| Message ID | CY4PR22MB01026887C9C21D1CB090BBE9E7850@CY4PR22MB0102.namprd22.prod.outlook.com |
|---|---|
| State | New |
| Headers | show |
| Series | [01/10] libiberty: Fix an out of bounds read in d_expression_1() | expand |
On 1/10/19 5:14 PM, Ben L wrote: > Hi all, > > First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if > there's obvious errors repeated in my patches. AFAICT I should be sending each > change individually rather than as one bulk patch, so I'm sorry about the spam > too. > > All of these changes were found by fuzzing libiberty's demanglers over the > past week, and I have at least one more that it's currently crashing out on > but I haven't had time to look into why yet. > > Obviously since this is my first time emailing I don't have write access to > commit any of these, so if any are approved then I'd be grateful if you can > commit them too. > > Thanks, > Ben > > -- > > Passing "_ZZaSFvOEES_" to cplus_demangle() without the DMGL_PARAMS flag causes > a crash due to d_right (dc) returning NULL inside d_encoding(). > > Check for this case and handle it as an error rather than crashing when trying > to dereference the right side's type. > > * cp-demangle.c (d_encoding): Guard against NULL return values from > d_right (dc). > * testsuite/demangle-expected: Add testcase. > THanks. I've installed this on the trunk. Jeff
From 5102da933a72628e34b68402168e571b09c54581 Mon Sep 17 00:00:00 2001
From: bobsayshilol <bobsayshilol@live.co.uk>
Date: Wed, 9 Jan 2019 22:05:16 +0000
Subject: [PATCH 02/10] libiberty: Fix a crash in d_encoding().
Passing "_ZZaSFvOEES_" to cplus_demangle() without the DMGL_PARAMS flag causes
a crash due to d_right (dc) returning NULL inside d_encoding().
Check for this case and handle it as an error rather than crashing when trying
to dereference the right side's type.
* cp-demangle.c (d_encoding): Guard against NULL return values from
d_right (dc).
* testsuite/demangle-expected: Add testcase.
diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
index dddd8f6..02b5f9e 100644
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -1330,8 +1330,14 @@ d_encoding (struct d_info *di, int top_level)
really apply here; this happens when parsing a class
which is local to a function. */
if (dc->type == DEMANGLE_COMPONENT_LOCAL_NAME)
- while (is_fnqual_component_type (d_right (dc)->type))
- d_right (dc) = d_left (d_right (dc));
+ {
+ while (d_right (dc) != NULL
+ && is_fnqual_component_type (d_right (dc)->type))
+ d_right (dc) = d_left (d_right (dc));
+
+ if (d_right (dc) == NULL)
+ dc = NULL;
+ }
}
else
{
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
index 328d51a..eb5264d 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -72,6 +72,11 @@ _Q8ccQ4M2e.
_ZmmAtl
_ZmmAtl
+# Could crash
+--no-params
+_ZZaSFvOEES_
+_ZZaSFvOEES_
+_ZZaSFvOEES_
#
# demangler/80513 Test for bogus characters after __thunk_
--
2.20.1
Hi all, First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if there's obvious errors repeated in my patches. AFAICT I should be sending each change individually rather than as one bulk patch, so I'm sorry about the spam too. All of these changes were found by fuzzing libiberty's demanglers over the past week, and I have at least one more that it's currently crashing out on but I haven't had time to look into why yet. Obviously since this is my first time emailing I don't have write access to commit any of these, so if any are approved then I'd be grateful if you can commit them too. Thanks, Ben -- Passing "_ZZaSFvOEES_" to cplus_demangle() without the DMGL_PARAMS flag causes a crash due to d_right (dc) returning NULL inside d_encoding(). Check for this case and handle it as an error rather than crashing when trying to dereference the right side's type. * cp-demangle.c (d_encoding): Guard against NULL return values from d_right (dc). * testsuite/demangle-expected: Add testcase.