Message ID | CY4PR22MB0102C99441E5EE842E81C7F6E7850@CY4PR22MB0102.namprd22.prod.outlook.com |
---|---|
State | New |
Series | [01/10] libiberty: Fix an out of bounds read in d_expression_1() |
On 1/10/19 5:18 PM, Ben L wrote:
> Hi all,
>
> First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
> there's obvious errors repeated in my patches. AFAICT I should be sending each
> change individually rather than as one bulk patch, so I'm sorry about the spam
> too.
>
> All of these changes were found by fuzzing libiberty's demanglers over the
> past week, and I have at least one more that it's currently crashing out on
> but I haven't had time to look into why yet.
>
> Obviously since this is my first time emailing I don't have write access to
> commit any of these, so if any are approved then I'd be grateful if you can
> commit them too.
>
> Thanks,
> Ben
>
> --
>
> The number of elements were being taken as valid and for each one a separator
> was appended to the output, resulting in a huge memory bloat before crashing
> later on due to a signed integer overflow.
>
> * d-demangle.c (dlang_parse_tuple): Correctly handle error result.
> * testsuite/d-demangle-expected: Add testcase.
>

Thanks. I've installed this on the trunk.

jeff
From 7491ea105fd8d1d7887884594d30486ecf2cac08 Mon Sep 17 00:00:00 2001 From: bobsayshilol <bobsayshilol@live.co.uk> Date: Wed, 9 Jan 2019 22:40:48 +0000 Subject: [PATCH 08/10] libiberty: Correctly handle error result in dlang_parse_tuple(). The number of elements were being taken as valid and for each one a separator was appended to the output, resulting in a huge memory bloat before crashing later on due to a signed integer overflow. * d-demangle.c (dlang_parse_tuple): Correctly handle error result. * testsuite/d-demangle-expected: Add testcase. diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c index 5590417..e98118e 100644 --- a/libiberty/d-demangle.c +++ b/libiberty/d-demangle.c @@ -1503,6 +1503,9 @@ dlang_parse_tuple (string *decl, const char *mangled) while (elements--) { mangled = dlang_type (decl, mangled); + if (mangled == NULL) + return NULL; + if (elements != 0) string_append (decl, ", "); } diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected index 0a5f9da..44a8d3b 100644 --- a/libiberty/testsuite/d-demangle-expected +++ b/libiberty/testsuite/d-demangle-expected @@ -1318,3 +1318,7 @@ _D5__T2fnVmA1A1A911111111D --format=dlang _D7__T2fnVlS8S588888888888S6S5 _D7__T2fnVlS8S588888888888S6S5 +# Could crash +--format=dlang +_D1_B699999999961* +_D1_B699999999961* -- 2.20.1
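Review bot: in the dlang_parse_tuple hunk of d-demangle.c, the new `if (mangled == NULL) return NULL;` stops the loop at the first failed dlang_type call, but `elements` is still used as the loop count with no validation in the visible lines. Termination therefore depends on every successful dlang_type call advancing `mangled`; a short comment above the check stating that, or an explicit sanity check of `elements` against the remaining input length, would make the bound visible to the next reader. The early return also leaves anything already appended to `decl` by earlier iterations (types and ", " separators) in place, so it is worth confirming that callers discard `decl` when NULL comes back.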
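Review bot: in the d-demangle-expected hunk, the comment `# Could crash` does not say what the case exercises. Naming the function and failure mode from the commit message (dlang_parse_tuple, an element count taken as valid, memory bloat followed by a signed integer overflow) would let someone reading the expected file later tell this entry apart from its neighbours. The expected output is identical to the input `_D1_B699999999961*`, matching the shape of the `_D7__T2fnVlS8S588888888888S6S5` entry just above it; a word in the comment that the symbol is expected to be rejected rather than demangled would remove the guesswork.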