Message ID | CY4PR22MB0102E2AC3D9EF674099A64E1E7850@CY4PR22MB0102.namprd22.prod.outlook.com |
---|---|
State | New |
Series | [01/10] libiberty: Fix an out of bounds read in d_expression_1() |

On 1/10/19 5:19 PM, Ben L wrote:
> Hi all,
>
> First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
> there's obvious errors repeated in my patches. AFAICT I should be sending each
> change individually rather than as one bulk patch, so I'm sorry about the spam
> too.
>
> All of these changes were found by fuzzing libiberty's demanglers over the
> past week, and I have at least one more that it's currently crashing out on
> but I haven't had time to look into why yet.
>
> Obviously since this is my first time emailing I don't have write access to
> commit any of these, so if any are approved then I'd be grateful if you can
> commit them too.
>
> Thanks,
> Ben
>
> --
>
> The number of elements were being taken as valid and for each one a separator
> was appended to the output, resulting in a huge memory bloat before crashing
> later on due to a signed integer overflow.
>
> * d-demangle.c (dlang_parse_assocarray): Correctly handle error result.
> * testsuite/d-demangle-expected: Add testcase.
>

Thanks. I've installed this on the trunk.

jeff

From f3dd4107d4bd59b7f3370b17b25c9fd35d499ea3 Mon Sep 17 00:00:00 2001 From: bobsayshilol <bobsayshilol@live.co.uk> Date: Wed, 9 Jan 2019 22:46:30 +0000 Subject: [PATCH 09/10] libiberty: Correctly handle error result in dlang_parse_assocarray(). The number of elements were being taken as valid and for each one a separator was appended to the output, resulting in a huge memory bloat before crashing later on due to a signed integer overflow. * d-demangle.c (dlang_parse_assocarray): Correctly handle error result. * testsuite/d-demangle-expected: Add testcase. diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c index e98118e..becc402 100644 --- a/libiberty/d-demangle.c +++ b/libiberty/d-demangle.c @@ -1217,8 +1217,13 @@ dlang_parse_assocarray (string *decl, const char *mangled) while (elements--) { mangled = dlang_value (decl, mangled, NULL, '\0'); + if (mangled == NULL) + return NULL; + string_append (decl, ":"); mangled = dlang_value (decl, mangled, NULL, '\0'); + if (mangled == NULL) + return NULL; if (elements != 0) string_append (decl, ", "); diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected index 44a8d3b..490d4e1 100644 --- a/libiberty/testsuite/d-demangle-expected +++ b/libiberty/testsuite/d-demangle-expected @@ -1322,3 +1322,7 @@ _D7__T2fnVlS8S588888888888S6S5 --format=dlang _D1_B699999999961* _D1_B699999999961* +# Could crash +--format=dlang +_D5__T1fVHacA6666666666_ +_D5__T1fVHacA6666666666_ -- 2.20.1
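
Review bot: In the d-demangle.c hunk, both new `return NULL` paths in dlang_parse_assocarray leave `decl` holding partial output: whatever earlier iterations appended, and on the second path also the ":" appended just before the failing dlang_value call. If callers are expected to discard `decl` whenever NULL comes back, a short comment above the first `if (mangled == NULL)` should say so; otherwise truncate `decl` back to its length on entry before returning. The same comment could note that `elements` is still used as parsed in `while (elements--)`, so within the loop it is only these NULL checks that stop a bogus count.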
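
Review bot: In the d-demangle-expected hunk, the comment `# Could crash` does not say which code path the input exercises. Suggest naming the function and the condition from the commit message, for example `# dlang_parse_assocarray: error result from dlang_value was ignored`, so the case can be identified if it regresses. The expected line repeats the mangled name unchanged, so the entry only checks that the input is not demangled; that is enough for this fix, but the comment should make the intent explicit.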