeapBin* hb = (ErlHeapBin *) hp;
 
 		    hb->thing_word = header_heap_bin(n);
@@ -3007,8 +3007,10 @@ dec_term_atom_common:
 
 		n = get_int32(ep);
 		bitsize = ep[4];
-		ep += 5;
-		if (n <= ERL_ONHEAP_BIN_LIMIT) {
+                if (((bitsize==0) != (n==0)) || bitsize > 8)
+                    goto error;
+                ep += 5;
+		if ((unsigned)n <= ERL_ONHEAP_BIN_LIMIT) {
 		    ErlHeapBin* hb = (ErlHeapBin *) hp;
 
 		    hb->thing_word = header_heap_bin(n);
@@ -3035,10 +3037,10 @@ dec_term_atom_common:
 		    hp += PROC_BIN_SIZE;
 		}
 		ep += n;
-		if (bitsize == 0) {
+		if (bitsize == 8 || n == 0) {
 		    *objp = bin;
 		} else {
-		    sb = (ErlSubBin *) hp;
+                    sb = (ErlSubBin *)hp;
 		    sb->thing_word = HEADER_SUB_BIN;
 		    sb->orig = bin;
 		    sb->size = n - 1;