diff options
author | Marcel Böhme <boehme.marcel@gmail.com> | 2016-07-13 16:06:09 -0600 |
---|---|---|
committer | Jeff Law <law@gcc.gnu.org> | 2016-07-13 16:06:09 -0600 |
commit | 03ef0c6c55ab81002abef62cec430d0496c3a01c (patch) | |
tree | b3334406be855b82bcea51ddd6f1f9d92224b0b4 /libiberty | |
parent | 0d355cf973a80a3d15132ceabd55f6510f729d88 (diff) | |
download | gcc-03ef0c6c55ab81002abef62cec430d0496c3a01c.tar.gz |
re PR c++/70926 (Libiberty Demangler segfaults (5))
PR c++/70926
* cplus-dem.c: Handle large values and overflow when demangling
length variables.
(demangle_template_value_parm): Read only until end of mangled string.
(do_hpacc_template_literal): Likewise.
(do_type): Handle overflow when demangling array indices.
From-SVN: r238313
Diffstat (limited to 'libiberty')
-rw-r--r-- | libiberty/ChangeLog | 9 | ||||
-rw-r--r-- | libiberty/cplus-dem.c | 10 | ||||
-rw-r--r-- | libiberty/testsuite/demangle-expected | 13 |
3 files changed, 28 insertions, 4 deletions
diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog index 45b312bed5c..317bd63c054 100644 --- a/libiberty/ChangeLog +++ b/libiberty/ChangeLog @@ -1,3 +1,12 @@ +2016-07-13 Marcel BÃhme <boehme.marcel@gmail.com> + + PR c++/70926 + * cplus-dem.c: Handle large values and overflow when demangling + length variables. + (demangle_template_value_parm): Read only until end of mangled string. + (do_hpacc_template_literal): Likewise. + (do_type): Handle overflow when demangling array indices. + 2016-06-12 Brooks Moses <bmoses@google.com> * cp-demangle.c (cplus_demangle_print_callback): Avoid zero-length diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c index d04c32a904a..3ee2df1c56a 100644 --- a/libiberty/cplus-dem.c +++ b/libiberty/cplus-dem.c @@ -2053,7 +2053,8 @@ demangle_template_value_parm (struct work_stuff *work, const char **mangled, else { int symbol_len = consume_count (mangled); - if (symbol_len == -1) + if (symbol_len == -1 + || symbol_len > (long) strlen (*mangled)) return -1; if (symbol_len == 0) string_appendn (s, "0", 1); @@ -3621,7 +3622,7 @@ do_type (struct work_stuff *work, const char **mangled, string *result) /* A back reference to a previously seen type */ case 'T': (*mangled)++; - if (!get_count (mangled, &n) || n >= work -> ntypes) + if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes) { success = 0; } @@ -3798,7 +3799,7 @@ do_type (struct work_stuff *work, const char **mangled, string *result) /* A back reference to a previously seen squangled type */ case 'B': (*mangled)++; - if (!get_count (mangled, &n) || n >= work -> numb) + if (!get_count (mangled, &n) || n < 0 || n >= work -> numb) success = 0; else string_append (result, work->btypevec[n]); @@ -4139,7 +4140,8 @@ do_hpacc_template_literal (struct work_stuff *work, const char **mangled, literal_len = consume_count (mangled); - if (literal_len <= 0) + if (literal_len <= 0 + || literal_len > (long) strlen (*mangled)) return 0; /* Literal parameters are names of arrays, functions, etc. and the diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected index 62ab18ca37d..1d959528b97 100644 --- a/libiberty/testsuite/demangle-expected +++ b/libiberty/testsuite/demangle-expected @@ -4556,3 +4556,16 @@ __vt_90000000000cafebabe _Z80800000000000000000000 _Z80800000000000000000000 +# +# Tests write access violation PR70926 + +0__Ot2m02R5T0000500000 +0__Ot2m02R5T0000500000 +# + +0__GT50000000000_ +0__GT50000000000_ +# + +__t2m05B500000000000000000_ +__t2m05B500000000000000000_ |