https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

Bug ID: 70481
Summary: [Regression] Libiberty Demangler segfaults
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: boehme.marcel at gmail dot com
Target Milestone: ---

In the most recent version, Valgrind reports an invalid write of size 8 due to a use-after-free if the demangler is called with a certain class signature. However, the demangling succeeds in earlier versions.

How to Reproduce:

    binutils-2.26# valgrind binutils/cxxfilt _Q10-__9cafebabe.
    ==56086== Memcheck, a memory error detector
    ==56086== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
    ==56086== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
    ==56086== Command: binutils/cxxfilt _Q10-__9cafebabe.
    ==56086==
    ==56086== Invalid write of size 8
    ==56086==    at 0x787D9B: remember_Ktype (cplus-dem.c:4300)
    ==56086==    by 0x787D9B: demangle_class (cplus-dem.c:2621)
    ==56086==    by 0x787D9B: demangle_signature (cplus-dem.c:1494)
    ==56086==    by 0x78DEA9: internal_cplus_demangle (cplus-dem.c:1204)
    ==56086==    by 0x75DC6A: cplus_demangle (cplus-dem.c:887)
    ==56086==    by 0x4063E1: demangle_it (cxxfilt.c:62)
    ==56086==    by 0x4059BE: main (cxxfilt.c:227)
    ..

The root cause:

There is a variable ksize storing the amount of allocated memory for the array. ksize being zero (0) indicates that some memory must be allocated upon the first write. When more memory is needed, both ksize and the memory are doubled during reallocation. At some point the memory for the array is freed, but the value of ksize remains. Since ksize is not 0, there is no indication that new memory must be allocated when there is another write to the array.

The solution:

When freeing the memory of the array, set ksize=0. I am preparing a patch.
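The ksize bookkeeping the report describes, as an added C model that is not libiberty's cplus-dem.c code (the struct and function names are hypothetical): the array is allocated when ksize is 0 and doubled afterwards, the release routine either leaves ksize stale (the defect) or resets it (the proposed fix), and the append path checks the invariant instead of writing through a released pointer.

```c
#include <stdlib.h>
/* Hypothetical model of the report's bookkeeping; names are assumptions, not cplus-dem.c symbols. */
struct ktypes {
    const char **vec;  /* heap array of remembered type strings */
    int ksize;         /* allocated slots; 0 means "allocate before first write" */
    int numk;          /* slots currently in use */
};

/* The invariant the fix restores: ksize claims a buffer only while one exists. */
int ktypes_consistent(const struct ktypes *k) {
    return (k->ksize == 0) == (k->vec == NULL);
}

/* Append with grow-on-demand: allocate when ksize == 0, otherwise double. */
int ktypes_remember(struct ktypes *k, const char *s) {
    if (!ktypes_consistent(k))
        return -1;  /* stale ksize after a release: the write Valgrind flagged */
    if (k->numk >= k->ksize) {
        int newsize = (k->ksize == 0) ? 5 : 2 * k->ksize;
        const char **nv = realloc(k->vec, (size_t)newsize * sizeof *nv);
        if (nv == NULL) return -1;
        k->vec = nv;
        k->ksize = newsize;
    }
    k->vec[k->numk++] = s;
    return 0;
}

/* Release: reset_ksize 0 mimics the defect (ksize kept), 1 is the fix; the pointer is nulled so the stale state is detectable rather than undefined behaviour. */
void ktypes_forget(struct ktypes *k, int reset_ksize) {
    free(k->vec);
    k->vec = NULL;
    k->numk = 0;
    if (reset_ksize) k->ksize = 0;
}

/* Two signatures in a row, as cxxfilt would see them: 0 with the fix, -1 when a stale ksize is left behind. */
int ktypes_scenario(int reset_ksize) {
    struct ktypes k = { NULL, 0, 0 };
    int rc = 0;
    for (int i = 0; i < 6 && rc == 0; i++)  /* forces one doubling: 5 -> 10 */
        rc = ktypes_remember(&k, "T");
    ktypes_forget(&k, reset_ksize);
    if (rc == 0)
        rc = ktypes_remember(&k, "U");  /* second write: hits the stale ksize if it was not reset */
    ktypes_forget(&k, 1);
    return rc;
}
```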