Hi,

This fixes four access violations (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926).
Two of these first read the value of a length variable len from the mangled string, then strncpy len characters from the mangled string; more than necessary. The other two read the value of an array index n from the mangled string, which can be negative due to an overflow. Bootstrapped and regression tested on x86_64-pc-linux-gnu. Test cases added to libiberty/testsuite/demangler-expected and checked PR70926 is resolved. Best regards, - Marcel Index: libiberty/ChangeLog =================================================================== --- libiberty/ChangeLog (revision 235801) +++ libiberty/ChangeLog (working copy) @@ -1,3 +1,12 @@ +2016-05-03 Marcel Böhme <boehme.mar...@gmail.com> + + PR c++/70926 + * cplus-dem.c: Handle large values and overflow when demangling + length variables. + (demangle_template_value_parm): Read only until end of mangled string. + (do_hpacc_template_literal): Likewise. + (do_type): Handle overflow when demangling array indices. + 2016-05-02 Marcel Böhme <boehme.mar...@gmail.com> PR c++/70498 Index: libiberty/cplus-dem.c =================================================================== --- libiberty/cplus-dem.c (revision 235801) +++ libiberty/cplus-dem.c (working copy) @@ -2051,7 +2051,8 @@ demangle_template_value_parm (struct work_stuff *w else { int symbol_len = consume_count (mangled); - if (symbol_len == -1) + if (symbol_len == -1 + || symbol_len > (long) strlen (*mangled)) return -1; if (symbol_len == 0) string_appendn (s, "0", 1); @@ -3611,7 +3612,7 @@ do_type (struct work_stuff *work, const char **man /* A back reference to a previously seen type */ case 'T': (*mangled)++; - if (!get_count (mangled, &n) || n >= work -> ntypes) + if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes) { success = 0; } 
@@ -3789,7 +3790,7 @@ do_type (struct work_stuff *work, const char **man /* A back reference to a previously seen squangled type */ case 'B': (*mangled)++; - if (!get_count (mangled, &n) || n >= work -> numb) + if (!get_count (mangled, &n) || n < 0 || n >= work -> numb) success = 0; else string_append (result, work->btypevec[n]); @@ -4130,7 +4131,8 @@ do_hpacc_template_literal (struct work_stuff *work literal_len = consume_count (mangled); - if (literal_len <= 0) + if (literal_len <= 0 + || literal_len > (long) strlen (*mangled)) return 0; /* Literal parameters are names of arrays, functions, etc. and the Index: libiberty/testsuite/demangle-expected =================================================================== --- libiberty/testsuite/demangle-expected (revision 235801) +++ libiberty/testsuite/demangle-expected (working copy) @@ -4441,3 +4441,16 @@ __vt_90000000000cafebabe _Z80800000000000000000000 _Z80800000000000000000000 +# +# Tests write access violation PR70926 + +0__Ot2m02R5T0000500000 +0__Ot2m02R5T0000500000 +# + +0__GT50000000000_ +0__GT50000000000_ +# + +__t2m05B500000000000000000_ +__t2m05B500000000000000000_
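Review bot: In the ChangeLog hunk the do_type line reads "Handle overflow when demangling array indices", but the two patched cases are the 'T' and 'B' back references, where n indexes work->typevec / work->btypevec; "back-reference indices" would say what was fixed without suggesting C array types are involved. The file-level line "Handle large values and overflow when demangling length variables" also repeats what the per-function entries already say and could be dropped.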
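Review bot: In the demangle_template_value_parm hunk the new bound `|| symbol_len > (long) strlen (*mangled)` closes the over-read, but the test keeps `symbol_len == -1` as the only rejected negative value; `symbol_len < 0` covers the same case and any other negative result without relying on -1 being the sole failure code. Since symbol_len is then known non-negative, `(size_t) symbol_len > strlen (*mangled)` avoids the signed/unsigned cast as well. Note that strlen rescans the remaining input on every call, so long names with many template value parameters pay a repeated linear cost; acceptable here, but worth a short comment so nobody "optimises" it away later.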
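Review bot: The `n < 0 ||` added in the case 'T' hunk fixes this call site, but the root cause is that get_count can hand back a negative n after overflow; having get_count itself report failure on overflow (the way consume_count signals -1 in the first hunk) would protect every caller that indexes a vector with the result, not only the two patched here. If that is out of scope for this PR, please add a one-line comment above the test saying that n can go negative on overflow, otherwise the check reads as redundant next to `n >= work -> ntypes`.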
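Review bot: Same pattern as the 'T' case: `n < 0 || n >= work -> numb` guards the `work->btypevec[n]` access in the 'B' hunk. Consider a small helper (hypothetical name, e.g. get_index_in_range) that wraps get_count with both bounds so the two back-reference cases, and any future caller, get the check in one place and cannot drift apart.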
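Review bot: The do_hpacc_template_literal hunk copies the `> (long) strlen (*mangled)` bound from demangle_template_value_parm verbatim; because literal_len is already rejected by the `<= 0` test on the previous line, `(size_t) literal_len > strlen (*mangled)` is the cleaner form here and avoids the cast in the other direction. Two identical checks in two functions are a maintenance hazard; a shared helper (hypothetical name, e.g. consume_count_bounded) that does consume_count plus the remaining-length test would keep them in sync.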
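Review bot: The testsuite comment `# Tests write access violation PR70926` heads all three new inputs, yet the cover letter describes two of the bugs as over-reads of the mangled string and the other two as negative array indices; please make the comment match (for example `# Tests access violations, PR70926`) and, since each input drives a different fixed path, say which function each one targets. It is also worth stating in the comment that the expected output equals the input, i.e. the demangler is now expected to fail cleanly and echo the symbol rather than crash, so a future reader does not mistake the unchanged string for a missing expectation.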