https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498
Bug ID: 70498
Summary: Libiberty Demangler segfaults (3)
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: boehme.marcel at gmail dot com
Target Milestone: ---

Due to the inconsistent use of long and int for string/array length in cp-demangle.c there is an integer overflow that leads to a write access violation. The target crashes on an access violation at an address matching the destination operand of the instruction.

This error was found during fuzzing with a more efficient version of AFL.

How to reproduce:

$ valgrind c++filt _Z80800000000000000000000
==87985== Invalid read of size 1
==87985==    at 0x7C3DFC: d_unqualified_name (cp-demangle.c:1555)
==87985==    by 0x7CA9DF: d_name (cp-demangle.c:1399)
==87985==    by 0x7CC1A3: d_encoding (cp-demangle.c:1257)
==87985==    by 0x7D153C: cplus_demangle_mangled_name (cp-demangle.c:1172)
==87985==    by 0x7D153C: d_demangle_callback (cp-demangle.c:5894)
==87985==    by 0x7D153C: d_demangle (cp-demangle.c:5945)
==87985==    by 0x7D153C: cplus_demangle_v3 (cp-demangle.c:6102)
==87985==    by 0x75AB53: cplus_demangle (cplus-dem.c:865)
..
Segmentation fault

Root cause:

In cp-demangle.c, length variables are sometimes of type long, e.g., when the length of an identifier is parsed in d_number. Other times they are of type int, e.g., when actually parsing an identifier in d_identifier. Note that cp-demangle.h exports structs and methods with length variables of type int.

Preparing a patch.
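The following is an added example, not the reporter's or libiberty's code, that models the long-to-int narrowing the report describes on a toy version of the length-prefixed source-name rule ("3foo" is the identifier "foo" of length 3, after the "_Z" prefix). The toy_* names are hypothetical; the unchecked path accumulates the length into a long and then hands it to a function with an int parameter, the way the report says d_number and d_identifier are paired, and the checked path shows the two tests a hardened parser needs before that conversion: reject overflow while accumulating, and require the length to fit both the remaining input and int while it is still a long. The report's own input, _Z80800000000000000000000, is used alongside two constructed inputs.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the long -> int length narrowing described in the report.
 * Added example, not libiberty code: the toy_* names are hypothetical and
 * only the length-prefixed <source-name> rule after "_Z" is modelled.
 */

struct toy_state {
    const char *s;    /* cursor into the mangled name */
    const char *end;  /* one past the last byte */
};

/* Position the cursor just after "_Z"; returns 0 if the prefix is missing. */
static int toy_init(struct toy_state *st, const char *mangled)
{
    size_t n = strlen(mangled);
    if (n < 2 || mangled[0] != '_' || mangled[1] != 'Z')
        return 0;
    st->s = mangled + 2;
    st->end = mangled + n;
    return 1;
}

/* Unchecked decimal accumulator into a long, the pattern the report
 * attributes to d_number. Accumulating in unsigned long keeps the wrap
 * defined for this demo; the point is that nothing rejects it. */
static long toy_number_unchecked(struct toy_state *st)
{
    unsigned long ret = 0;
    while (st->s < st->end && *st->s >= '0' && *st->s <= '9') {
        ret = ret * 10 + (unsigned long)(*st->s - '0');
        st->s++;
    }
    return (long)ret;
}

/* Stand-in for a consumer with an int length parameter (the report names
 * d_identifier). The implicit long -> int conversion happens at the call. */
static int toy_identifier_len(int len)
{
    return len;
}

/* The long value the unchecked parser produces for a mangled name. */
static long toy_raw_len(const char *mangled)
{
    struct toy_state st;
    if (!toy_init(&st, mangled))
        return -1;
    return toy_number_unchecked(&st);
}

/* The same value after it has been passed through an int parameter. */
static int toy_narrowed_len(const char *mangled)
{
    struct toy_state st;
    if (!toy_init(&st, mangled))
        return -1;
    return toy_identifier_len(toy_number_unchecked(&st));   /* implicit narrowing */
}

/* Hardened parse: reject overflow while accumulating, then require the
 * length to fit both the remaining input and int before it is narrowed.
 * Returns the identifier length, or -1 on any failure. */
static int toy_checked_len(const char *mangled)
{
    struct toy_state st;
    long len = 0;
    const char *start;

    if (!toy_init(&st, mangled))
        return -1;
    start = st.s;
    while (st.s < st.end && *st.s >= '0' && *st.s <= '9') {
        int digit = *st.s - '0';
        if (len > (LONG_MAX - digit) / 10)
            return -1;                          /* would overflow long */
        len = len * 10 + digit;
        st.s++;
    }
    if (st.s == start)
        return -1;                              /* no length digits */
    if (len > INT_MAX || len > st.end - st.s)
        return -1;                              /* too big for int or for the buffer */
    return (int)len;                            /* now a lossless conversion */
}

int main(void)
{
    /* Constructed inputs; the last one is the report's reproducer. */
    const char *inputs[] = { "_Z3foo", "_Z10foo", "_Z80800000000000000000000" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-28s raw long=%ld  as int=%d  checked=%d\n", inputs[i],
               toy_raw_len(inputs[i]), toy_narrowed_len(inputs[i]),
               toy_checked_len(inputs[i]));
    return 0;
}
```

The ordering of the checks is the design point: the comparison against INT_MAX and against the remaining buffer must be done on the long, before any int-typed function sees the value, because after the implicit conversion the truncated int can look perfectly plausible to a range check.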