From patchwork Wed Apr 26 22:02:37 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Wakely X-Patchwork-Id: 755661 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3wCvG23qz7z9s80 for ; Thu, 27 Apr 2017 08:02:49 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=gcc.gnu.org header.i=@gcc.gnu.org header.b="V/RKhL9m"; dkim-atps=neutral DomainKey-Signature: a=rsa-sha1; c=nofws; d=gcc.gnu.org; h=list-id :list-unsubscribe:list-archive:list-post:list-help:sender:date :from:to:cc:subject:message-id:mime-version:content-type; q=dns; s=default; b=c7oFsYkIx23muzgV7UwUjctNUbxblHrBVaLUZk0vGkDEy13cKL QgXhgNyW5PpKV2aJyeHODXHmZVvMu7J2RWE2yDArqh7Mrlnlk27n/YBovV1dlp+M lqTMLCDIboPMTAyL/Gm8KmytzxyYzjNTEN8K4Dm3K9WH9gKlDMue6po/8= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=gcc.gnu.org; h=list-id :list-unsubscribe:list-archive:list-post:list-help:sender:date :from:to:cc:subject:message-id:mime-version:content-type; s= default; bh=2gc22T/RQ/91W38H0TfDKaDwAig=; b=V/RKhL9mxO293l5BbZqX hGS3nUNfGIYhCJUy/qhYBXysbOK+PIlQg445422wYVObnGGJCvLsq9ojnPQXx9So bpKEaYXemjNHEEK+pX58JGcykFoP4fhXlQ8YWTQ1Km/JED5rP9ipkqS7c2jiaOtt OD6vNgrTRFHY0OLDpYaSz9w= Received: (qmail 29257 invoked by alias); 26 Apr 2017 22:02:40 -0000 Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Archive: List-Post: List-Help: Sender: gcc-patches-owner@gcc.gnu.org Delivered-To: mailing list gcc-patches@gcc.gnu.org Received: (qmail 29244 invoked by uid 89); 26 Apr 2017 22:02:39 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, RP_MATCHES_RCVD, SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=52021 X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 26 Apr 2017 22:02:38 +0000 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0315AC054905; Wed, 26 Apr 2017 22:02:39 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 0315AC054905 Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=jwakely@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 0315AC054905 Received: from localhost (unknown [10.33.36.11]) by smtp.corp.redhat.com (Postfix) with ESMTP id A2A0C785C0; Wed, 26 Apr 2017 22:02:38 +0000 (UTC) Date: Wed, 26 Apr 2017 23:02:37 +0100 From: Jonathan Wakely To: gcc-patches@gcc.gnu.org Cc: Jason Merrill , Ian Lance Taylor Subject: [PATCH] PR demangler/80513 check for overflows and invalid characters in thunks Message-ID: <20170426220237.GK5109@redhat.com> MIME-Version: 1.0 Content-Disposition: inline X-Clacks-Overhead: GNU Terry Pratchett User-Agent: Mutt/1.8.0 (2017-02-23) This ensures we notice if a number in a mangled name overflows an int. The check in consume_count can be optimized away, and there was no check in d_number. It also adds a check that the next character after __thunk_ is an underscore, rather than just skipping over it. OK for trunk? PR demangler/80513 * cp-demangle.c (d_number): Check for overflow. * cplus-dem.c (consume_count): Fix overflow check. (gnu_special): Check for underscore after thunk delta. * testsuite/demangle-expected: Add tests for overflows and invalid characters in thunks. commit 48c4e6098f7ea373615d46befba903a0a1b75230 Author: Jonathan Wakely Date: Wed Apr 26 20:20:24 2017 +0100 PR demangler/80513 check for overflows and invalid characters in thunks PR demangler/80513 * cp-demangle.c (d_number): Check for overflow. * cplus-dem.c (consume_count): Fix overflow check. (gnu_special): Check for underscore after thunk delta. * testsuite/demangle-expected: Add tests for overflows and invalid characters in thunks. diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c index e1db900..7b8d0b4 100644 --- a/libiberty/cp-demangle.c +++ b/libiberty/cp-demangle.c @@ -1692,6 +1692,8 @@ d_number (struct d_info *di) ret = - ret; return ret; } + if (ret > ((INT_MAX - (peek - '0')) / 10)) + return -1; ret = ret * 10 + peek - '0'; d_advance (di, 1); peek = d_peek_char (di); diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c index a990e07..81c17a3 100644 --- a/libiberty/cplus-dem.c +++ b/libiberty/cplus-dem.c @@ -520,21 +520,17 @@ consume_count (const char **type) while (ISDIGIT ((unsigned char)**type)) { - count *= 10; - - /* Check for overflow. - We assume that count is represented using two's-complement; - no power of two is divisible by ten, so if an overflow occurs - when multiplying by ten, the result will not be a multiple of - ten. */ - if ((count % 10) != 0) + const int digit = **type - '0'; + /* Check for overflow. */ + if (count > ((INT_MAX - digit) / 10)) { while (ISDIGIT ((unsigned char) **type)) (*type)++; return -1; } - count += **type - '0'; + count *= 10; + count += digit; (*type)++; } @@ -3173,6 +3169,8 @@ gnu_special (struct work_stuff *work, const char **mangled, string *declp) delta = consume_count (mangled); if (delta == -1) success = 0; + else if (**mangled != '_') + success = 0; else { char *method = internal_cplus_demangle (work, ++*mangled); diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected index 45c5722..f2a12b9 100644 --- a/libiberty/testsuite/demangle-expected +++ b/libiberty/testsuite/demangle-expected @@ -4720,3 +4720,18 @@ _ZdvMMMMMMMMMMMMMrrrrA_DTdvfp_fp_Eededilfdfdfdfd _Z1MA_aMMMMA_MMA_MMMMMMMMSt1MS_o11T0000000000t2M0oooozoooo _Z1MA_aMMMMA_MMA_MMMMMMMMSt1MS_o11T0000000000t2M0oooozoooo + +# +# demangler/80513 Test for overflow in d_number +_Z4294967297x +_Z4294967297x + +# +# demangler/80513 Test for bogus characters after __thunk_ +__thunk_16a_$_1x +__thunk_16a_$_1x + +# +# demangler/80513 Test for overflow in consume_count +__thunk_4294967297__$_1x +__thunk_4294967297__$_1x