Message ID | 23D17F58-63E3-4205-A7BC-81D0C15CCC4E@gmail.com |
---|---|
State | New |
Hi: Pending review. Best - Marcel > On 3 May 2016, at 10:40 PM, Marcel Böhme <boehme.marcel@gmail.com> wrote: > > Hi, > > This fixes four access violations (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926). > > Two of these first read the value of a length variable len from the mangled string, then strncpy len characters from the mangled string; more than necessary. > The other two read the value of an array index n from the mangled string, which can be negative due to an overflow. > > Bootstrapped and regression tested on x86_64-pc-linux-gnu. Test cases added to libiberty/testsuite/demangler-expected and checked PR70926 is resolved. > > Best regards, > - Marcel > > Index: libiberty/ChangeLog > =================================================================== > --- libiberty/ChangeLog (revision 235801) > +++ libiberty/ChangeLog (working copy) > @@ -1,3 +1,12 @@ > +2016-05-03 Marcel Böhme <boehme.marcel@gmail.com> > + > + PR c++/70926 > + * cplus-dem.c: Handle large values and overflow when demangling > + length variables. > + (demangle_template_value_parm): Read only until end of mangled string. > + (do_hpacc_template_literal): Likewise. > + (do_type): Handle overflow when demangling array indices. > + > 2016-05-02 Marcel Böhme <boehme.marcel@gmail.com> > > PR c++/70498 > Index: libiberty/cplus-dem.c > =================================================================== > --- libiberty/cplus-dem.c (revision 235801) > +++ libiberty/cplus-dem.c (working copy) > @@ -2051,7 +2051,8 @@ demangle_template_value_parm (struct work_stuff *w > else > { > int symbol_len = consume_count (mangled); > - if (symbol_len == -1) > + if (symbol_len == -1 > + || symbol_len > (long) strlen (*mangled)) > return -1; > if (symbol_len == 0) > string_appendn (s, "0", 1); 
> @@ -3611,7 +3612,7 @@ do_type (struct work_stuff *work, const char **man > /* A back reference to a previously seen type */ > case 'T': > (*mangled)++; > - if (!get_count (mangled, &n) || n >= work -> ntypes) > + if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes) > { > success = 0; > } > @@ -3789,7 +3790,7 @@ do_type (struct work_stuff *work, const char **man > /* A back reference to a previously seen squangled type */ > case 'B': > (*mangled)++; > - if (!get_count (mangled, &n) || n >= work -> numb) > + if (!get_count (mangled, &n) || n < 0 || n >= work -> numb) > success = 0; > else > string_append (result, work->btypevec[n]); > @@ -4130,7 +4131,8 @@ do_hpacc_template_literal (struct work_stuff *work > > literal_len = consume_count (mangled); > > - if (literal_len <= 0) > + if (literal_len <= 0 > + || literal_len > (long) strlen (*mangled)) > return 0; > > /* Literal parameters are names of arrays, functions, etc. and the > Index: libiberty/testsuite/demangle-expected > =================================================================== > --- libiberty/testsuite/demangle-expected (revision 235801) > +++ libiberty/testsuite/demangle-expected (working copy) > @@ -4441,3 +4441,16 @@ __vt_90000000000cafebabe > > _Z80800000000000000000000 > _Z80800000000000000000000 > +# > +# Tests write access violation PR70926 > + > +0__Ot2m02R5T0000500000 > +0__Ot2m02R5T0000500000 > +# > + > +0__GT50000000000_ > +0__GT50000000000_ > +# > + > +__t2m05B500000000000000000_ > +__t2m05B500000000000000000_ >
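The two defect classes the cover letter above describes (a declared length larger than what remains of the mangled string, and a count that wraps to a negative back-reference index), as an added example that is not libiberty's code: `parse_count`, `copy_literal`, `literal_is_valid` and `backref_ok` are hypothetical simplifications of `consume_count`/`get_count` and of the checks the patch adds, written here so the failure mode and its guard can be run on the page's own test strings.

```c
#include <limits.h>
#include <string.h>

/* Hypothetical stand-in for consume_count/get_count: read a decimal count at
   *p and advance *p.  Returns -1 when there are no digits or the value would
   overflow, so a string like "50000000000" can never come back negative. */
static long parse_count(const char **p)
{
    long n = 0;
    if (**p < '0' || **p > '9')
        return -1;                      /* no digits at all */
    while (**p >= '0' && **p <= '9') {
        int d = *(*p)++ - '0';
        if (n > (LONG_MAX - d) / 10)    /* would overflow: reject, do not wrap */
            return -1;
        n = n * 10 + d;
    }
    return n;
}

/* Copy a length-prefixed literal such as "5hello" into out.  The declared
   length must be valid, must not exceed the bytes left in the mangled string
   (the bound the patch adds) and must fit out.  Returns bytes copied or -1. */
long copy_literal(const char *mangled, char *out, size_t outsz)
{
    const char *p = mangled;
    long len = parse_count(&p);
    if (len < 0 || (size_t)len > strlen(p) || (size_t)len >= outsz)
        return -1;
    memcpy(out, p, (size_t)len);
    out[len] = '\0';
    return len;
}

/* 1 if copy_literal would accept the literal, 0 if it rejects it. */
int literal_is_valid(const char *mangled)
{
    char buf[64];
    return copy_literal(mangled, buf, sizeof buf) >= 0;
}

/* Back-reference check in the shape of the do_type 'T'/'B' cases: the index
   must be non-negative and below the number of entries recorded so far. */
int backref_ok(const char *mangled, long nentries)
{
    const char *p = mangled;
    long n = parse_count(&p);
    return n >= 0 && n < nentries;
}
```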
On 05/26/2016 01:02 AM, Marcel Böhme wrote: > Hi: Pending review. > > Best - Marcel > >> On 3 May 2016, at 10:40 PM, Marcel Böhme <boehme.marcel@gmail.com> wrote: >> >> Hi, >> >> This fixes four access violations (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926). >> >> Two of these first read the value of a length variable len from the mangled string, then strncpy len characters from the mangled string; more than necessary. >> The other two read the value of an array index n from the mangled string, which can be negative due to an overflow. >> >> Bootstrapped and regression tested on x86_64-pc-linux-gnu. Test cases added to libiberty/testsuite/demangler-expected and checked PR70926 is resolved. >> >> Best regards, >> - Marcel >> >> Index: libiberty/ChangeLog >> =================================================================== >> --- libiberty/ChangeLog (revision 235801) >> +++ libiberty/ChangeLog (working copy) >> @@ -1,3 +1,12 @@ >> +2016-05-03 Marcel Böhme <boehme.marcel@gmail.com> >> + >> + PR c++/70926 >> + * cplus-dem.c: Handle large values and overflow when demangling >> + length variables. >> + (demangle_template_value_parm): Read only until end of mangled string. >> + (do_hpacc_template_literal): Likewise. >> + (do_type): Handle overflow when demangling array indices. OK for the trunk. Please install. Sorry for the delays. Jeff
Hi Jeff,

On 23 Jun 2016, at 4:21 AM, Jeff Law <law@redhat.com> wrote:
>
> OK for the trunk. Please install.
>
> Sorry for the delays.
>
> Jeff

I might not have the access rights to commit to trunk.

Best regards
- Marcel
Index: libiberty/ChangeLog =================================================================== --- libiberty/ChangeLog (revision 235801) +++ libiberty/ChangeLog (working copy) @@ -1,3 +1,12 @@ +2016-05-03 Marcel Böhme <boehme.marcel@gmail.com> + + PR c++/70926 + * cplus-dem.c: Handle large values and overflow when demangling + length variables. + (demangle_template_value_parm): Read only until end of mangled string. + (do_hpacc_template_literal): Likewise. + (do_type): Handle overflow when demangling array indices. + 2016-05-02 Marcel Böhme <boehme.marcel@gmail.com> PR c++/70498 Index: libiberty/cplus-dem.c =================================================================== --- libiberty/cplus-dem.c (revision 235801) +++ libiberty/cplus-dem.c (working copy) @@ -2051,7 +2051,8 @@ demangle_template_value_parm (struct work_stuff *w else { int symbol_len = consume_count (mangled); - if (symbol_len == -1) + if (symbol_len == -1 + || symbol_len > (long) strlen (*mangled)) return -1; if (symbol_len == 0) string_appendn (s, "0", 1); @@ -3611,7 +3612,7 @@ do_type (struct work_stuff *work, const char **man /* A back reference to a previously seen type */ case 'T': (*mangled)++; - if (!get_count (mangled, &n) || n >= work -> ntypes) + if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes) { success = 0; } @@ -3789,7 +3790,7 @@ do_type (struct work_stuff *work, const char **man /* A back reference to a previously seen squangled type */ case 'B': (*mangled)++; - if (!get_count (mangled, &n) || n >= work -> numb) + if (!get_count (mangled, &n) || n < 0 || n >= work -> numb) success = 0; else string_append (result, work->btypevec[n]); 
@@ -4130,7 +4131,8 @@ do_hpacc_template_literal (struct work_stuff *work literal_len = consume_count (mangled); - if (literal_len <= 0) + if (literal_len <= 0 + || literal_len > (long) strlen (*mangled)) return 0; /* Literal parameters are names of arrays, functions, etc. and the Index: libiberty/testsuite/demangle-expected =================================================================== --- libiberty/testsuite/demangle-expected (revision 235801) +++ libiberty/testsuite/demangle-expected (working copy) @@ -4441,3 +4441,16 @@ __vt_90000000000cafebabe _Z80800000000000000000000 _Z80800000000000000000000 +# +# Tests write access violation PR70926 + +0__Ot2m02R5T0000500000 +0__Ot2m02R5T0000500000 +# + +0__GT50000000000_ +0__GT50000000000_ +# + +__t2m05B500000000000000000_ +__t2m05B500000000000000000_
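Review bot: the libiberty/ChangeLog entry omits the testsuite change; the patch also adds entries to libiberty/testsuite/demangle-expected, which libiberty ChangeLog entries normally list, e.g. `* testsuite/demangle-expected: Add tests for PR70926.`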
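Review bot: in the demangle_template_value_parm hunk, the new bound `symbol_len > (long) strlen (*mangled)` compares an int against a size_t narrowed to long; once `symbol_len == -1` has been ruled out, comparing in the unsigned domain (`(size_t) symbol_len > strlen (*mangled)`) avoids the narrowing cast and states the intent directly: the count must not exceed the bytes remaining. Note also that strlen walks the whole remainder on every call, acceptable for a fix but worth remembering if this check is copied to more sites.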
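Review bot: in the do_type 'T' hunk, `n < 0` guards the symptom at this caller while the cause, the unchecked digit accumulation in get_count that lets a long digit string wrap negative, stays in place; a caller-side check is a reasonable minimal fix, but rejecting overflow inside get_count (returning 0 as for any malformed count) would protect every user of get_count rather than only the two sites patched here.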
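Review bot: the do_type 'B' hunk repeats the 'T' guard verbatim; keeping the two in sync is the fragile part, which is a second argument for doing the overflow rejection once in get_count. The new test `__t2m05B500000000000000000_` exercises exactly this path.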
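Review bot: in the do_hpacc_template_literal hunk, `literal_len > (long) strlen (*mangled)` could be written `(size_t) literal_len > strlen (*mangled)` now that `literal_len <= 0` has already rejected negative values; whichever form is chosen, this site and demangle_template_value_parm should use the same one so a later reader sees they are the same check.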
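Review bot: in the demangle-expected hunk, the comment `# Tests write access violation PR70926` does not match the cover letter, which describes over-reads (strncpy copying more than remains of the input) and negative back-reference reads; something like `# Tests PR70926: demangler reads past end of input / negative back-reference index` would describe what the three inputs provoke. As with the existing `_Z80800000000000000000000` entry just above, each expected line equals its input, so these tests assert that the string is rejected rather than any particular demangling; a word to that effect in the comment would stop someone later "fixing" the expected output.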