Message ID | CY4PR22MB0102DFA97742757F1FCA2407E7850@CY4PR22MB0102.namprd22.prod.outlook.com
---|---
State | New
Series | [01/10] libiberty: Fix an out of bounds read in d_expression_1()
On 1/10/19 5:17 PM, Ben L wrote:
> Hi all,
>
> First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
> there are obvious errors repeated in my patches. AFAICT I should be sending each
> change individually rather than as one bulk patch, so I'm sorry about the spam
> too.
>
> All of these changes were found by fuzzing libiberty's demanglers over the
> past week, and I have at least one more that it's currently crashing out on
> but I haven't had time to look into why yet.
>
> Obviously since this is my first time emailing I don't have write access to
> commit any of these, so if any are approved then I'd be grateful if you can
> commit them too.
>
> Thanks,
> Ben
>
> --
>
> A char array of size 10 was created on the stack to hold the decimal
> representation of a long, which on my platform is 64 bits and hence has a
> maximum value of 9223372036854775807, far exceeding 10 characters.
>
> Fix this by bumping the size of the array to 20 characters.
>
> * d-demangle.c (dlang_parse_integer): Fix stack underflow.
> * testsuite/d-demangle-expected: Add testcase.

Thanks. I've installed this on the trunk.

jeff
From 56a6202c87543dbf0a15d99e4dcb01507bf70f57 Mon Sep 17 00:00:00 2001 From: bobsayshilol <bobsayshilol@live.co.uk> Date: Wed, 9 Jan 2019 22:24:19 +0000 Subject: [PATCH 05/10] libiberty: Fix stack underflow in dlang_parse_integer(). A char array of size 10 was created on the stack to hold the decimal representation of a long, which on my platform is 64 bits and hence has a maximum value of 9223372036854775807, far exceeding 10 characters. Fix this by bumping the size of the array to 20 characters. * d-demangle.c (dlang_parse_integer): Fix stack underflow. * testsuite/d-demangle-expected: Add testcase. diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c index 8acbf04..114d9e0 100644 --- a/libiberty/d-demangle.c +++ b/libiberty/d-demangle.c @@ -939,8 +939,8 @@ dlang_parse_integer (string *decl, const char *mangled, char type) if (type == 'a' || type == 'u' || type == 'w') { /* Parse character value. */ - char value[10]; - int pos = 10; + char value[20]; + int pos = sizeof(value); int width = 0; long val; @@ -991,7 +991,7 @@ dlang_parse_integer (string *decl, const char *mangled, char type) for (; width > 0; width--) value[--pos] = '0'; - string_appendn (decl, &(value[pos]), 10 - pos); + string_appendn (decl, &(value[pos]), sizeof(value) - pos); } string_append (decl, "'"); } diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected index 547a2dd..9988238 100644 --- a/libiberty/testsuite/d-demangle-expected +++ b/libiberty/testsuite/d-demangle-expected @@ -1306,3 +1306,7 @@ rt.lifetime._d_newarrayOpT!(_d_newarrayiT)._d_newarrayOpT(const(TypeInfo), ulong --format=dlang _D4core8demangle16__T6mangleTFZPvZ6mangleFNaNbNfAxaAaZ11DotSplitter5emptyMxFNaNbNdNiNfZb core.demangle.mangle!(void*() function).mangle(const(char)[], char[]).DotSplitter.empty() const +# Could crash +--format=dlang +_D8__T2fnVa8888888888888_ +_D8__T2fnVa8888888888888_ -- 2.20.1
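Review bot: in the first d-demangle.c hunk the new size in `char value[20];` is a bare magic number with nothing tying it to the width of `long`; derive it from the type (a `sizeof (long)`-based expression or a named constant) and state in a comment the maximum digit count it covers, so a later change to `val`'s type cannot silently reintroduce the bug. Initialising `pos` from `sizeof(value)` is the right move; going one step further and checking that `pos` is still greater than 0 before each `value[--pos] = ...` (or adding an assert) would turn any future miscount into a failed demangle instead of a write below the array. The subject line calls this a stack underflow; since the out-of-range access is the store `value[--pos] = '0'`, the commit message should say out-of-bounds write so that anyone triaging the fix later sees the severity correctly.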
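Review bot: in the second d-demangle.c hunk `sizeof(value) - pos` mixes a `size_t` with the `int pos`; it is correct here because `pos` never exceeds `sizeof(value)` once it is initialised from it, but declaring `pos` as `size_t` (or casting in the expression) keeps the call free of sign-conversion warnings and makes the invariant explicit. A one-line comment above `string_appendn` saying that `pos` counts down from the end of `value` would also save the next reader from re-deriving why the length is `sizeof(value) - pos`.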
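Review bot: in the d-demangle-expected hunk the expected output is the mangled input `_D8__T2fnVa8888888888888_` itself, so the case only checks that the demangler no longer crashes and falls back to returning its input; it does not exercise the enlarged buffer on a value that demangles successfully. Consider adding a second `--format=dlang` case whose expected line is a real demangled character literal with more than ten characters of digits, and replace the `# Could crash` comment with a reference to what the case covers (the `value[]` buffer size in `dlang_parse_integer`) so its purpose survives without the mailing-list context.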
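The commit message above describes the bug in prose. The C program below is an added illustration for this page, not libiberty's code: it models the right-to-left digit formatting of `dlang_parse_integer` and puts a bounds check where the original had none. The function names, the `VALUE_BUF` macro and the sample value are constructed for the example; because the commit message calls the representation decimal, the base is a parameter so both decimal and hex can be exercised, and `unsigned long long` stands in for the 64-bit `long` of the reporter's platform so the arithmetic is the same on 32-bit hosts.

```c
/* Added example, not libiberty's code: a stand-alone model of the
   right-to-left digit formatting in dlang_parse_integer, showing why a
   10-byte stack array underflows for the value in the new testcase and
   how a bounds-checked version refuses instead of writing below the
   array.  Names, VALUE_BUF and the sample value are constructed. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scratch size derived from the integer type instead of a hard-coded
   10 or 20: 64 bits need at most 20 decimal or 16 hex digits; this is 22. */
#define VALUE_BUF (sizeof(unsigned long long) * CHAR_BIT / 3 + 1)

/* Most digits an unsigned long long can need in BASE (8..16). */
size_t max_digits(unsigned base)
{
    size_t n = 0;
    unsigned long long v = ULLONG_MAX;
    while (v > 0) { v /= base; n++; }
    return n;
}

/* Characters the formatter emits for VAL in BASE: the significant digits,
   zero-padded to at least WIDTH.  Mirrors the two loops in the patch. */
size_t digits_needed(unsigned long long val, unsigned base, size_t width)
{
    size_t n = 0;
    while (val > 0) { val /= base; n++; }
    return n > width ? n : width;
}

/* Bounds-checked formatter.  Fills BUF from its end like the original
   `value[--pos] = ...`, but checks pos before every decrement.  Returns the
   offset of the first character written, or -1 if BUF is too small. */
int format_right(char *buf, size_t bufsize, unsigned long long val,
                 unsigned base, size_t width)
{
    size_t pos = bufsize;
    while (val > 0) {
        unsigned digit = (unsigned)(val % base);
        if (pos == 0)
            return -1;              /* the original code stored to value[-1] here */
        buf[--pos] = (char)(digit < 10 ? '0' + digit : 'a' + (digit - 10));
        val /= base;
        if (width > 0)
            width--;
    }
    for (; width > 0; width--) {
        if (pos == 0)
            return -1;
        buf[--pos] = '0';
    }
    return (int)pos;
}

/* Run the checked formatter with only BUFSIZE bytes of scratch (capped at
   VALUE_BUF) and report whether it completed.  With the pre-patch size of
   10 this is false for the testcase's number in decimal and in hex. */
int fits(size_t bufsize, unsigned long long val, unsigned base, size_t width)
{
    char scratch[VALUE_BUF];
    if (bufsize > sizeof scratch)
        bufsize = sizeof scratch;
    return format_right(scratch, bufsize, val, base, width) >= 0;
}

/* Format VAL into a NUL-terminated string in a static buffer.  NULL means
   the value did not fit, which cannot happen for base 8..16 but guards
   against a future edit of VALUE_BUF. */
const char *format_value(unsigned long long val, unsigned base, size_t width)
{
    static char out[VALUE_BUF + 1];
    char value[VALUE_BUF];
    int pos = format_right(value, sizeof value, val, base, width);
    size_t len;

    if (pos < 0)
        return NULL;
    len = sizeof value - (size_t)pos;
    memcpy(out, value + pos, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: the number from the new testcase. */
    unsigned long long sample = 8888888888888ULL;
    printf("decimal digits: %zu, hex digits: %zu, fits in 10 bytes: %s\n",
           digits_needed(sample, 10, 2), digits_needed(sample, 16, 2),
           fits(10, sample, 16, 2) ? "yes" : "no");
    printf("max decimal digits for the type: %zu (buffer %zu)\n",
           max_digits(10), (size_t)VALUE_BUF);
    printf("formatted: %s\n", format_value(sample, 16, 2));
    return 0;
}
```

Whichever base the real loop uses, the testcase's number needs more than the ten bytes the pre-patch array had: thirteen characters in decimal and eleven in hex, so `fits(10, ...)` fails for both, while the check in `format_right` turns what was a store below the array into a refused format that the caller can report as a demangle failure.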