On 07/06/2015 01:34 PM, Mikhail Maltsev wrote:
---
libiberty/cp-demangle.c | 4 +++-
libiberty/testsuite/demangle-expected | 6 ++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
index 12093cc..44a0a9b 100644
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -3267,7 +3267,9 @@ d_expression_1 (struct d_info *di)
struct demangle_component *second;
struct demangle_component *third;
- if (!strcmp (code, "qu"))
+ if (code == NULL)
+ return NULL;
+ else if (!strcmp (code, "qu"))
{
/* ?: expression. */
first = d_expression_1 (di);
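Review bot: the diffstat lists no libiberty/ChangeLog entry for this change; add one covering the new NULL check in d_expression_1 and the testsuite addition. A smaller style point on the same hunk: after `return NULL;` the `else` is unnecessary, so `if (code == NULL) return NULL;` followed by the original `if (!strcmp (code, "qu"))` keeps the existing branch ladder untouched and shrinks the hunk to two added lines.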
diff --git a/libiberty/testsuite/demangle-expected
b/libiberty/testsuite/demangle-expected
index 6ea64ae..47ca8f5 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -4091,6 +4091,12 @@ void g<1>(A<1>&, B<static_cast<bool>(1)>&)
_ZNKSt7complexIiE4realB5cxx11Ev
std::complex<int>::real[abi:cxx11]() const
#
+# Some more crashes revealed by fuzz-testing:
+# Check for NULL pointer when demangling trinary operators
+--format=gnu-v3
+Av32_f
+Av32_f
+#
# Ada (GNAT) tests.
#
# Simple test.
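Review bot: the comment above the new entry says it checks the NULL pointer path for trinary operators, but since the expected output equals the input (`Av32_f`), the entry only verifies that demangling fails without crashing; say so in the comment, for example `# Expected not to demangle; must not crash`, so a later reader does not go looking for a demangled form. It is also worth stating there that the input only reaches d_expression_1 when the harness demangles types, which is the point raised below about c++filt not doing so by default.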
OK with a suitable ChangeLog entry.
And a generic question on the testsuite -- presumably it turns on type
demangling? I wanted to verify the flow through d_expression_1 was
what I expected it to be and it took a while to realize that c++filt
doesn't demangle types by default, thus Av32_f would demangle to Av32_f
without ever getting into d_expression_1.
jeff
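The default-versus-type-demangling difference raised above can be reproduced from the command line. The following is an added example, not part of the patch or of this thread; it assumes c++filt from GNU binutils is on PATH and accepts its documented `-t`/`--types` and `--format=gnu-v3` options. On a c++filt built with the fix, the fuzz input comes back unchanged with `-t`; without `-t` it comes back unchanged simply because types are never attempted.

```shell
#!/bin/sh
# Added example (not from the patch or the thread): feed one mangled string to
# c++filt with or without type demangling and report what happened.
# Assumption: c++filt from GNU binutils is installed and supports -t/--types
# and --format=gnu-v3 (both documented binutils options).

# Print c++filt's output for the mangled string in $1.
# Pass "types" as $2 to enable type demangling (c++filt -t).
# Exit status: 0 on success, 3 if c++filt is not installed, otherwise
# c++filt's own status (a value above 128 means it died from a signal).
cxxfilt() {
    command -v c++filt >/dev/null 2>&1 || return 3
    if [ "$2" = types ]; then
        printf '%s\n' "$1" | c++filt -t --format=gnu-v3
    else
        printf '%s\n' "$1" | c++filt --format=gnu-v3
    fi
}

# Classify a type-demangling run the way a demangle-expected entry does:
# output equal to the input means "did not demangle, did not crash".
# Prints "unchanged", "demangled: <text>", "skipped" (no c++filt) or
# "crashed (status N)"; only the crash case returns non-zero.
check_no_crash() {
    out=$(cxxfilt "$1" types) || {
        st=$?
        [ "$st" -eq 3 ] && { echo skipped; return 0; }
        echo "crashed (status $st)"
        return 1
    }
    if [ "$out" = "$1" ]; then
        echo unchanged
    else
        echo "demangled: $out"
    fi
}

# Usage: the fuzz input from the testsuite entry, with types enabled.
check_no_crash Av32_f
```

Run against a c++filt that predates the fix, `check_no_crash Av32_f` reports a crash status instead of `unchanged`; a plain function symbol such as `_Z1fv` demangles to `f()` with or without `-t`, which is why the testsuite's input needs a type-demangling harness to exercise d_expression_1 at all.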