https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687
--- Comment #4 from Marcel Böhme <boehme.marcel at gmail dot com> --- Here is my preliminary analysis: The function demangle_args (cplus-dem.c:4424) parses the (crafted) mangled function args from the binary. In line 4452, r is read from mangled. In line 4491, we enter a loop with r iterations. In line 4498, arg is parsed from mangled (always from the same region). In each loop iteration arg is appended to decl, such that the length of decl grows in each iteration. The function string_appends (cplus-dem.c:4820) appends string arg to string decl. In line 4827, it uses string_need to check whether sufficient memory is allocated in decl to append arg. Then, it memcopies whatever is in arg to the end of decl. The function string_need (cplus-dem.c:4751) checks whether sufficient memory is available to append size-of-arg more characters. If not, xrealloc decl with n=2*(length of decl + length of arg) characters. Since n is a signed int, n wraps over at some iteration. Since, realloc expects n to be unsigned, we end up allocating less memory then actually needed. In the beginning though n is too large and xrealloc simply complains. However, if you play a bit with the length of arg, you'll quickly turn that integer overflow in a buffer overflow. Later, string_appends will memcopy whatever arg contains. In our simple test case the relevant bits in the binary are specified the binary (arbitrarily): r = 80000000, arg = "A______wwww\235\235\235_N____" of length 020. A particularly malicious attacker could craft an executable that executes when *analysed* by objdump, nm or gdb, or any other libbfd / libiberty - based forensics tool (if the demangling option is switched on). -- Marcel Böhme Postdoctoral Researcher TSUNAMi Security Research Lab National University of Singapore
