diff mbox series

[08/10] libiberty: Correctly handle error result in dlang_parse_tuple()

Message ID CY4PR22MB0102C99441E5EE842E81C7F6E7850@CY4PR22MB0102.namprd22.prod.outlook.com
State New
Headers show
Series [01/10] libiberty: Fix an out of bounds read in d_expression_1() | expand

Commit Message

Ben L Jan. 11, 2019, 12:18 a.m. UTC 
Hi all,

First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
there's obvious errors repeated in my patches. AFAICT I should be sending each
change individually rather than as one bulk patch, so I'm sorry about the spam
too.

All of these changes were found by fuzzing libiberty's demanglers over the
past week, and I have at least one more that it's currently crashing out on
but I haven't had time to look into why yet.

Obviously since this is my first time emailing I don't have write access to
commit any of these, so if any are approved then I'd be grateful if you can
commit them too.

Thanks,
Ben

--

The number of elements were being taken as valid and for each one a separator
was appended to the output, resulting in a huge memory bloat before crashing
later on due to a signed integer overflow.

     * d-demangle.c (dlang_parse_tuple): Correctly handle error result.
     * testsuite/d-demangle-expected: Add testcase.

Comments

Jeff Law April 30, 2019, 2:38 p.m. UTC | #1 
On 1/10/19 5:18 PM, Ben L wrote:
> Hi all,
> 
> First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
> there's obvious errors repeated in my patches. AFAICT I should be sending each
> change individually rather than as one bulk patch, so I'm sorry about the spam
> too.
> 
> All of these changes were found by fuzzing libiberty's demanglers over the
> past week, and I have at least one more that it's currently crashing out on
> but I haven't had time to look into why yet.
> 
> Obviously since this is my first time emailing I don't have write access to
> commit any of these, so if any are approved then I'd be grateful if you can
> commit them too.
> 
> Thanks,
> Ben
> 
> --
> 
> The number of elements were being taken as valid and for each one a separator
> was appended to the output, resulting in a huge memory bloat before crashing
> later on due to a signed integer overflow.
> 
>      * d-demangle.c (dlang_parse_tuple): Correctly handle error result.
>      * testsuite/d-demangle-expected: Add testcase.
> 
Thanks.  I've installed this on the trunk.
jeff
diff mbox series

Patch

From 7491ea105fd8d1d7887884594d30486ecf2cac08 Mon Sep 17 00:00:00 2001
From: bobsayshilol <bobsayshilol@live.co.uk>
Date: Wed, 9 Jan 2019 22:40:48 +0000
Subject: [PATCH 08/10] libiberty: Correctly handle error result in
 dlang_parse_tuple().

The number of elements were being taken as valid and for each one a separator
was appended to the output, resulting in a huge memory bloat before crashing
later on due to a signed integer overflow.

    * d-demangle.c (dlang_parse_tuple): Correctly handle error result.
    * testsuite/d-demangle-expected: Add testcase.

diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index 5590417..e98118e 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -1503,6 +1503,9 @@  dlang_parse_tuple (string *decl, const char *mangled)
   while (elements--)
     {
       mangled = dlang_type (decl, mangled);
+      if (mangled == NULL)
+	return NULL;
+
       if (elements != 0)
 	string_append (decl, ", ");
     }
diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected
index 0a5f9da..44a8d3b 100644
--- a/libiberty/testsuite/d-demangle-expected
+++ b/libiberty/testsuite/d-demangle-expected
@@ -1318,3 +1318,7 @@  _D5__T2fnVmA1A1A911111111D
 --format=dlang
 _D7__T2fnVlS8S588888888888S6S5
 _D7__T2fnVlS8S588888888888S6S5
+# Could crash
+--format=dlang
+_D1_B699999999961*
+_D1_B699999999961*
-- 
2.20.1