From patchwork Fri Jan 11 00:13:37 2019
X-Patchwork-Submitter: Ben L
X-Patchwork-Id: 1023278
From: Ben L
To: "gcc-patches@gcc.gnu.org"
Subject: [PATCH 01/10] libiberty: Fix an out of bounds read in d_expression_1()
Date: Fri, 11 Jan 2019 00:13:37 +0000

Hi all,

First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if there are obvious errors repeated in my patches. AFAICT I should be sending each change individually rather than as one bulk patch, so I'm sorry about the spam too.

All of these changes were found by fuzzing libiberty's demanglers over the past week, and I have at least one more that it's currently crashing out on but I haven't had time to look into why yet.

Obviously since this is my first time emailing I don't have write access to commit any of these, so if any are approved then I'd be grateful if you can commit them too.

Thanks,
Ben

---

Passing "_ZmmAtl" to cplus_demangle() causes it to read past the end of the input buffer. This is because cplus_demangle_type() may advance the current offset, so when control returns to d_expression_1() the current char may now be the last valid byte and hence we cannot peek at the next char. Fixed this by checking that the current char is still valid before checking that the next char is too.

	* cp-demangle.c (d_expression_1): Don't peek ahead unless the
	current char is valid.
	* testsuite/demangle-expected: Add testcase.

From dadc7d7812e0c42c4a7c8c1f0525c4a11e0bd229 Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Wed, 9 Jan 2019 21:50:59 +0000
Subject: [PATCH 01/10] libiberty: Fix an out of bounds read in d_expression_1().

diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
index 4624cd5..dddd8f6 100644
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -3353,7 +3353,7 @@ d_expression_1 (struct d_info *di)
           d_advance (di, 2);
           if (peek == 't')
             type = cplus_demangle_type (di);
-          if (!d_peek_next_char (di))
+          if (!d_peek_char (di) || !d_peek_next_char (di))
             return NULL;
           return d_make_comp (di, DEMANGLE_COMPONENT_INITIALIZER_LIST,
                               type, d_exprlist (di, 'E'));
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
index 3723b7a..328d51a 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -68,6 +68,10 @@ _$_H1R
 
 _Q8ccQ4M2e.
 _Q8ccQ4M2e.
+# Could crash
+
+_ZmmAtl
+_ZmmAtl
 #
 # demangler/80513 Test for bogus characters after __thunk_
 
-- 
2.20.1
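Review bot: the new `if (!d_peek_char (di) || !d_peek_next_char (di))` line fixes the read but carries no comment, and nothing near it says that the `cplus_demangle_type (di)` call on the line above may consume the rest of the input; a one-line comment such as `/* cplus_demangle_type may have reached the end of the input; don't peek past it.  */` above the `if` would keep the reasoning from the commit message next to the code that depends on it.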
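Review bot: the `# Could crash` comment on the new demangle-expected entry does not say what the input exercises; naming `d_expression_1` in it (e.g. `# Could crash: d_expression_1 peeking past the end of the input`) would let a future regression be tied back to this fix without the commit history. The blank options line and the expected output equal to the input follow the neighbouring entries, so the shape of the test itself is right.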
From: Ben L
To: "gcc-patches@gcc.gnu.org"
Subject: [PATCH 02/10] libiberty: Fix a crash in d_encoding()
Date: Fri, 11 Jan 2019 00:14:22 +0000

Passing "_ZZaSFvOEES_" to cplus_demangle() without the DMGL_PARAMS flag causes a crash due to d_right (dc) returning NULL inside d_encoding(). Check for this case and handle it as an error rather than crashing when trying to dereference the right side's type.

	* cp-demangle.c (d_encoding): Guard against NULL return values
	from d_right (dc).
	* testsuite/demangle-expected: Add testcase.

From 5102da933a72628e34b68402168e571b09c54581 Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Wed, 9 Jan 2019 22:05:16 +0000
Subject: [PATCH 02/10] libiberty: Fix a crash in d_encoding().

diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
index dddd8f6..02b5f9e 100644
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -1330,8 +1330,14 @@ d_encoding (struct d_info *di, int top_level)
          really apply here; this happens when parsing a class which
          is local to a function.  */
       if (dc->type == DEMANGLE_COMPONENT_LOCAL_NAME)
-       while (is_fnqual_component_type (d_right (dc)->type))
-         d_right (dc) = d_left (d_right (dc));
+       {
+         while (d_right (dc) != NULL
+                && is_fnqual_component_type (d_right (dc)->type))
+           d_right (dc) = d_left (d_right (dc));
+
+         if (d_right (dc) == NULL)
+           dc = NULL;
+       }
     }
   else
     {
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
index 328d51a..eb5264d 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -72,6 +72,11 @@ _Q8ccQ4M2e.
 
 _ZmmAtl
 _ZmmAtl
+# Could crash
+--no-params
+_ZZaSFvOEES_
+_ZZaSFvOEES_
+_ZZaSFvOEES_
 #
 # demangler/80513 Test for bogus characters after __thunk_
 
-- 
2.20.1
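Review bot: setting `dc = NULL` when `d_right (dc)` runs out makes this path fail the same way as the parser's other NULL-returning paths (compare the `return NULL` in d_expression_1 in patch 01), which is the right choice, but the new `if (d_right (dc) == NULL)` has no comment saying that a LOCAL_NAME whose right side consists only of function qualifiers is malformed input rather than something to recover from; a sentence there would also explain why the loop above it may rewrite `d_right (dc)` in place before the check fires.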
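Review bot: the commit message says the crash needs the DMGL_PARAMS flag to be absent, and the entry's `--no-params` options line is what exercises that, yet the comment only says `# Could crash`; `# Could crash without DMGL_PARAMS` would tie the option to the reason for the test. The two trailing expected-output lines are the with-params and no-params results that the `--no-params` form requires, so the entry's shape is correct.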
From: Ben L
To: "gcc-patches@gcc.gnu.org"
Subject: [PATCH 03/10] libiberty: Fix a crash in d_print_comp_inner()
Date: Fri, 11 Jan 2019 00:15:18 +0000

'typed_name' is checked before the loop, but not checked after every iteration. This can cause a crash if the input buffer is malformed, since 'typed_name' can be assigned NULL. To fix this, break out of the loop if we see it's NULL and handle that case afterwards.

	* cp-demangle (d_print_comp_inner): Guard against a NULL
	'typed_name'.
	* testsuite/demangle-expected: Add testcase.

From 3b36d9788fb9fe08ed9c83a57fb18bbfdc903543 Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Wed, 9 Jan 2019 22:13:26 +0000
Subject: [PATCH 03/10] libiberty: Fix a crash in d_print_comp_inner().

diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
index 02b5f9e..8ab0cd5 100644
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -4757,12 +4757,8 @@ d_print_comp_inner (struct d_print_info *dpi, int options,
         typed_name = d_right (typed_name);
         if (typed_name->type == DEMANGLE_COMPONENT_DEFAULT_ARG)
           typed_name = typed_name->u.s_unary_num.sub;
-        if (typed_name == NULL)
-          {
-            d_print_error (dpi);
-            return;
-          }
-        while (is_fnqual_component_type (typed_name->type))
+        while (typed_name != NULL
+               && is_fnqual_component_type (typed_name->type))
           {
             if (i >= sizeof adpm / sizeof adpm[0])
               {
@@ -4781,6 +4777,11 @@ d_print_comp_inner (struct d_print_info *dpi, int options,
 
             typed_name = d_left (typed_name);
           }
+        if (typed_name == NULL)
+          {
+            d_print_error (dpi);
+            return;
+          }
       }
 
     /* If typed_name is a template, then it applies to the
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
index eb5264d..f21ed00 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -77,6 +77,10 @@ _ZmmAtl
 _ZZaSFvOEES_
 _ZZaSFvOEES_
 _ZZaSFvOEES_
+# Could crash
+
+_ZZeqFvOEES_z
+_ZZeqFvOEES_z
 #
 # demangler/80513 Test for bogus characters after __thunk_
 
-- 
2.20.1
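Review bot: folding the NULL test into `while (typed_name != NULL && is_fnqual_component_type (typed_name->type))` covers `typed_name` becoming NULL from `typed_name->u.s_unary_num.sub` as well as from `d_left (typed_name)` inside the loop, but the `typed_name->type` dereference in the `DEMANGLE_COMPONENT_DEFAULT_ARG` test two lines above the loop still runs before any NULL check; if `d_right (typed_name)` can be NULL for malformed input that dereference is unprotected, and if it cannot, a comment saying so would stop the next reader from asking. The ChangeLog entry also names `cp-demangle` without its `.c` suffix.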
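Review bot: the `if (typed_name == NULL)` block moved below the loop is now the only NULL check on this path, so a short comment above it saying that it catches a NULL produced either before the loop (the DEFAULT_ARG substitution) or inside it (`d_left (typed_name)`) would document why the earlier check could be dropped and why this one has to sit after the loop rather than inside it.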
From: Ben L
To: "gcc-patches@gcc.gnu.org"
Subject: [PATCH 04/10] libiberty: Fix crash in ada_demangle()
Date: Fri, 11 Jan 2019 00:16:25 +0000

The output buffer is pre-allocated to a maximum size under the assumption that special names can only occur once; however, nothing was enforcing this for stream attributes. To fix this we treat stream attributes that appear before the end of the mangled input as an error.

	* cplus-dem.c (ada_demangle): Only accept stream attributes if
	they're at the end of the input.
	* testsuite/demangle-expected: Add testcase.

From c8dd053c841e9b04583ad6c6bf4550d30aa47990 Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Wed, 9 Jan 2019 22:18:14 +0000
Subject: [PATCH 04/10] libiberty: Fix crash in ada_demangle().

diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
index afceed2..245cf11 100644
--- a/libiberty/cplus-dem.c
+++ b/libiberty/cplus-dem.c
@@ -254,6 +254,8 @@ ada_demangle (const char *mangled, int option ATTRIBUTE_UNUSED)
   p = mangled;
   while (1)
     {
+      int stream = 0;
+
       /* An entity names is expected.  */
       if (ISLOWER (*p))
         {
@@ -363,6 +365,7 @@ ada_demangle (const char *mangled, int option ATTRIBUTE_UNUSED)
                 goto unknown;
             }
           p += 2;
+          stream = 1;
           strcpy (d, name);
           d += strlen (name);
         }
@@ -437,6 +440,10 @@ ada_demangle (const char *mangled, int option ATTRIBUTE_UNUSED)
           else
             goto unknown;
         }
+      else if (stream)
+        {
+          goto unknown;
+        }
       else
         {
           *d++ = '.';
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
index f21ed00..8b830b6 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -81,6 +81,10 @@ _ZZaSFvOEES_
 
 _ZZeqFvOEES_z
 _ZZeqFvOEES_z
+# Could crash
+--format=gnat
+lSO__lSO
+
 #
 # demangler/80513 Test for bogus characters after __thunk_
 
-- 
2.20.1
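Review bot: `int stream = 0;` at the top of the `while (1)` body is reset for every component, so the flag means "the component just parsed was a stream attribute"; that meaning, and why it matters (the output buffer is sized on the assumption that such an attribute appears at most once, per the commit message), should be stated in a comment next to the declaration so the size assumption and the code that enforces it live together.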
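Review bot: `stream = 1;` is set after `p += 2;` and before the `strcpy (d, name)` that appends the attribute text, which is the right spot, but nothing in this hunk bounds `d`, so the later `stream` check is the only thing keeping a second attribute from writing past the pre-allocated buffer; a comment at the `strcpy` saying the buffer has room for one attribute would warn whoever next adds a path to it.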
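Review bot: `else if (stream) { goto unknown; }` wraps a single statement in braces while the `else goto unknown;` two lines above does not; dropping the braces keeps the two branches in one style. The placement is right: the branch is taken before the `else` that emits the `.` separator for a further component, so a stream attribute followed by anything else is rejected, which is exactly the `lSO__lSO` case in the new test.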
From: Ben L
To: "gcc-patches@gcc.gnu.org"
Subject: [PATCH 05/10] libiberty: Fix stack underflow in dlang_parse_integer()
Date: Fri, 11 Jan 2019 00:17:15 +0000

A char array of size 10 was created on the stack to hold the decimal representation of a long, which on my platform is 64 bits and hence has a maximum value of 9223372036854775807, far exceeding 10 characters. Fix this by bumping the size of the array to 20 characters.

	* d-demangle.c (dlang_parse_integer): Fix stack underflow.
	* testsuite/d-demangle-expected: Add testcase.

From 56a6202c87543dbf0a15d99e4dcb01507bf70f57 Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Wed, 9 Jan 2019 22:24:19 +0000
Subject: [PATCH 05/10] libiberty: Fix stack underflow in dlang_parse_integer().

diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index 8acbf04..114d9e0 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -939,8 +939,8 @@ dlang_parse_integer (string *decl, const char *mangled, char type)
   if (type == 'a' || type == 'u' || type == 'w')
     {
       /* Parse character value.  */
-      char value[10];
-      int pos = 10;
+      char value[20];
+      int pos = sizeof(value);
       int width = 0;
       long val;
 
@@ -991,7 +991,7 @@ dlang_parse_integer (string *decl, const char *mangled, char type)
           for (; width > 0; width--)
             value[--pos] = '0';
 
-          string_appendn (decl, &(value[pos]), 10 - pos);
+          string_appendn (decl, &(value[pos]), sizeof(value) - pos);
         }
       string_append (decl, "'");
     }
diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected
index 547a2dd..9988238 100644
--- a/libiberty/testsuite/d-demangle-expected
+++ b/libiberty/testsuite/d-demangle-expected
@@ -1306,3 +1306,7 @@ rt.lifetime._d_newarrayOpT!(_d_newarrayiT)._d_newarrayOpT(const(TypeInfo), ulong --format=dlang _D4core8demangle16__T6mangleTFZPvZ6mangleFNaNbNfAxaAaZ11DotSplitter5emptyMxFNaNbNdNiNfZb core.demangle.mangle!(void*() function).mangle(const(char)[], char[]).DotSplitter.empty() const +# Could crash +--format=dlang +_D8__T2fnVa8888888888888_ +_D8__T2fnVa8888888888888_ -- 2.20.1
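Review bot: in the first hunk `pos` stays an `int` while it is now initialised from `sizeof(value)` (a `size_t`), and the second hunk passes `sizeof(value) - pos` to `string_appendn`; the mixed signedness is benign while `pos` stays within 0..20, but it draws a sign-conversion warning and hides the intent. Either declare `pos` as `size_t` or cast the length to whatever type `string_appendn` takes. Also, GNU style, which this file otherwise follows (`string_appendn (decl, ...)`), writes `sizeof (value)` with a space.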
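Review bot: the padding loop that survives in the second hunk, `for (; width > 0; width--) value[--pos] = '0';`, still decrements `pos` with no check that it is above zero, so the larger array only removes the underflow as long as `width` is bounded by whatever computes it above this hunk. Adding `pos > 0` to the loop condition (and failing the parse, or clamping, when the buffer is exhausted) would make the fix independent of that assumption rather than merely moving the threshold from 10 to 20.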
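Review bot: the new testsuite entry lists `_D8__T2fnVa8888888888888_` as both input and expected output, i.e. it asserts that the demangler rejects the name rather than that it prints a wide character value, which is fine but is not what `# Could crash` says. A comment stating what the entry guards (a character value too wide for the old 10-byte buffer in dlang_parse_integer) would keep it meaningful once the crash is history; the same goes for the other entries added by this series, which all carry the identical comment.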
From patchwork Fri Jan 11 00:17:52 2019
X-Patchwork-Id: 1023288

From: Ben L
To: "gcc-patches@gcc.gnu.org"
Subject: [PATCH 06/10] libiberty: Correctly handle error result in dlang_parse_arrayliteral()
Date: Fri, 11 Jan 2019 00:17:52 +0000

---

The number of elements was being taken as valid and for each one a separator was appended to the output, resulting in a huge memory bloat before crashing later on due to a signed integer overflow.

	* d-demangle.c (dlang_parse_arrayliteral): Correctly handle error result.
	* testsuite/d-demangle-expected: Add testcase.

From 8eca61f41b70891f4e2c456c4a12c06d3b4f3a3f Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Wed, 9 Jan 2019 22:33:27 +0000
Subject: [PATCH 06/10] libiberty: Correctly handle error result in dlang_parse_arrayliteral().

diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index 114d9e0..303d2ee 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -1191,6 +1191,9 @@ dlang_parse_arrayliteral (string *decl, const char *mangled) while (elements--) { mangled = dlang_value (decl, mangled, NULL, '\0'); + if (mangled == NULL) + return NULL; + if (elements != 0) string_append (decl, ", "); } diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected index 9988238..19665f5 100644 --- a/libiberty/testsuite/d-demangle-expected +++ b/libiberty/testsuite/d-demangle-expected 
@@ -1310,3 +1310,7 @@ core.demangle.mangle!(void*() function).mangle(const(char)[], char[]).DotSplitte --format=dlang _D8__T2fnVa8888888888888_ _D8__T2fnVa8888888888888_ +# Could crash +--format=dlang +_D5__T2fnVmA1A1A911111111D +_D5__T2fnVmA1A1A911111111D -- 2.20.1
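Review bot: returning as soon as `dlang_value` yields NULL is the right fix, since the next iteration would otherwise call `dlang_value` with `mangled == NULL` and, as the message says, `elements` separators would be appended first. The count is still trusted until the first element fails, though; every element needs at least one character of input, so rejecting `elements` larger than the remaining length of `mangled` before the loop would stop an absurd count from doing any appending at all, and that check belongs in one shared place rather than in each of the four loops this series touches.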
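Review bot: `_D5__T2fnVmA1A1A911111111D` is again expected back unchanged, so the testsuite entry checks that the oversized element count is rejected, which is what we want; since the `# Could crash` comment is repeated verbatim from the entry above, naming the function (`dlang_parse_arrayliteral`) and the failure mode in the comment would let a future regression be mapped to its cause without bisecting.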
From patchwork Fri Jan 11 00:18:27 2019
X-Patchwork-Id: 1023289

From: Ben L
To: "gcc-patches@gcc.gnu.org"
Subject: [PATCH 07/10] libiberty: Correctly handle error result in dlang_parse_structlit()
Date: Fri, 11 Jan 2019 00:18:27 +0000

---

The number of elements was being taken as valid and for each one a separator was appended to the output, resulting in a huge memory bloat before crashing later on due to a signed integer overflow.

	* d-demangle.c (dlang_parse_structlit): Correctly handle error result.
	* testsuite/d-demangle-expected: Add testcase.

From 4911e6f481472b732277cc9b2136b0846474bb4a Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Wed, 9 Jan 2019 22:37:41 +0000
Subject: [PATCH 07/10] libiberty: Correctly handle error result in dlang_parse_structlit().

diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index 303d2ee..5590417 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -1246,6 +1246,9 @@ dlang_parse_structlit (string *decl, const char *mangled, const char *name) while (args--) { mangled = dlang_value (decl, mangled, NULL, '\0'); + if (mangled == NULL) + return NULL; + if (args != 0) string_append (decl, ", "); } diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected index 19665f5..0a5f9da 100644 --- a/libiberty/testsuite/d-demangle-expected +++ b/libiberty/testsuite/d-demangle-expected 
@@ -1314,3 +1314,7 @@ _D8__T2fnVa8888888888888_ --format=dlang _D5__T2fnVmA1A1A911111111D _D5__T2fnVmA1A1A911111111D +# Could crash +--format=dlang +_D7__T2fnVlS8S588888888888S6S5 +_D7__T2fnVlS8S588888888888S6S5 -- 2.20.1
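Review bot: same shape as the arrayliteral hunk and correct for the same reason, but note what the check actually prevents: after `dlang_value` fails, `mangled` is NULL, and without the early return the loop's next `dlang_value (decl, mangled, NULL, '\0')` would be handed that NULL pointer. That makes the check a NULL-dereference fix as well as the memory-bloat fix the message describes, and the commit message could say so.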
From patchwork Fri Jan 11 00:18:57 2019
X-Patchwork-Id: 1023290

From: Ben L
To: "gcc-patches@gcc.gnu.org"
Subject: [PATCH 08/10] libiberty: Correctly handle error result in dlang_parse_tuple()
Date: Fri, 11 Jan 2019 00:18:57 +0000

---

The number of elements was being taken as valid and for each one a separator was appended to the output, resulting in a huge memory bloat before crashing later on due to a signed integer overflow.

	* d-demangle.c (dlang_parse_tuple): Correctly handle error result.
	* testsuite/d-demangle-expected: Add testcase.

From 7491ea105fd8d1d7887884594d30486ecf2cac08 Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Wed, 9 Jan 2019 22:40:48 +0000
Subject: [PATCH 08/10] libiberty: Correctly handle error result in dlang_parse_tuple().

diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index 5590417..e98118e 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -1503,6 +1503,9 @@ dlang_parse_tuple (string *decl, const char *mangled) while (elements--) { mangled = dlang_type (decl, mangled); + if (mangled == NULL) + return NULL; + if (elements != 0) string_append (decl, ", "); } diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected index 0a5f9da..44a8d3b 100644 --- a/libiberty/testsuite/d-demangle-expected +++ b/libiberty/testsuite/d-demangle-expected 
@@ -1318,3 +1318,7 @@ _D5__T2fnVmA1A1A911111111D --format=dlang _D7__T2fnVlS8S588888888888S6S5 _D7__T2fnVlS8S588888888888S6S5 +# Could crash +--format=dlang +_D1_B699999999961* +_D1_B699999999961* -- 2.20.1
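Review bot: this is the type-level twin of the value loops in 06/07 (`dlang_type` in place of `dlang_value`) and needs the same check. One consequence worth confirming: the `", "` separators are written into `decl` as the loop goes, so a count that only fails on the last iteration returns NULL with partial output already in `decl`; that is only safe if every caller discards the buffer on NULL, which is worth verifying once for all four call sites rather than assuming.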
From patchwork Fri Jan 11 00:19:19 2019
X-Patchwork-Id: 1023291

From: Ben L
To: "gcc-patches@gcc.gnu.org"
Subject: [PATCH 09/10] libiberty: Correctly handle error result in dlang_parse_assocarray()
Date: Fri, 11 Jan 2019 00:19:19 +0000

---

The number of elements was being taken as valid and for each one a separator was appended to the output, resulting in a huge memory bloat before crashing later on due to a signed integer overflow.

	* d-demangle.c (dlang_parse_assocarray): Correctly handle error result.
	* testsuite/d-demangle-expected: Add testcase.

From f3dd4107d4bd59b7f3370b17b25c9fd35d499ea3 Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Wed, 9 Jan 2019 22:46:30 +0000
Subject: [PATCH 09/10] libiberty: Correctly handle error result in dlang_parse_assocarray().

diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index e98118e..becc402 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -1217,8 +1217,13 @@ dlang_parse_assocarray (string *decl, const char *mangled) while (elements--) { mangled = dlang_value (decl, mangled, NULL, '\0'); + if (mangled == NULL) + return NULL; + string_append (decl, ":"); mangled = dlang_value (decl, mangled, NULL, '\0'); + if (mangled == NULL) + return NULL; if (elements != 0) string_append (decl, ", "); diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected index 44a8d3b..490d4e1 100644 --- a/libiberty/testsuite/d-demangle-expected +++ b/libiberty/testsuite/d-demangle-expected 
@@ -1322,3 +1322,7 @@ _D7__T2fnVlS8S588888888888S6S5 --format=dlang _D1_B699999999961* _D1_B699999999961* +# Could crash +--format=dlang +_D5__T1fVHacA6666666666_ +_D5__T1fVHacA6666666666_ -- 2.20.1
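Review bot: the two new checks are formatted inconsistently: the first `return NULL;` is followed by a blank line, the second runs straight into `if (elements != 0)`; pick one. Substantively the ordering is right, since a failed key parse returns before the `":"` is appended, but note that each iteration consumes two values here, so if a pre-loop sanity bound on `elements` is ever added it should be checked against half the remaining input, not all of it.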
From patchwork Fri Jan 11 00:20:09 2019
X-Patchwork-Id: 1023299

From: Ben L
To: "gcc-patches@gcc.gnu.org"
Subject: [PATCH 10/10] libiberty: Correct an invalid assumption
Date: Fri, 11 Jan 2019 00:20:09 +0000

---

As a counterexample: 8888888888888888888 * 10 = -3344831479658869200, which is valid for 64-bit longs, and evidently divisible by 10. Also safely check that adding the digit won't cause an overflow too. No testcase provided since one of the previous testcases flagged this issue up.

	* d-demangle.c: Include if available.
	(LONG_MAX): Define if necessary.
	(dlang_number): Fix overflow.

From 6dc14e124c4a48928046403faca37504229b13c4 Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Wed, 9 Jan 2019 22:57:08 +0000
Subject: [PATCH 10/10] libiberty: Correct an invalid assumption.

diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index becc402..4ffcdd1 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -42,6 +42,13 @@ If not, see . */ #include #endif +#ifdef HAVE_LIMITS_H +#include +#endif +#ifndef LONG_MAX +# define LONG_MAX (long)(((unsigned long) ~0) >> 1) +#endif + #include #include "libiberty.h" @@ -206,15 +213,18 @@ dlang_number (const char *mangled, long *ret) while (ISDIGIT (*mangled)) { + long digit = mangled[0] - '0'; + mangled++; + + if (*ret > LONG_MAX / 10) + return NULL; + (*ret) *= 10; - /* If an overflow occured when multiplying by ten, the result - will not be a multiple of ten. */ - if ((*ret % 10) != 0) + if (LONG_MAX - digit < *ret) return NULL; - (*ret) += mangled[0] - '0'; - mangled++; + (*ret) += digit; } if (*mangled == '\0' || *ret < 0) -- 2.20.1
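Review bot: the fallback `# define LONG_MAX (long)(((unsigned long) ~0) >> 1)` is right for every two's-complement host, but nothing says why it exists; a one-line comment above the `#ifndef LONG_MAX` block (`/* For hosts without <limits.h>. */`) would explain the `HAVE_LIMITS_H` guard to the next reader. Also worth checking whether libiberty's other demanglers already carry an equivalent definition that could be shared instead of adding a private one here.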
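Review bot: the pre-multiplication test `*ret > LONG_MAX / 10` followed by `LONG_MAX - digit < *ret` is the correct way to detect overflow before it happens. The commit message understates the old bug: `(*ret % 10) != 0` after the multiply was not just wrong for values like 8888888888888888888, it depended on signed overflow, which is undefined behaviour in C, so GCC at -O2 is entitled to assume `*ret * 10` cannot wrap and drop the check altogether; saying that in the message records that this also closes a miscompilation hazard. Both new checks assume `*ret` is non-negative when the loop starts, so confirm the initialisation above the hunk guarantees that; the surviving `*ret < 0` test in the trailing `if` then can no longer fire from this loop, which is fine as a defensive check but deserves a comment so nobody later removes the new tests thinking it covers them.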
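The overflow check in patch 10 and the buffer-sizing fix in patch 05 are two halves of the same problem: decimal text to `long` and back, without trusting the input's length. The block below is an added example written for this page, not libiberty's code or the patch author's; `parse_decimal_checked`, `old_check_detects_overflow`, `format_long_bounded` and `LONG_DEC_BUFSIZE` are this example's own names. The parser follows the shape of the fixed `dlang_number` (check, then multiply; check, then add); the second function reproduces, with well-defined unsigned wraparound, why the removed `% 10` test misses the 8888888888888888888 case from the commit message; the formatter fills a buffer right to left the way `dlang_parse_integer` does but refuses to step below index 0 instead of relying on the buffer being big enough. It assumes a two's-complement host, which is what the `(long)` reinterpretation relies on.

```c
/* Added example (not libiberty code): overflow-checked decimal parsing and
   bounds-checked decimal formatting.  Assumes a two's-complement host. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parse a run of ASCII digits into *ret without ever overflowing a long.
   Returns the pointer just past the digits, or NULL if there was no digit
   or the value would exceed LONG_MAX.  Both checks happen before the
   arithmetic, so no signed overflow (undefined behaviour) is ever executed. */
const char *parse_decimal_checked (const char *s, long *ret)
{
  long value = 0;
  if (*s < '0' || *s > '9')
    return NULL;
  while (*s >= '0' && *s <= '9')
    {
      long digit = *s++ - '0';
      if (value > LONG_MAX / 10)
        return NULL;          /* value * 10 would exceed LONG_MAX */
      value *= 10;
      if (LONG_MAX - digit < value)
        return NULL;          /* value + digit would exceed LONG_MAX */
      value += digit;
    }
  *ret = value;
  return s;
}

/* The test the patch removes ("is the product still a multiple of 10?")
   applied to VALUE.  The product is computed with unsigned wraparound, which
   is well defined, then reinterpreted as long: the bit pattern a wrapped
   signed multiply would leave behind.  Returns 1 if the old test would have
   noticed the overflow, 0 if the overflow slips through. */
int old_check_detects_overflow (long value)
{
  unsigned long wrapped = (unsigned long) value * 10UL;
  long as_signed = (long) wrapped;   /* implementation-defined; two's complement assumed */
  return (as_signed % 10) != 0;
}

/* Bytes needed for any long in decimal: sign, one digit per three bits
   (rounded up, a slight over-allocation), and the terminating NUL.
   For a 64-bit long this is 24, above the 20 the patch chose. */
#define LONG_DEC_BUFSIZE (1 + (sizeof (long) * CHAR_BIT + 2) / 3 + 1)

/* Format VAL in decimal into BUF (capacity BUFSIZE), filling right to left
   like dlang_parse_integer but never stepping below index 0.  The result is
   moved to the front of BUF as a NUL-terminated string.  Returns the number
   of characters written (excluding NUL), or 0 if BUF was too small. */
size_t format_long_bounded (long val, char *buf, size_t bufsize)
{
  size_t pos = bufsize;
  size_t len;
  unsigned long mag;
  int neg = val < 0;

  if (bufsize == 0)
    return 0;
  buf[--pos] = '\0';
  /* Negate in unsigned arithmetic so LONG_MIN does not overflow.  */
  mag = neg ? 0UL - (unsigned long) val : (unsigned long) val;
  do
    {
      if (pos == 0)
        return 0;             /* out of room: fail instead of underflowing */
      buf[--pos] = (char) ('0' + mag % 10);
      mag /= 10;
    }
  while (mag != 0);
  if (neg)
    {
      if (pos == 0)
        return 0;
      buf[--pos] = '-';
    }
  len = bufsize - 1 - pos;
  memmove (buf, buf + pos, len + 1);
  return len;
}

int main (void)
{
  char buf[LONG_DEC_BUFSIZE];
  long v;
  const char *rest = parse_decimal_checked ("9223372036854775808", &v);
  printf ("parse LONG_MAX+1 -> %s\n", rest ? "accepted" : "rejected");
  printf ("old check flags 8888888888888888888*10: %d\n",
          old_check_detects_overflow (8888888888888888888L));
  format_long_bounded (LONG_MIN, buf, sizeof buf);
  printf ("LONG_MIN -> %s\n", buf);
  return 0;
}
```

The two failure modes the series fixes show up as return values here rather than as crashes: a count or literal that does not fit is reported as NULL or 0 to the caller, which is the contract `dlang_number` and the element loops now follow.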