| Message ID | CY4PR22MB0102A7DB0F159155427CC10FE7850@CY4PR22MB0102.namprd22.prod.outlook.com |
|---|---|
| State | New |
| Series | [01/10] libiberty: Fix an out of bounds read in d_expression_1() |
On 1/10/19 5:17 PM, Ben L wrote:
> Hi all,
>
> First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
> there are obvious errors repeated in my patches. AFAICT I should be sending each
> change individually rather than as one bulk patch, so I'm sorry about the spam
> too.
>
> All of these changes were found by fuzzing libiberty's demanglers over the
> past week, and I have at least one more that it's currently crashing out on
> but I haven't had time to look into why yet.
>
> Obviously since this is my first time emailing I don't have write access to
> commit any of these, so if any are approved then I'd be grateful if you can
> commit them too.
>
> Thanks,
> Ben
>
> --
>
> The number of elements was being taken as valid and for each one a separator
> was appended to the output, resulting in a huge memory bloat before crashing
> later on due to a signed integer overflow.
>
> * d-demangle.c (dlang_parse_arrayliteral): Correctly handle error result.
> * testsuite/d-demangle-expected: Add testcase.

Thanks. Installed on the trunk.
jeff
From 8eca61f41b70891f4e2c456c4a12c06d3b4f3a3f Mon Sep 17 00:00:00 2001 From: bobsayshilol <bobsayshilol@live.co.uk> Date: Wed, 9 Jan 2019 22:33:27 +0000 Subject: [PATCH 06/10] libiberty: Correctly handle error result in dlang_parse_arrayliteral(). The number of elements were being taken as valid and for each one a separator was appended to the output, resulting in a huge memory bloat before crashing later on due to a signed integer overflow. * d-demangle.c (dlang_parse_arrayliteral): Correctly handle error result. * testsuite/d-demangle-expected: Add testcase. diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c index 114d9e0..303d2ee 100644 --- a/libiberty/d-demangle.c +++ b/libiberty/d-demangle.c @@ -1191,6 +1191,9 @@ dlang_parse_arrayliteral (string *decl, const char *mangled) while (elements--) { mangled = dlang_value (decl, mangled, NULL, '\0'); + if (mangled == NULL) + return NULL; + if (elements != 0) string_append (decl, ", "); } diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected index 9988238..19665f5 100644 --- a/libiberty/testsuite/d-demangle-expected +++ b/libiberty/testsuite/d-demangle-expected @@ -1310,3 +1310,7 @@ core.demangle.mangle!(void*() function).mangle(const(char)[], char[]).DotSplitte --format=dlang _D8__T2fnVa8888888888888_ _D8__T2fnVa8888888888888_ +# Could crash +--format=dlang +_D5__T2fnVmA1A1A911111111D +_D5__T2fnVmA1A1A911111111D -- 2.20.1
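Review bot: in the d-demangle.c hunk the `if (mangled == NULL) return NULL;` check is the right fix, but it deserves a one-line comment explaining why it sits before the separator append rather than on `elements` itself: `elements` comes straight from the mangled input and is trusted as-is, so on a malformed literal the old loop kept appending ", " once per bogus element with nothing left to parse, which is the memory bloat the commit message describes. With the early return the first failed dlang_value call ends the loop, so the untrusted count can no longer drive the output size; a comment saying so would spare the next reader from wondering whether the count should be bounded instead.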
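Review bot: the new d-demangle-expected entry's `# Could crash` comment is too terse to tell a future reader which path the case exercises; name it, e.g. `# Array literal with bogus element count (dlang_parse_arrayliteral)`, and note that, as with the `_D8__T2fnVa8888888888888_` case above it, the expected output is the input echoed back unchanged because the demangle is meant to fail cleanly rather than produce output.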