On Mon, Nov 14, 2016 at 3:39 PM, Mark Wielaard <m...@klomp.org> wrote: > When constructing a ?: or fold expression that requires a third > expression only the first and second were explicitly checked to > not be NULL. Since the third expression is also required in these > constructs it needs to be explicitly checked and rejected when missing. > Otherwise the demangler will crash once it tries to d_print the > NULL component. Added two examples to demangle-expected of strings > that would crash before this fix. > > Found by American Fuzzy Lop (afl) fuzzer. > --- > libiberty/ChangeLog | 7 +++++++ > libiberty/cp-demangle.c | 4 ++++ > libiberty/testsuite/demangle-expected | 8 ++++++++ > 3 files changed, 19 insertions(+) > > diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog > index 41f3405..43617e4 100644 > --- a/libiberty/ChangeLog > +++ b/libiberty/ChangeLog > @@ -1,3 +1,10 @@ > +2016-11-15 Mark Wielaard <m...@klomp.org> > + > + * cp-demangle.c (d_expression_1): Make sure third expression > + exists for ?: and fold expressions. > + * testsuite/demangle-expected: Add examples of strings that could > + crash the demangler because of missing expression. > +
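Review bot: the ChangeLog entry for d_expression_1 states that the third expression must exist for ?: and fold expressions but not what the function does when it is absent; since the covering message says the input is rejected rather than crashing later in d_print, the entry would be more useful to someone reading the log if it said so, e.g. "Return NULL if the third expression of a ?: or fold expression is missing." The testsuite entry could likewise name the failure it guards against ("that crashed the demangler on a NULL third expression") so the two entries read as one fix.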
This is not the approach usually taken by the demangler. The usual approach would be to use a different code, other than DEMANGLE_COMPONENT_TRINARY_ARG2, that requires a non-NULL right argument, and test for that in d_make_comp. But I suppose this approach is simple enough, so this patch is OK. Thanks. Ian