re PR c++/70926 (Libiberty Demangler segfaults (5))

PR c++/70926 * cplus-dem.c: Handle large values and overflow when demangling length variables. (demangle_template_value_parm): Read only until end of mangled string. (do_hpacc_template_literal): Likewise. (do_type): Handle overflow when demangling array indices. From-SVN: r238313

re PR c++/70926 (Libiberty Demangler segfaults (5))
PR c++/70926 * cplus-dem.c: Handle large values and overflow when demangling length variables. (demangle_template_value_parm): Read only until end of mangled string. (do_hpacc_template_literal): Likewise. (do_type): Handle overflow when demangling array indices. From-SVN: r238313
03ef0c6c · Marcel Böhme · Jeff Law · 0d355cf9 · 03ef0c6c · 03ef0c6c
Commit 03ef0c6c authored 8 years ago by Marcel Böhme Committed by Jeff Law 8 years ago
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 4 deletions

libiberty/ChangeLog
+9 -0

libiberty/cplus-dem.c
+6 -4

libiberty/testsuite/demangle-expected
+13 -0

No files found.
--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
+2016-07-13  Marcel BÃhme  <boehme.marcel@gmail.com>
+
+	PR c++/70926
+	* cplus-dem.c: Handle large values and overflow when demangling
+	length variables.
+	(demangle_template_value_parm): Read only until end of mangled string.
+	(do_hpacc_template_literal): Likewise.
+	(do_type): Handle overflow when demangling array indices.
+
 2016-06-12  Brooks Moses  <bmoses@google.com>

 	* cp-demangle.c (cplus_demangle_print_callback): Avoid zero-length

--- a/libiberty/cplus-dem.c
+++ b/libiberty/cplus-dem.c
@@ -2053,7 +2053,8 @@ demangle_template_value_parm (struct work_stuff *work, const char **mangled,
      else
 	{
 	  int symbol_len  = consume_count (mangled);
-	  if (symbol_len == -1)
+	  if (symbol_len == -1
+	      || symbol_len > (long) strlen (*mangled))
 	    return -1;
 	  if (symbol_len == 0)
 	    string_appendn (s, "0", 1);
@@ -3621,7 +3622,7 @@ do_type (struct work_stuff *work, const char **mangled, string *result)
 	/* A back reference to a previously seen type */
 	case 'T':
 	  (*mangled)++;
-	  if (!get_count (mangled, &n) || n >= work -> ntypes)
+	  if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes)
 	    {
 	      success = 0;
 	    }
@@ -3798,7 +3799,7 @@ do_type (struct work_stuff *work, const char **mangled, string *result)
    /* A back reference to a previously seen squangled type */
    case 'B':
      (*mangled)++;
-      if (!get_count (mangled, &n) || n >= work -> numb)
+      if (!get_count (mangled, &n) || n < 0 || n >= work -> numb)
 	success = 0;
      else
 	string_append (result, work->btypevec[n]);
@@ -4139,7 +4140,8 @@ do_hpacc_template_literal (struct work_stuff *work, const char **mangled,

  literal_len = consume_count (mangled);

-  if (literal_len <= 0)
+  if (literal_len <= 0
+      || literal_len > (long) strlen (*mangled))
    return 0;

  /* Literal parameters are names of arrays, functions, etc.  and the

--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -4556,3 +4556,16 @@ __vt_90000000000cafebabe

 _Z80800000000000000000000
 _Z80800000000000000000000
+#
+# Tests write access violation PR70926
+
+0__Ot2m02R5T0000500000
+0__Ot2m02R5T0000500000
+#
+
+0__GT50000000000_
+0__GT50000000000_
+#
+
+__t2m05B500000000000000000_
+__t2m05B500000000000000000_