Message ID | CY4PR22MB01026887C9C21D1CB090BBE9E7850@CY4PR22MB0102.namprd22.prod.outlook.com
---|---
State | New
Series | [01/10] libiberty: Fix an out of bounds read in d_expression_1()
On 1/10/19 5:14 PM, Ben L wrote:
> Hi all,
>
> First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
> there are obvious errors repeated in my patches. AFAICT I should be sending each
> change individually rather than as one bulk patch, so I'm sorry about the spam
> too.
>
> All of these changes were found by fuzzing libiberty's demanglers over the
> past week, and I have at least one more that it's currently crashing out on
> but I haven't had time to look into why yet.
>
> Obviously since this is my first time emailing I don't have write access to
> commit any of these, so if any are approved then I'd be grateful if you can
> commit them too.
>
> Thanks,
> Ben
>
> --
>
> Passing "_ZZaSFvOEES_" to cplus_demangle() without the DMGL_PARAMS flag causes
> a crash due to d_right (dc) returning NULL inside d_encoding().
>
> Check for this case and handle it as an error rather than crashing when trying
> to dereference the right side's type.
>
> * cp-demangle.c (d_encoding): Guard against NULL return values from
> d_right (dc).
> * testsuite/demangle-expected: Add testcase.

Thanks. I've installed this on the trunk.

Jeff
From 5102da933a72628e34b68402168e571b09c54581 Mon Sep 17 00:00:00 2001 From: bobsayshilol <bobsayshilol@live.co.uk> Date: Wed, 9 Jan 2019 22:05:16 +0000 Subject: [PATCH 02/10] libiberty: Fix a crash in d_encoding(). Passing "_ZZaSFvOEES_" to cplus_demangle() without the DMGL_PARAMS flag causes a crash due to d_right (dc) returning NULL inside d_encoding(). Check for this case and handle it as an error rather than crashing when trying to dereference the right side's type. * cp-demangle.c (d_encoding): Guard against NULL return values from d_right (dc). * testsuite/demangle-expected: Add testcase. diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c index dddd8f6..02b5f9e 100644 --- a/libiberty/cp-demangle.c +++ b/libiberty/cp-demangle.c @@ -1330,8 +1330,14 @@ d_encoding (struct d_info *di, int top_level) really apply here; this happens when parsing a class which is local to a function. */ if (dc->type == DEMANGLE_COMPONENT_LOCAL_NAME) - while (is_fnqual_component_type (d_right (dc)->type)) - d_right (dc) = d_left (d_right (dc)); + { + while (d_right (dc) != NULL + && is_fnqual_component_type (d_right (dc)->type)) + d_right (dc) = d_left (d_right (dc)); + + if (d_right (dc) == NULL) + dc = NULL; + } } else { diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected index 328d51a..eb5264d 100644 --- a/libiberty/testsuite/demangle-expected +++ b/libiberty/testsuite/demangle-expected @@ -72,6 +72,11 @@ _Q8ccQ4M2e. _ZmmAtl _ZmmAtl +# Could crash +--no-params +_ZZaSFvOEES_ +_ZZaSFvOEES_ +_ZZaSFvOEES_ # # demangler/80513 Test for bogus characters after __thunk_ -- 2.20.1
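Review bot: In the cp-demangle.c hunk, the comment above the loop still only explains why function qualifiers are stripped from a local name and says nothing about `d_right (dc)` being NULL; since the new block turns that case into a parse failure by setting `dc = NULL`, the comment should state that a LOCAL_NAME whose right side is NULL is malformed input and is rejected here, so the next reader does not mistake the guard for a harmless no-op. It is also worth asking whether the node should have been rejected where the LOCAL_NAME was built rather than here, since any other caller that reads `d_right (dc)->type` on such a node would still dereference NULL; the guard in d_encoding() is correct for the crash at hand, but a note on why this is the right place for it would help.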
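Review bot: In the demangle-expected hunk, the `# Could crash` comment does not say what the test guards against; naming the case (NULL `d_right (dc)` in d_encoding() without DMGL_PARAMS) would keep the test understandable once the commit message is no longer at hand. The expected lines repeat the mangled input `_ZZaSFvOEES_` unchanged, so the test records that demangling is expected to fail cleanly rather than produce a demangled name, which matches the fix; stating that intent in the comment would avoid a later reader "fixing" the expected output.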