https://sourceware.org/bugzilla/show_bug.cgi?id=18895
Bug ID: 18895
Summary: segfault in cxxfilt in d_unqualified_name () at ./cp-demangle.c:1547
Product: binutils
Version: 2.25
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: brian.carpenter at gmail dot com
Target Milestone: ---

Created attachment 8564
--> https://sourceware.org/bugzilla/attachment.cgi?id=8564&action=edit
crashing test case

While fuzzing GNU c++filt (GNU Binutils) 2.25.51.20150826 with American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/), I found a simple 12-byte file that causes cxxfilt to crash w/ the following command line:

./cxxfilt @test00-min

Valgrind:

==35143== Invalid read of size 1
==35143==    at 0x80CDBF: d_unqualified_name (cp-demangle.c:1547)
==35143==    by 0x813F87: d_name (cp-demangle.c:1391)
==35143==    by 0x815BE7: d_encoding (cp-demangle.c:1257)
==35143==    by 0x8189F4: cplus_demangle_mangled_name (cp-demangle.c:1172)
==35143==    by 0x81AD60: d_demangle_callback (cp-demangle.c:5886)
==35143==    by 0x81AD60: d_demangle (cp-demangle.c:5937)
==35143==    by 0x81AD60: cplus_demangle_v3 (cp-demangle.c:6094)
==35143==    by 0x783A73: cplus_demangle (cplus-dem.c:864)
==35143==    by 0x408192: demangle_it (cxxfilt.c:62)
==35143==    by 0x407618: main (cxxfilt.c:227)
==35143==  Address 0xffffffff8ae0ae97 is not stack'd, malloc'd or (recently) free'd
==35143==
==35143==
==35143== Process terminating with default action of signal 11 (SIGSEGV)
==35143==  Access not within mapped region at address 0xFFFFFFFF8AE0AE97
==35143==    at 0x80CDBF: d_unqualified_name (cp-demangle.c:1547)
==35143==    by 0x813F87: d_name (cp-demangle.c:1391)
==35143==    by 0x815BE7: d_encoding (cp-demangle.c:1257)
==35143==    by 0x8189F4: cplus_demangle_mangled_name (cp-demangle.c:1172)
==35143==    by 0x81AD60: d_demangle_callback (cp-demangle.c:5886)
==35143==    by 0x81AD60: d_demangle (cp-demangle.c:5937)
==35143==    by 0x81AD60: cplus_demangle_v3 (cp-demangle.c:6094)
==35143==    by 0x783A73: cplus_demangle (cplus-dem.c:864)
==35143==    by 0x408192: demangle_it (cxxfilt.c:62)
==35143==    by 0x407618: main (cxxfilt.c:227)
==35143==  If you believe this happened as a result of a stack
==35143==  overflow in your program's main thread (unlikely but
==35143==  possible), you can try to increase the size of the
==35143==  main thread stack using the --main-stacksize= flag.
==35143==  The main thread stack size used in this run was 8388608.
Segmentation fault

GDB:

Program received signal SIGSEGV, Segmentation fault.
0x000000000080cdbf in d_unqualified_name () at ./cp-demangle.c:1547
1547          ret = d_source_name (di);
(gdb) bt
#0  0x000000000080cdbf in d_unqualified_name () at ./cp-demangle.c:1547
#1  0x0000000000813f88 in d_name () at ./cp-demangle.c:1391
#2  0x0000000000815be8 in d_encoding () at ./cp-demangle.c:1257
#3  0x00000000008189f5 in cplus_demangle_mangled_name () at ./cp-demangle.c:1172
#4  0x000000000081ad61 in cplus_demangle_v3 () at ./cp-demangle.c:5886
#5  0x0000000000783a74 in cplus_demangle ()
#6  0x0000000000408193 in demangle_it () at cxxfilt.c:62
#7  0x0000000000407619 in main () at cxxfilt.c:227
(gdb) i r
rax            0x7fffffffde30   140737488346672
rbx            0x7fffffffe0c0   140737488347328
rcx            0xabe2e1 11264737
rdx            0x0      0
rsi            0xffffffff8a0fe4ec       -1978669844
rdi            0x0      0
rbp            0x7fffffffde30   0x7fffffffde30
rsp            0x7fffffffdcf0   0x7fffffffdcf0
r8             0xffffffd0       4294967248
r9             0x0      0
r10            0xffffffff8a0fe4ec       -1978669844
r11            0x18     24
r12            0x1      1
r13            0x7fffffffe080   140737488347264
r14            0x10b    267
r15            0xffffffffbc6    17592186043334
rip            0x80cdbf 0x80cdbf <d_unqualified_name+1439>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils