[03/10] libiberty: Fix a crash in d_print_comp_inner()

Message ID	CY4PR22MB010261BCFD6E872418E2846FE7850@CY4PR22MB0102.namprd22.prod.outlook.com
State	New
Headers	show Return-Path: <gcc-patches-return-493825-incoming=patchwork.ozlabs.org@gcc.gnu.org> DomainKey-Signature: a=rsa-sha1; c=nofws; d=gcc.gnu.org; h=list-id :list-unsubscribe:list-archive:list-post:list-help:sender:from :to:subject:date:message-id:content-type:mime-version; q=dns; s= default; b=FIEwWXX2cBrroq+nEy9FsB6QJ+3BCW4LRGB3FvAzGkNF74WnNa5gI YU2hLhxgTUw0XU9GDobZJnFgXXjhdiMXPODWyi1ZYtqczI8mkqi7hPSPpRt2vFX8 QcU6OF45di8mBmyobPQgWsTZNu8QX0a/oWc6xE0RcL3doFp1gu3+pM= Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk Sender: gcc-patches-owner@gcc.gnu.org From: Ben L <bobsayshilol@live.co.uk> To: "gcc-patches@gcc.gnu.org" <gcc-patches@gcc.gnu.org> Subject: [PATCH 03/10] libiberty: Fix a crash in d_print_comp_inner() Date: Fri, 11 Jan 2019 00:15:18 +0000 Message-ID: <CY4PR22MB010261BCFD6E872418E2846FE7850@CY4PR22MB0102.namprd22.prod.outlook.com> Content-Type: multipart/mixed; boundary="_002_CY4PR22MB010261BCFD6E872418E2846FE7850CY4PR22MB0102namp_" MIME-Version: 1.0
Series	[01/10] libiberty: Fix an out of bounds read in d_expression_1() \| expand [01/10] libiberty: Fix an out of bounds read in d_expression_1() [02/10] libiberty: Fix a crash in d_encoding() [03/10] libiberty: Fix a crash in d_print_comp_inner() [04/10] libiberty: Fix crash in ada_demangle() [05/10] libiberty: Fix stack underflow in dlang_parse_integer() [06/10] libiberty: Correctly handle error result in dlang_parse_arrayliteral() [07/10] libiberty: Correctly handle error result in dlang_parse_structlit() [08/10] libiberty: Correctly handle error result in dlang_parse_tuple() [09/10] libiberty: Correctly handle error result in dlang_parse_assocarray() [10/10] libiberty: Correct an invalid assumption

Message ID

CY4PR22MB010261BCFD6E872418E2846FE7850@CY4PR22MB0102.namprd22.prod.outlook.com

State

New

Headers

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gcc.gnu.org; h=list-id
	:list-unsubscribe:list-archive:list-post:list-help:sender:from
	:to:subject:date:message-id:content-type:mime-version; q=dns; s=
	default; b=FIEwWXX2cBrroq+nEy9FsB6QJ+3BCW4LRGB3FvAzGkNF74WnNa5gI
	YU2hLhxgTUw0XU9GDobZJnFgXXjhdiMXPODWyi1ZYtqczI8mkqi7hPSPpRt2vFX8
	QcU6OF45di8mBmyobPQgWsTZNu8QX0a/oWc6xE0RcL3doFp1gu3+pM=
Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
Sender: gcc-patches-owner@gcc.gnu.org
From: Ben L <bobsayshilol@live.co.uk>
To: "gcc-patches@gcc.gnu.org" <gcc-patches@gcc.gnu.org>
Subject: [PATCH 03/10] libiberty: Fix a crash in d_print_comp_inner()
Date: Fri, 11 Jan 2019 00:15:18 +0000
Message-ID: <CY4PR22MB010261BCFD6E872418E2846FE7850@CY4PR22MB0102.namprd22.prod.outlook.com>
Content-Type: multipart/mixed;
	boundary="_002_CY4PR22MB010261BCFD6E872418E2846FE7850CY4PR22MB0102namp_"
MIME-Version: 1.0

Series

[01/10] libiberty: Fix an out of bounds read in d_expression_1() | expand

Commit Message

Ben L Jan. 11, 2019, 12:15 a.m. UTC

Hi all,

First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
there's obvious errors repeated in my patches. AFAICT I should be sending each
change individually rather than as one bulk patch, so I'm sorry about the spam
too.

