libiberty: demangler crash with missing :? or fold expression component.

When constructing an :? or fold expression that requires a third
expression only the first and second were explicitly checked to
not be NULL. Since the third expression is also required in these
constructs it needs to be explicitly checked and rejected when missing.
Otherwise the demangler will crash once it tries to d_print the
NULL component. Added two examples to demangle-expected of strings
that would crash before this fix.

Found by American Fuzzy Lop (afl) fuzzer.

From-SVN: r242451

libiberty/ChangeLog

+2016-11-15  Mark Wielaard  <mark@klomp.org>
+
+	* cp-demangle.c (d_expression_1): Make sure third expression
+	exists for ?: and fold expressions.
+	* testsuite/demangle-expected: Add examples of strings that could
+	crash the demangler because of missing expression.
+
 2016-11-14  Mark Wielaard  <mark@klomp.org>
 
 	* cplus-dem.c (demangle_signature): After 'H', template function,

libiberty/cp-demangle.c

@@ -3415,6 +3415,8 @@ d_expression_1 (struct d_info *di)
 		first = d_expression_1 (di);
 		second = d_expression_1 (di);
 		third = d_expression_1 (di);
+		if (third == NULL)
+		  return NULL;
 	      }
 	    else if (code[0] == 'f')
 	      {
@@ -3422,6 +3424,8 @@ d_expression_1 (struct d_info *di)
 		first = d_operator_name (di);
 		second = d_expression_1 (di);
 		third = d_expression_1 (di);
+		if (third == NULL)
+		  return NULL;
 	      }
 	    else if (code[0] == 'n')
 	      {

libiberty/testsuite/demangle-expected

@@ -4626,3 +4626,11 @@ _$_H1R
 # Could crash
 _Q8ccQ4M2e.
 _Q8ccQ4M2e.
+
+# fold-expression with missing third component could crash.
+_Z12binary_rightIJLi1ELi2ELi3EEEv1AIXfRplT_LiEEE
+_Z12binary_rightIJLi1ELi2ELi3EEEv1AIXfRplT_LiEEE
+
+# ?: expression with missing third component could crash.
+AquT_quT_4mxautouT_4mxxx
+AquT_quT_4mxautouT_4mxxx