| Message ID | CY4PR22MB0102DFA97742757F1FCA2407E7850@CY4PR22MB0102.namprd22.prod.outlook.com |
|---|---|
| State | New |
| Headers | show |
| Series | [01/10] libiberty: Fix an out of bounds read in d_expression_1() | expand |
On 1/10/19 5:17 PM, Ben L wrote: > Hi all, > > First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if > there's obvious errors repeated in my patches. AFAICT I should be sending each > change individually rather than as one bulk patch, so I'm sorry about the spam > too. > > All of these changes were found by fuzzing libiberty's demanglers over the > past week, and I have at least one more that it's currently crashing out on > but I haven't had time to look into why yet. > > Obviously since this is my first time emailing I don't have write access to > commit any of these, so if any are approved then I'd be grateful if you can > commit them too. > > Thanks, > Ben > > -- > > A char array of size 10 was created on the stack to hold the decimal > representation of a long, which on my platform is 64 bits and hence has a > maximum value of 9223372036854775807, far exceeding 10 characters. > > Fix this by bumping the size of the array to 20 characters. > > * d-demangle.c (dlang_parse_integer): Fix stack underflow. > * testsuite/d-demangle-expected: Add testcase. > THanks. I've installed this on the trunk. jeff
From 56a6202c87543dbf0a15d99e4dcb01507bf70f57 Mon Sep 17 00:00:00 2001
From: bobsayshilol <bobsayshilol@live.co.uk>
Date: Wed, 9 Jan 2019 22:24:19 +0000
Subject: [PATCH 05/10] libiberty: Fix stack underflow in
dlang_parse_integer().
A char array of size 10 was created on the stack to hold the decimal
representation of a long, which on my platform is 64 bits and hence has a
maximum value of 9223372036854775807, far exceeding 10 characters.
Fix this by bumping the size of the array to 20 characters.
* d-demangle.c (dlang_parse_integer): Fix stack underflow.
* testsuite/d-demangle-expected: Add testcase.
diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index 8acbf04..114d9e0 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -939,8 +939,8 @@ dlang_parse_integer (string *decl, const char *mangled, char type)
if (type == 'a' || type == 'u' || type == 'w')
{
/* Parse character value. */
- char value[10];
- int pos = 10;
+ char value[20];
+ int pos = sizeof(value);
int width = 0;
long val;
@@ -991,7 +991,7 @@ dlang_parse_integer (string *decl, const char *mangled, char type)
for (; width > 0; width--)
value[--pos] = '0';
- string_appendn (decl, &(value[pos]), 10 - pos);
+ string_appendn (decl, &(value[pos]), sizeof(value) - pos);
}
string_append (decl, "'");
}
diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected
index 547a2dd..9988238 100644
--- a/libiberty/testsuite/d-demangle-expected
+++ b/libiberty/testsuite/d-demangle-expected
@@ -1306,3 +1306,7 @@ rt.lifetime._d_newarrayOpT!(_d_newarrayiT)._d_newarrayOpT(const(TypeInfo), ulong
--format=dlang
_D4core8demangle16__T6mangleTFZPvZ6mangleFNaNbNfAxaAaZ11DotSplitter5emptyMxFNaNbNdNiNfZb
core.demangle.mangle!(void*() function).mangle(const(char)[], char[]).DotSplitter.empty() const
+# Could crash
+--format=dlang
+_D8__T2fnVa8888888888888_
+_D8__T2fnVa8888888888888_
--
2.20.1
Hi all, First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if there's obvious errors repeated in my patches. AFAICT I should be sending each change individually rather than as one bulk patch, so I'm sorry about the spam too. All of these changes were found by fuzzing libiberty's demanglers over the past week, and I have at least one more that it's currently crashing out on but I haven't had time to look into why yet. Obviously since this is my first time emailing I don't have write access to commit any of these, so if any are approved then I'd be grateful if you can commit them too. Thanks, Ben -- A char array of size 10 was created on the stack to hold the decimal representation of a long, which on my platform is 64 bits and hence has a maximum value of 9223372036854775807, far exceeding 10 characters. Fix this by bumping the size of the array to 20 characters. * d-demangle.c (dlang_parse_integer): Fix stack underflow. * testsuite/d-demangle-expected: Add testcase.