All of these changes were found by fuzzing libiberty's demanglers over the
past week, and I have at least one more that it's currently crashing out on
but I haven't had time to look into why yet.

Obviously since this is my first time emailing I don't have write access to
commit any of these, so if any are approved then I'd be grateful if you can
commit them too.

Thanks,
Ben

--

'typed_name' is checked before the loop, but not checked after every
iteration. This can cause a crash if the input buffer is malformed since
'typed_name' can be assigned NULL.

To fix this, break out of the loop if we see it's NULL and handle that case
afterwards.

     * cp-demangle (d_print_comp_inner): Guard against a NULL 'typed_name'.
     * testsuite/demangle-expected: Add testcase.

Comments

Jeff Law April 30, 2019, 2:22 p.m. UTC | #1

On 1/10/19 5:15 PM, Ben L wrote:
> Hi all,
> 
> First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
> there's obvious errors repeated in my patches. AFAICT I should be sending each
> change individually rather than as one bulk patch, so I'm sorry about the spam
> too.
> 
> All of these changes were found by fuzzing libiberty's demanglers over the
> past week, and I have at least one more that it's currently crashing out on
> but I haven't had time to look into why yet.
> 
> Obviously since this is my first time emailing I don't have write access to
> commit any of these, so if any are approved then I'd be grateful if you can
> commit them too.
> 
> Thanks,
> Ben
> 
> --
> 
> 'typed_name' is checked before the loop, but not checked after every
> iteration. This can cause a crash if the input buffer is malformed since
> 'typed_name' can be assigned NULL.
> 
> To fix this, break out of the loop if we see it's NULL and handle that case
> afterwards.
> 
>      * cp-demangle (d_print_comp_inner): Guard against a NULL 'typed_name'.
>      * testsuite/demangle-expected: Add testcase.
> 
THanks.  I've installed this on the trunk.

jeff

From 3b36d9788fb9fe08ed9c83a57fb18bbfdc903543 Mon Sep 17 00:00:00 2001
From: bobsayshilol <bobsayshilol@live.co.uk>
Date: Wed, 9 Jan 2019 22:13:26 +0000
Subject: [PATCH 03/10] libiberty: Fix a crash in d_print_comp_inner().

'typed_name' is checked before the loop, but not checked after every
iteration. This can cause a crash if the input buffer is malformed since
'typed_name' can be assigned NULL.

To fix this, break out of the loop if we see it's NULL and handle that case
afterwards.

    * cp-demangle (d_print_comp_inner): Guard against a NULL 'typed_name'.
    * testsuite/demangle-expected: Add testcase.

diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
index 02b5f9e..8ab0cd5 100644
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -4757,12 +4757,8 @@  d_print_comp_inner (struct d_print_info *dpi, int options,
 	    typed_name = d_right (typed_name);
 	    if (typed_name->type == DEMANGLE_COMPONENT_DEFAULT_ARG)
 	      typed_name = typed_name->u.s_unary_num.sub;
-	    if (typed_name == NULL)
-	      {
-		d_print_error (dpi);
-		return;
-	      }
-	    while (is_fnqual_component_type (typed_name->type))
+	    while (typed_name != NULL
+		   && is_fnqual_component_type (typed_name->type))
 	      {
 		if (i >= sizeof adpm / sizeof adpm[0])
 		  {
@@ -4781,6 +4777,11 @@  d_print_comp_inner (struct d_print_info *dpi, int options,
 
 		typed_name = d_left (typed_name);
 	      }
+	    if (typed_name == NULL)
+	      {
+		d_print_error (dpi);
+		return;
+	      }
 	  }
 
 	/* If typed_name is a template, then it applies to the
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
index eb5264d..f21ed00 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -77,6 +77,10 @@  _ZmmAtl
 _ZZaSFvOEES_
 _ZZaSFvOEES_
 _ZZaSFvOEES_
+# Could crash
+
+_ZZeqFvOEES_z
+_ZZeqFvOEES_z
 #
 # demangler/80513 Test for bogus characters after __thunk_
 
-- 
2.20.1

[03/10] libiberty: Fix a crash in d_print_comp_inner()

Commit Message

Comments

Patch