Fix ILVerify IndexOutOfRangeException for malformed exception handling clause bounds

src/coreclr/tools/Common/TypeSystem/IL/ILImporter.cs

@@ -276,9 +276,32 @@ private void FindEHTargets()
             {
                 var r = _exceptionRegions[i];
 
+                bool hasOutOfRangeBounds =
+                    (uint)r.ILRegion.TryOffset >= (uint)_basicBlocks.Length ||
+                    (uint)r.ILRegion.TryLength > (uint)_basicBlocks.Length - (uint)r.ILRegion.TryOffset;
+
+                if (r.ILRegion.Kind == ILExceptionRegionKind.Filter)
+                {
+                    hasOutOfRangeBounds |=
+                        (uint)r.ILRegion.FilterOffset >= (uint)_basicBlocks.Length ||
+                        (uint)r.ILRegion.FilterOffset >= (uint)r.ILRegion.HandlerOffset;
+                }
+
+                hasOutOfRangeBounds |=
+                    (uint)r.ILRegion.HandlerOffset >= (uint)_basicBlocks.Length ||
+                    (uint)r.ILRegion.HandlerLength > (uint)_basicBlocks.Length - (uint)r.ILRegion.HandlerOffset;
+
+                if (hasOutOfRangeBounds)
+                {
+                    ReportInvalidExceptionRegion();
+                    continue;
+                }
+
                 CreateBasicBlock(r.ILRegion.TryOffset).TryStart = true;
                 if (r.ILRegion.Kind == ILExceptionRegionKind.Filter)
+                {
                     CreateBasicBlock(r.ILRegion.FilterOffset).FilterStart = true;
+                }
                 CreateBasicBlock(r.ILRegion.HandlerOffset).HandlerStart = true;
             }
         }

src/coreclr/tools/ILVerification.Tests/ILTests/ExceptionRegionTests.il

@@ -764,4 +764,66 @@
         throw
         ret
     }
+
+    .method public hidebysig instance void TryOffset.ExceedsCodeSize_Invalid_EHClauseOutOfRange() cil managed
+    {
+        .maxstack 1
+
+        ret
+        // Try region starts at offset 1000 which is beyond code size (code size is 1)
+        .try 1000 to 1001 catch [System.Runtime]System.Exception handler 0 to 1
+    }
+
+    .method public hidebysig instance void HandlerOffset.ExceedsCodeSize_Invalid_EHClauseOutOfRange() cil managed
+    {
+        .maxstack 1
+
+        ret
+        // Handler region starts at offset 1000 which is beyond code size (code size is 1)
+        .try 0 to 1 catch [System.Runtime]System.Exception handler 1000 to 1001
+    }
+
+    .method public hidebysig instance void FilterOffset.ExceedsCodeSize_Invalid_EHClauseOutOfRange() cil managed
+    {
+        .maxstack 1
+
+        ldc.i4.0
+        endfilter
+        leave.s IL_0004
+        IL_0004: ret
+        // Filter region starts at offset 1000 which is beyond code size (code size is 5)
+        .try 0 to 2 filter 1000 handler 2 to 4
+    }
+
+    .method public hidebysig instance void TryEndOffset.ExceedsCodeSize_Invalid_EHClauseOutOfRange() cil managed
+    {
+        .maxstack 1
+
+        nop
+        ret
+        // Try region ends at offset 1000 which is beyond code size (code size is 2)
+        .try 0 to 1000 catch [System.Runtime]System.Exception handler 1 to 2
+    }
+
+    .method public hidebysig instance void HandlerEndOffset.ExceedsCodeSize_Invalid_EHClauseOutOfRange() cil managed
+    {
+        .maxstack 1
+
+        nop
+        ret
+        // Handler region ends at offset 1000 which is beyond code size (code size is 2)
+        .try 0 to 1 catch [System.Runtime]System.Exception handler 1 to 1000
+    }
+
+    .method public hidebysig instance void FilterOffset.NotBeforeHandlerOffset_Invalid_EHClauseOutOfRange() cil managed
+    {
+        .maxstack 1
+
+        ldc.i4.0
+        endfilter
+        leave.s IL_0004
+        IL_0004: ret
+        // Filter region starts at the same offset as handler region.
+        .try 0 to 2 filter 2 handler 2 to 4
+    }
 }

src/coreclr/tools/ILVerification.Tests/ILTests/ExceptionRegionTests.ilproj

@@ -1,6 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.IL">
   <PropertyGroup>
     <AssemblyName>$(MSBuildProjectName)</AssemblyName>
+    <IlasmFlags>$(IlasmFlags) -ERR</IlasmFlags>
   </PropertyGroup>
 
