git
/
gcc
mirror of git://gcc.gnu.org/git/gcc.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

re PR c++/70926 (Libiberty Demangler segfaults (5)) 

PR c++/70926
	* cplus-dem.c: Handle large values and overflow when demangling
	length variables.
	(demangle_template_value_parm): Read only until end of mangled string.
	(do_hpacc_template_literal): Likewise.
	(do_type): Handle overflow when demangling array indices.

From-SVN: r238313
This commit is contained in:
Marcel Böhme 2016-07-13 16:06:09 -06:00 committed by Jeff Law
parent 0d355cf973
commit 03ef0c6c55
3 changed files with 28 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libiberty/ChangeLog
View File

@ -1,3 +1,12 @@
2016-07-13 Marcel BÃhme <boehme.marcel@gmail.com>
PR c++/70926
* cplus-dem.c: Handle large values and overflow when demangling
length variables.
(demangle_template_value_parm): Read only until end of mangled string.
(do_hpacc_template_literal): Likewise.
(do_type): Handle overflow when demangling array indices.
2016-06-12 Brooks Moses <bmoses@google.com> 2016-06-12 Brooks Moses <bmoses@google.com>
* cp-demangle.c (cplus_demangle_print_callback): Avoid zero-length * cp-demangle.c (cplus_demangle_print_callback): Avoid zero-length

10
libiberty/cplus-dem.c
View File

@ -2053,7 +2053,8 @@ demangle_template_value_parm (struct work_stuff *work, const char **mangled,
else else
{ {
int symbol_len = consume_count (mangled); int symbol_len = consume_count (mangled);
if (symbol_len == -1) if (symbol_len == -1
|| symbol_len > (long) strlen (*mangled))
return -1; return -1;
if (symbol_len == 0) if (symbol_len == 0)
string_appendn (s, "0", 1); string_appendn (s, "0", 1);
@ -3621,7 +3622,7 @@ do_type (struct work_stuff *work, const char **mangled, string *result)
/* A back reference to a previously seen type */ /* A back reference to a previously seen type */
case 'T': case 'T':
(*mangled)++; (*mangled)++;
if (!get_count (mangled, &n) || n >= work -> ntypes) if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes)
{ {
success = 0; success = 0;
} }
@ -3798,7 +3799,7 @@ do_type (struct work_stuff *work, const char **mangled, string *result)
/* A back reference to a previously seen squangled type */ /* A back reference to a previously seen squangled type */
case 'B': case 'B':
(*mangled)++; (*mangled)++;
if (!get_count (mangled, &n) || n >= work -> numb) if (!get_count (mangled, &n) || n < 0 || n >= work -> numb)
success = 0; success = 0;
else else
string_append (result, work->btypevec[n]); string_append (result, work->btypevec[n]);
@ -4139,7 +4140,8 @@ do_hpacc_template_literal (struct work_stuff *work, const char **mangled,
literal_len = consume_count (mangled); literal_len = consume_count (mangled);
if (literal_len <= 0) if (literal_len <= 0
|| literal_len > (long) strlen (*mangled))
return 0; return 0;
/* Literal parameters are names of arrays, functions, etc. and the /* Literal parameters are names of arrays, functions, etc. and the

13
libiberty/testsuite/demangle-expected
View File

@ -4556,3 +4556,16 @@ __vt_90000000000cafebabe
_Z80800000000000000000000 _Z80800000000000000000000
_Z80800000000000000000000 _Z80800000000000000000000
#
# Tests write access violation PR70926
0__Ot2m02R5T0000500000
0__Ot2m02R5T0000500000
#
0__GT50000000000_
0__GT50000000000_
#
__t2m05B500000000000000000_
__t2m05B500000000000000000_