Message ID | CY4PR22MB0102A3B51BC7B4CD5884C589E7850@CY4PR22MB0102.namprd22.prod.outlook.com
---|---
State | New
Series | [01/10] libiberty: Fix an out of bounds read in d_expression_1()
On 1/10/19 5:18 PM, Ben L wrote:
> Hi all,
>
> First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
> there are obvious errors repeated in my patches. AFAICT I should be sending each
> change individually rather than as one bulk patch, so I'm sorry about the spam
> too.
>
> All of these changes were found by fuzzing libiberty's demanglers over the
> past week, and I have at least one more that it's currently crashing out on
> but I haven't had time to look into why yet.
>
> Obviously since this is my first time emailing I don't have write access to
> commit any of these, so if any are approved then I'd be grateful if you can
> commit them too.
>
> Thanks,
> Ben
>
> --
>
> The number of elements was being taken as valid and for each one a separator
> was appended to the output, resulting in a huge memory bloat before crashing
> later on due to a signed integer overflow.
>
> * d-demangle.c (dlang_parse_structlit): Correctly handle error result.
> * testsuite/d-demangle-expected: Add testcase.

Thanks. I've installed this on the trunk.

jeff
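The failure mode Ben describes (an element count taken from the input and trusted, with a separator appended for every claimed element even after parsing has already failed) reduced to a stand-alone C program. This is an added illustration, not libiberty code: the `str` type, the toy value grammar (`i` followed by one digit), and the functions `parse_value`, `parse_structlit`, `separators_emitted` and `demangle_structlit` are all constructed for the example. The `fail_fast` flag switches between the pre-patch shape of the loop, which keeps going after the first parse error, and the patched behaviour of returning NULL at once.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable string standing in for libiberty's `string` type
   (constructed for this example). */
typedef struct { char *p; size_t len, cap; } str;

static void str_init(str *s) { s->p = NULL; s->len = 0; s->cap = 0; }
static void str_free(str *s) { free(s->p); str_init(s); }

static void str_append(str *s, const char *t)
{
  size_t n = strlen(t);
  if (s->len + n + 1 > s->cap) {
    size_t cap = s->cap ? s->cap : 64;
    while (cap < s->len + n + 1) cap *= 2;
    char *q = realloc(s->p, cap);
    if (q == NULL) abort();
    s->p = q;
    s->cap = cap;
  }
  memcpy(s->p + s->len, t, n + 1);
  s->len += n;
}

/* Toy value grammar (an assumption of this example, not D's mangling):
   'i' followed by one digit.  Returns the cursor after the value or NULL on
   error.  A NULL cursor is itself an error, mirroring dlang_value being
   re-entered with the failed cursor from the previous iteration. */
static const char *parse_value(str *out, const char *m)
{
  if (m == NULL || m[0] != 'i' || !isdigit((unsigned char) m[1]))
    return NULL;
  char digit[2] = { m[1], '\0' };
  str_append(out, digit);
  return m + 2;
}

/* Parses "<decimal count><values...>" into "{v, v, ...}".  With fail_fast
   == 0 the loop behaves like the pre-patch dlang_parse_structlit: a parse
   error does not stop it, so the untrusted count drives `count - 1`
   separator appends.  With fail_fast != 0 it returns NULL on the first
   error, which is what the patch adds. */
static const char *parse_structlit(str *out, const char *m, int fail_fast,
                                   size_t *separators)
{
  unsigned long count = 0;
  if (m == NULL || !isdigit((unsigned char) *m))
    return NULL;
  while (isdigit((unsigned char) *m))
    count = count * 10 + (unsigned long) (*m++ - '0');

  str_append(out, "{");
  while (count--) {
    m = parse_value(out, m);
    if (fail_fast && m == NULL)
      return NULL;                    /* the patch's early return */
    if (count != 0) {
      str_append(out, ", ");
      (*separators)++;
    }
  }
  str_append(out, "}");
  return m;
}

/* How many ", " separators a given input makes the loop emit. */
size_t separators_emitted(const char *mangled, int fail_fast)
{
  str s;
  size_t separators = 0;
  str_init(&s);
  parse_structlit(&s, mangled, fail_fast, &separators);
  str_free(&s);
  return separators;
}

/* Full demangle: malloc'd result, or NULL if the input is rejected. */
char *demangle_structlit(const char *mangled, int fail_fast)
{
  str s;
  size_t separators = 0;
  str_init(&s);
  const char *end = parse_structlit(&s, mangled, fail_fast, &separators);
  if (end == NULL || *end != '\0') {
    str_free(&s);
    return NULL;
  }
  return s.p;
}

int main(void)
{
  /* Constructed input: claims 100000 elements but carries only one. */
  const char *bogus = "100000i1";
  printf("pre-patch loop emitted %zu separators\n", separators_emitted(bogus, 0));
  printf("fail-fast loop emitted %zu separators\n", separators_emitted(bogus, 1));
  char *ok = demangle_structlit("3i1i2i3", 1);
  printf("well-formed: %s\n", ok ? ok : "(rejected)");
  free(ok);
  return 0;
}
```

The pre-patch variant still ends up returning NULL for the bogus input, so the caller sees a failure either way; the difference is the work done before that failure, which here is bounded only by whatever count the input claims. The fail-fast return makes the cost proportional to the input actually consumed.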
From 4911e6f481472b732277cc9b2136b0846474bb4a Mon Sep 17 00:00:00 2001 From: bobsayshilol <bobsayshilol@live.co.uk> Date: Wed, 9 Jan 2019 22:37:41 +0000 Subject: [PATCH 07/10] libiberty: Correctly handle error result in dlang_parse_structlit(). The number of elements were being taken as valid and for each one a separator was appended to the output, resulting in a huge memory bloat before crashing later on due to a signed integer overflow. * d-demangle.c (dlang_parse_structlit): Correctly handle error result. * testsuite/d-demangle-expected: Add testcase. diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c index 303d2ee..5590417 100644 --- a/libiberty/d-demangle.c +++ b/libiberty/d-demangle.c @@ -1246,6 +1246,9 @@ dlang_parse_structlit (string *decl, const char *mangled, const char *name) while (args--) { mangled = dlang_value (decl, mangled, NULL, '\0'); + if (mangled == NULL) + return NULL; + if (args != 0) string_append (decl, ", "); } diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected index 19665f5..0a5f9da 100644 --- a/libiberty/testsuite/d-demangle-expected +++ b/libiberty/testsuite/d-demangle-expected @@ -1314,3 +1314,7 @@ _D8__T2fnVa8888888888888_ --format=dlang _D5__T2fnVmA1A1A911111111D _D5__T2fnVmA1A1A911111111D +# Could crash +--format=dlang +_D7__T2fnVlS8S588888888888S6S5 +_D7__T2fnVlS8S588888888888S6S5 -- 2.20.1
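Review bot: in the dlang_parse_structlit hunk the early `return NULL` is correct, but the loop is still bounded by the untrusted `args` count read from the input; after this change the only thing that stops a huge count is dlang_value failing, so consider also rejecting `args` when it exceeds the remaining length of `mangled` before entering the loop (every element must consume at least one character), or add a short comment saying that a NULL from dlang_value is what now bounds the iteration. It would also help the commit message to state that before this change the loop kept calling dlang_value with `mangled == NULL` for every remaining iteration while appending `", "` each time, since that is where the bloat came from.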
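Review bot: the `# Could crash` comment in the d-demangle-expected hunk does not say what the new case exercises; since the expected line is identical to the input (as in the preceding case, which appears to be the convention for a symbol the demangler rejects), a comment along the lines of `# Struct literal with a bogus element count must be rejected, not expanded` would tell a future reader why the symbol is expected to come back unchanged and which code path in dlang_parse_structlit it covers.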