authorMarcel Böhme <boehme.marcel@gmail.com>2016-07-13 16:06:09 -0600
committerJeff Law <law@gcc.gnu.org>2016-07-13 16:06:09 -0600
commit03ef0c6c55ab81002abef62cec430d0496c3a01c (patch)
treeb3334406be855b82bcea51ddd6f1f9d92224b0b4 /libiberty
parent0d355cf973a80a3d15132ceabd55f6510f729d88 (diff)
re PR c++/70926 (Libiberty Demangler segfaults (5))
PR c++/70926 * cplus-dem.c: Handle large values and overflow when demangling length variables. (demangle_template_value_parm): Read only until end of mangled string. (do_hpacc_template_literal): Likewise. (do_type): Handle overflow when demangling array indices. From-SVN: r238313
Diffstat (limited to 'libiberty')
-rw-r--r--libiberty/ChangeLog9
-rw-r--r--libiberty/cplus-dem.c10
-rw-r--r--libiberty/testsuite/demangle-expected13
3 files changed, 28 insertions, 4 deletions
diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
index 45b312bed5c..317bd63c054 100644
--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
@@ -1,3 +1,12 @@
+2016-07-13 Marcel BÃhme <boehme.marcel@gmail.com>
+
+ PR c++/70926
+ * cplus-dem.c: Handle large values and overflow when demangling
+ length variables.
+ (demangle_template_value_parm): Read only until end of mangled string.
+ (do_hpacc_template_literal): Likewise.
+ (do_type): Handle overflow when demangling array indices.
+
2016-06-12 Brooks Moses <bmoses@google.com>
* cp-demangle.c (cplus_demangle_print_callback): Avoid zero-length
diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
index d04c32a904a..3ee2df1c56a 100644
--- a/libiberty/cplus-dem.c
+++ b/libiberty/cplus-dem.c
@@ -2053,7 +2053,8 @@ demangle_template_value_parm (struct work_stuff *work, const char **mangled,
else
{
int symbol_len = consume_count (mangled);
- if (symbol_len == -1)
+ if (symbol_len == -1
+ || symbol_len > (long) strlen (*mangled))
return -1;
if (symbol_len == 0)
string_appendn (s, "0", 1);
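Review bot: The new guard in demangle_template_value_parm still lets a negative symbol_len other than -1 through, because any negative value is below `(long) strlen (*mangled)`. consume_count is not visible in this hunk, so if it can only return -1 on failure this is harmless. Writing the test as `if (symbol_len < 0 || symbol_len > (long) strlen (*mangled))` would make it independent of that contract and bring it in line with the `literal_len <= 0` test in do_hpacc_template_literal. The function body starts and ends outside the hunk.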
@@ -3621,7 +3622,7 @@ do_type (struct work_stuff *work, const char **mangled, string *result)
/* A back reference to a previously seen type */
case 'T':
(*mangled)++;
- if (!get_count (mangled, &n) || n >= work -> ntypes)
+ if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes)
{
success = 0;
}
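Review bot: The added `n < 0` test in the 'T' case, and the identical one in the 'B' case of the next hunk, only rejects a count that has already gone negative; it does not address where that happens. get_count is outside these hunks, but if it accumulates digits into a signed int without a bound, the overflow itself is undefined behaviour, and a long digit run could presumably also wrap to an in-range index and silently select the wrong entry. Bounding the digit run inside get_count would be the more robust fix. A short comment here such as `/* n can be negative if the count overflowed.  */` would explain why the guard exists. do_type continues beyond both hunks.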
@@ -3798,7 +3799,7 @@ do_type (struct work_stuff *work, const char **mangled, string *result)
/* A back reference to a previously seen squangled type */
case 'B':
(*mangled)++;
- if (!get_count (mangled, &n) || n >= work -> numb)
+ if (!get_count (mangled, &n) || n < 0 || n >= work -> numb)
success = 0;
else
string_append (result, work->btypevec[n]);
@@ -4139,7 +4140,8 @@ do_hpacc_template_literal (struct work_stuff *work, const char **mangled,
literal_len = consume_count (mangled);
- if (literal_len <= 0)
+ if (literal_len <= 0
+ || literal_len > (long) strlen (*mangled))
return 0;
/* Literal parameters are names of arrays, functions, etc. and the
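Review bot: The length bound added in do_hpacc_template_literal has no comment saying what it protects against, and the condition alone does not make that obvious to the next reader. I would put `/* A count larger than the remaining input would read past the terminating NUL.  */` above the `if`. As a style point, literal_len is already known to be positive when the second operand is evaluated, so `(size_t) literal_len > strlen (*mangled)` would avoid narrowing strlen's result to long. The same cast appears in the demangle_template_value_parm hunk, where it would only be safe after a negative check. The function begins before this hunk and continues after it.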
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
index 62ab18ca37d..1d959528b97 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -4556,3 +4556,16 @@ __vt_90000000000cafebabe
_Z80800000000000000000000
_Z80800000000000000000000
+#
+# Tests write access violation PR70926
+
+0__Ot2m02R5T0000500000
+0__Ot2m02R5T0000500000
+#
+
+0__GT50000000000_
+0__GT50000000000_
+#
+
+__t2m05B500000000000000000_
+__t2m05B500000000000000000_