On 3/21/19 6:04 AM, Nick Clifton wrote:
> Hi Ian,
>
> Attached is a proposed patch to fix PR 89394, which contains an
> artificial mangled name that triggers excessive recursion in
> d_count_templates_scopes. The patch uses the same recursion limit
> that is already in place for d_print_comp, which I hope will be
> acceptable.
>
> There is one frag in the patch which is not directly related to this
> recursion problem however. It extends the check in
> cplus_demangle_fill_name so that names with a negative length are
> rejected. I had originally thought that the excessive recursion was
> due to a negative length string, although further investigation proved
> this guess to be wrong. I felt that leaving the check in however
> would still be a good idea.
>
> Tested with no regressions with an x86_64-linux-gnu toolchain, as well
> as against the testcase in PR 89394.
>
> OK to apply?
>
> Cheers
> Nick
>
> libiberty/ChangeLog
> 2019-03-21 Nick Clifton <ni...@redhat.com>
>
> PR 89394
> * cp-demangle.c (cplus_demangle_fill_name): Reject negative
> lengths.
> (d_count_templates_scopes): Replace num_templates and num_scopes
> parameters with a struct d_print_info pointer parameter. Adjust
> body of the function accordingly. Add recursion counter and check
> that the recursion limit is not reached.
> (d_print_init): Pass dpi parameter to d_count_templates_scopes.
> Reset recursion counter afterwards, unless the recursion limit was
> reached.

It's actually a fairly trivial patch once you know that d_print_init sets up dpi :-)

Given some folks seem to think this is a security issue, I'm going to ACK for gcc-9 even though it's not a regression.

Jeff
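As an added illustration of the approach the ChangeLog above describes (a recursion counter in the counting walk, checked against a limit, and reset by the init routine unless the limit fired), here is a constructed C model; it is not the libiberty code, and the node types, the simplified print_info struct, the RECURSION_LIMIT value and the chain_scope_count helper are assumptions made for this example.

```c
#include <stdlib.h>
/* Illustrative model of the fix described in the thread, not libiberty's own code:
   a recursive walk counting template/scope nodes in a demangler tree, guarded by
   a recursion counter. RECURSION_LIMIT is an assumed value for this example. */
#define RECURSION_LIMIT 2048
enum comp_type { COMP_NAME, COMP_TEMPLATE, COMP_SCOPE };
struct comp { enum comp_type type; struct comp *left, *right; };
struct print_info {        /* simplified stand-in for struct d_print_info */
  int num_templates, num_scopes;
  int recursion;           /* current depth of the counting walk */
  int demangle_failure;    /* set once the limit has been reached */
};
static void count_templates_scopes(struct print_info *dpi, const struct comp *dc)
{
  if (dc == NULL || dpi->demangle_failure) return;
  if (++dpi->recursion > RECURSION_LIMIT) {
    dpi->demangle_failure = 1;   /* reject the input instead of going deeper */
    return;
  }
  if (dc->type == COMP_TEMPLATE) dpi->num_templates++;
  else if (dc->type == COMP_SCOPE) dpi->num_scopes++;
  count_templates_scopes(dpi, dc->left);
  count_templates_scopes(dpi, dc->right);
  dpi->recursion--;
}
/* Mirrors the described d_print_init change: count first, then reset the
   counter unless the limit was reached. Returns 1 if the input is accepted. */
static int print_init(struct print_info *dpi, const struct comp *dc)
{
  dpi->num_templates = dpi->num_scopes = dpi->recursion = dpi->demangle_failure = 0;
  count_templates_scopes(dpi, dc);
  if (!dpi->demangle_failure) dpi->recursion = 0;
  return !dpi->demangle_failure;
}
/* Constructed input: a chain of `depth` nested scope nodes, the shape that drives
   the walk deepest. Returns the scopes counted, or -1 if print_init rejected it. */
static int chain_scope_count(int depth)
{
  struct print_info dpi;
  struct comp *root = NULL, *n;
  while (depth-- > 0) {
    if ((n = calloc(1, sizeof *n)) == NULL) break;
    n->type = COMP_SCOPE; n->left = root; root = n;
  }
  int ok = print_init(&dpi, root);
  while (root) { n = root->left; free(root); root = n; }
  return ok ? dpi.num_scopes : -1;
}
```

A chain one node deeper than RECURSION_LIMIT is rejected before the walk can descend further, while anything at or below the limit is counted normally.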