[Bug c++/87602] Integer Overflow in cplus-dem.c in c++filt in bintuils which leads to Undefined-behavior(OOM in this POC)

wcventure at 126 dot com Tue, 16 Oct 2018 07:21:28 -0700

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602


--- Comment #2 from Cheng Wen <wcventure at 126 dot com> ---
I have further analyzed this bug. The variable n in function get_count (const
char **type, int *count) have an Integer overflow problem. The value pass to
the variable count.

> do
> {
>   n *= 10;
>   n += *p - '0';
>   p++;
>   }
>   while (ISDIGIT ((unsigned char)*p));
>   if (*p == '_')
>   {
>     *type = p + 1;
>     *count = n;
>   }

After that in XNEWVEC (char *, r); pass the *count as parameter

> work->tmpl_argvec = XNEWVEC (char *, r);

Finally malloc the negative size in /libiberty/./xmalloc.c:147:12.

[Bug c++/87602] Integer Overflow in cplus-dem.c in c++filt in bintuils which leads to Undefined-behavior(OOM in this POC)

Reply via email to