   <ItemGroup>

src/coreclr/tools/ILVerification/ILImporter.Verify.cs

@@ -209,6 +209,9 @@ public ILImporter(MethodDesc method, MethodIL methodIL)
 
         public void Verify()
         {
+            // Check code size before any other processing
+            FatalCheck(_ilBytes.Length > 0, VerifierError.CodeSizeZero);
+
             _instructionBoundaries = new bool[_ilBytes.Length];
 
             FindBasicBlocks();
@@ -286,8 +289,6 @@ private void FindEnclosingExceptionRegions()
         /// </summary>
         private void InitialPass()
         {
-            FatalCheck(_ilBytes.Length > 0, VerifierError.CodeSizeZero);
-
             _modifiesThisPtr = false;
             _validTargetOffsets = new bool[_ilBytes.Length];
 
@@ -2823,6 +2824,12 @@ void ReportInvalidInstruction(ILOpcode opcode)
             VerificationError(VerifierError.UnknownOpcode);
         }
 
+        void ReportInvalidExceptionRegion()
+        {
+            VerificationError(VerifierError.EHClauseOutOfRange);
+            AbortMethodVerification();
+        }
+
         //
         // Deprecated
         //

src/coreclr/tools/ILVerification/Strings.resx

@@ -297,6 +297,9 @@
   <data name="MethodFallthrough" xml:space="preserve">
     <value>Fall through end of the method without returning.</value>
   </data>
+  <data name="EHClauseOutOfRange" xml:space="preserve">
+    <value>Exception handling clause bounds outside code size.</value>
+  </data>
   <data name="NewobjAbstractClass" xml:space="preserve">
     <value>Cannot construct an instance of abstract class.</value>
   </data>

src/coreclr/tools/ILVerification/VerifierError.cs

@@ -32,9 +32,7 @@ public enum VerifierError
 
         MethodFallthrough,              // Fall through end of the method without returning.
         //E_TRY_GTEQ_END                "try start >= try end."
-        //E_TRYEND_GT_CS                "try end > code size."
         //E_HND_GTEQ_END                "handler start >= handler end."
-        //E_HNDEND_GT_CS                "handler end > code size."
         //E_TRY_START                   "Try starts in the middle of an instruction."
         //E_HND_START                   "Handler starts in the middle of an instruction."
         //E_TRY_OVERLAP                 "Try block overlap with another block."
@@ -44,7 +42,7 @@ public enum VerifierError
         //E_FIL_CONT_TRY                "Filter contains try."
         //E_FIL_CONT_HND                "Filter contains handler."
         //E_FIL_CONT_FIL                "Nested filters."
-        //E_FIL_GTEQ_CS                 "filter >= code size."
+        EHClauseOutOfRange,             // Exception handling clause bounds outside code size.
         FallthroughException,           // Fallthrough the end of an exception block.
         FallthroughIntoHandler,         // Fallthrough into an exception handler.
         FallthroughIntoFilter,          // Fallthrough into an exception filter.

src/coreclr/tools/aot/ILCompiler.Compiler/IL/ILImporter.Scanner.cs

@@ -1623,6 +1623,11 @@ private static void ReportInvalidInstruction(ILOpcode opcode)
             ThrowHelper.ThrowInvalidProgramException();
         }
 
+        private static void ReportInvalidExceptionRegion()
+        {
+            ThrowHelper.ThrowInvalidProgramException();
+        }
+
         private static bool IsTypeGetTypeFromHandle(MethodDesc method)
         {
             if (method.IsIntrinsic && method.Name.SequenceEqual("GetTypeFromHandle"u8))