authorMark Wielaard <mark@klomp.org>2017-04-21 09:02:03 +0000
committerMark Wielaard <mark@gcc.gnu.org>2017-04-21 09:02:03 +0000
commit6b086d35b79425de90a09c8bd843170a038fbde8 (patch)
tree8229f4b0678829d2f4ee36ac3f394bc4b2c195cb /libiberty
parent13b6ef76dc275232310ebfca27db08aeef9b858c (diff)
libiberty: Limit demangler maximum d_print_comp recursion call depth.
The fix for PR demangler/70909 and 67264 (endless demangler recursion) catches when a demangle_component is printed in a cycle. But that doesn't protect the call stack from blowing up when non-cyclic nested types are printed recursively through d_print_comp. This can happen by a (very) long mangled string that simply creates a very deep pointer or qualifier chain. Limit the recursive d_print_comp call depth for a d_print_info to 1K nested types. libiberty/ChangeLog: * cp-demangle.c (MAX_RECURSION_COUNT): New constant. (struct d_print_info): Add recursion field. (d_print_init): Initialize recursion. (d_print_comp): Check and update d_print_info recursion depth. From-SVN: r247056
Diffstat (limited to 'libiberty')
-rw-r--r--libiberty/ChangeLog7
-rw-r--r--libiberty/cp-demangle.c15
2 files changed, 19 insertions, 3 deletions
diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
index 673eb264301..34e585eacaa 100644
--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
@@ -1,5 +1,12 @@
2017-04-21 Mark Wielaard <mark@klomp.org>
+ * cp-demangle.c (MAX_RECURSION_COUNT): New constant.
+ (struct d_print_info): Add recursion field.
+ (d_print_init): Initialize recursion.
+ (d_print_comp): Check and update d_print_info recursion depth.
+
+2017-04-21 Mark Wielaard <mark@klomp.org>
+
* cp-demangle.c (d_substitution): Return NULL if d_add_substitution
fails.
diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
index aeff7a79d74..e1db9005e15 100644
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -319,6 +319,9 @@ struct d_info_checkpoint
int expansion;
};
+/* Maximum number of times d_print_comp may be called recursively. */
+#define MAX_RECURSION_COUNT 1024
+
enum { D_PRINT_BUFFER_LENGTH = 256 };
struct d_print_info
{
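Review bot: The comment on `MAX_RECURSION_COUNT` describes a call count, but the counter it bounds is decremented on return (the `dpi->recursion--` hunk), so it is a nesting depth; the `recursion` field comment in `struct d_print_info` has the same wording. I would say so and state the reason for the limit, e.g. `/* Maximum nesting depth of active d_print_comp calls. Deeper input is reported as a demangling failure so that a long mangled name cannot exhaust the stack. */`. Whether 1024 levels is safe depends on the stack used per level and on the caller's stack limit, neither of which is visible here, so the comment should also record how the value was chosen. As a style point, the next line defines `D_PRINT_BUFFER_LENGTH` as an enum constant, and this limit could take the same form.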
@@ -341,6 +344,9 @@ struct d_print_info
struct d_print_mod *modifiers;
/* Set to 1 if we saw a demangling error. */
int demangle_failure;
+ /* Number of times d_print_comp was recursively called. Should not
+ be bigger than MAX_RECURSION_COUNT. */
+ int recursion;
/* Non-zero if we're printing a lambda argument. A template
parameter reference actually means 'auto'. */
int is_lambda_arg;
@@ -4151,6 +4157,7 @@ d_print_init (struct d_print_info *dpi, demangle_callbackref callback,
dpi->opaque = opaque;
dpi->demangle_failure = 0;
+ dpi->recursion = 0;
dpi->is_lambda_arg = 0;
dpi->component_stack = NULL;
@@ -5685,13 +5692,14 @@ d_print_comp (struct d_print_info *dpi, int options,
struct demangle_component *dc)
{
struct d_component_stack self;
- if (dc == NULL || dc->d_printing > 1)
+ if (dc == NULL || dc->d_printing > 1 || dpi->recursion > MAX_RECURSION_COUNT)
{
d_print_error (dpi);
return;
}
- else
- dc->d_printing++;
+
+ dc->d_printing++;
+ dpi->recursion++;
self.dc = dc;
self.parent = dpi->component_stack;
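Review bot: The new test `dpi->recursion > MAX_RECURSION_COUNT` runs before `dpi->recursion++`, so a call entered with the counter at 1024 is still accepted and the counter reaches 1025, which contradicts the field comment saying it should not be bigger than MAX_RECURSION_COUNT. Using `dpi->recursion >= MAX_RECURSION_COUNT` makes the code match the documented bound. The diffstat lists only ChangeLog and cp-demangle.c, so no demangler test pins this boundary; a case just under the limit and one just over it would keep it from regressing. The body of d_print_comp continues past the end of this hunk.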
@@ -5701,6 +5709,7 @@ d_print_comp (struct d_print_info *dpi, int options,
dpi->component_stack = self.parent;
dc->d_printing--;
+ dpi->recursion--;
}
/* Print a Java dentifier. For Java we try to handle encoded extended