| Message ID | CY4PR22MB0102E2AC3D9EF674099A64E1E7850@CY4PR22MB0102.namprd22.prod.outlook.com |
|---|---|
| State | New |
| Headers | show |
| Series | [01/10] libiberty: Fix an out of bounds read in d_expression_1() | expand |
On 1/10/19 5:19 PM, Ben L wrote: > Hi all, > > First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if > there's obvious errors repeated in my patches. AFAICT I should be sending each > change individually rather than as one bulk patch, so I'm sorry about the spam > too. > > All of these changes were found by fuzzing libiberty's demanglers over the > past week, and I have at least one more that it's currently crashing out on > but I haven't had time to look into why yet. > > Obviously since this is my first time emailing I don't have write access to > commit any of these, so if any are approved then I'd be grateful if you can > commit them too. > > Thanks, > Ben > > -- > > The number of elements were being taken as valid and for each one a separator > was appended to the output, resulting in a huge memory bloat before crashing > later on due to a signed integer overflow. > > * d-demangle.c (dlang_parse_assocarray): Correctly handle error result. > * testsuite/d-demangle-expected: Add testcase. > Thanks. I've installed this on the trunk. jeff
From f3dd4107d4bd59b7f3370b17b25c9fd35d499ea3 Mon Sep 17 00:00:00 2001
From: bobsayshilol <bobsayshilol@live.co.uk>
Date: Wed, 9 Jan 2019 22:46:30 +0000
Subject: [PATCH 09/10] libiberty: Correctly handle error result in
dlang_parse_assocarray().
The number of elements were being taken as valid and for each one a separator
was appended to the output, resulting in a huge memory bloat before crashing
later on due to a signed integer overflow.
* d-demangle.c (dlang_parse_assocarray): Correctly handle error result.
* testsuite/d-demangle-expected: Add testcase.
diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index e98118e..becc402 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -1217,8 +1217,13 @@ dlang_parse_assocarray (string *decl, const char *mangled)
while (elements--)
{
mangled = dlang_value (decl, mangled, NULL, '\0');
+ if (mangled == NULL)
+ return NULL;
+
string_append (decl, ":");
mangled = dlang_value (decl, mangled, NULL, '\0');
+ if (mangled == NULL)
+ return NULL;
if (elements != 0)
string_append (decl, ", ");
diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected
index 44a8d3b..490d4e1 100644
--- a/libiberty/testsuite/d-demangle-expected
+++ b/libiberty/testsuite/d-demangle-expected
@@ -1322,3 +1322,7 @@ _D7__T2fnVlS8S588888888888S6S5
--format=dlang
_D1_B699999999961*
_D1_B699999999961*
+# Could crash
+--format=dlang
+_D5__T1fVHacA6666666666_
+_D5__T1fVHacA6666666666_
--
2.20.1
Hi all, First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if there's obvious errors repeated in my patches. AFAICT I should be sending each change individually rather than as one bulk patch, so I'm sorry about the spam too. All of these changes were found by fuzzing libiberty's demanglers over the past week, and I have at least one more that it's currently crashing out on but I haven't had time to look into why yet. Obviously since this is my first time emailing I don't have write access to commit any of these, so if any are approved then I'd be grateful if you can commit them too. Thanks, Ben -- The number of elements were being taken as valid and for each one a separator was appended to the output, resulting in a huge memory bloat before crashing later on due to a signed integer overflow. * d-demangle.c (dlang_parse_assocarray): Correctly handle error result. * testsuite/d-demangle-expected: Add testcase.