From 0f08678d51cd32812341eabf2608827de9f4687b Mon Sep 17 00:00:00 2001 From: jimb Date: Tue, 20 Apr 1999 11:00:27 +0000 Subject: Fix from Dale Hawkins: * cplus-dem.c (mop_up): Set typevec_size to zero, so it'll be reallocated properly if we use it again. * cplus-dem.c (demangle_fund_type): Check for buffer overrun. Be stricter about syntax. Always null-terminate string. git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@26562 138bc75d-0d04-0410-961f-82ee72b054a4
---
libiberty/cplus-dem.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'libiberty')
diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
index a48492240d9..e834d2a6a9c 100644
--- a/libiberty/cplus-dem.c
+++ b/libiberty/cplus-dem.c
@@ -880,6 +880,7 @@ mop_up (work, declp, success)
 {
 free ((char *) work -> typevec);
 work -> typevec = NULL;
+ work -> typevec_size = 0;
 }
 if (work->tmpl_argvec)
 {
@@ -3377,14 +3378,22 @@ demangle_fund_type (work, mangled, result)
 {
 int i;
 ++(*mangled);
- for (i = 0; **mangled && **mangled != '_'; ++(*mangled), ++i)
+ for (i = 0;
+ (i < sizeof (buf) - 1 && **mangled && **mangled != '_');
+ ++(*mangled), ++i)
 buf[i] = **mangled;
+ if (**mangled != '_')
+ {
+ success = 0;
+ break;
+ }
 buf[i] = '\0';
 ++(*mangled);
 }
 else
 {
 strncpy (buf, *mangled, 2);
+ buf[2] = '\0';
 *mangled += 2;
 }
 sscanf (buf, "%x", &dec);
-- cgit v1.2.1
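Review bot: In the `else` branch of the demangle_fund_type hunk, `*mangled += 2` still advances by two when fewer than two characters remain, so the pointer can step past the terminating NUL and later parsing would read out of bounds; the added `buf[2] = '\0'` only fixes the termination of `buf`. A guard before the `strncpy` would close that, e.g. `if ((*mangled)[0] == '\0' || (*mangled)[1] == '\0') { success = 0; break; }`, matching the failure path the commit adds in the `_` branch. The result of `sscanf (buf, "%x", &dec)` is also unchecked, so `dec` keeps whatever it held before when `buf` contains no hex digits; its declaration is outside the hunk, so confirm it is initialised or test that the call returned 1. As a point of style, `i < sizeof (buf) - 1` compares the signed `i` with a `size_t`, which is safe only because `i` starts at 0; declaring `i` as `size_t` would make that explicit. The enclosing case in demangle_fund_type starts and ends outside the hunk.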