https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629
--- Comment #8 from Cheng Wen ---
(In reply to Trupti Pardeshi from comment #7)
> commit ebb8004a18a3808d7197762faf3c5aaeae82371f
> Author: GDB Administrator
> Date: Wed Dec 19 00:00:21 2018 +
>
> Automatic date update in version.in
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629
--- Comment #10 from Cheng Wen ---
(In reply to Trupti Pardeshi from comment #9)
This bug can be reproduced in the commit version
ebb8004a18a3808d7197762faf3c5aaeae82371f.
But it is now fixed.
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Created attachment 45255
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=45255&action=edit
POC1
Hi there,
A memory leak issue was discovered in cplus-de
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539
--- Comment #1 from Cheng Wen ---
Created attachment 45256
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=45256&action=edit
POC2
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Created attachment 45294
--> https://gcc.gnu.org/bugzilla/attachment.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629
--- Comment #1 from Cheng Wen ---
Created attachment 45295
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=45295&action=edit
POC2
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629
--- Comment #2 from Cheng Wen ---
Created attachment 45296
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=45296&action=edit
POC3
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629
--- Comment #3 from Cheng Wen ---
That's because "d_advance (di, 2);" in function d_expression_1 changes
di->n = di + 2, leading to a buffer-overflow problem.
> 3353 d_advance (di, 2);
> 3354 if (peek == 't')
> 3355 type = cplus_d
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629
--- Comment #4 from Cheng Wen ---
Hi, is anyone here going to look at this bug?
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629
--- Comment #5 from Cheng Wen ---
This bug got assigned CVE-2018-20712
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89394
Cheng Wen changed:
What|Removed |Added
CC||wcventure at 126 dot com
--- Comment #4
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89394
--- Comment #5 from Cheng Wen ---
So many similar cases and repetitive CVEs.
This problem has been fixed before, but it has not been completely fixed.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85122
https://gcc.gnu.org/bugzilla/show_bug.cgi?
Assignee: unassigned at gcc dot gnu.org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Created attachment 44704
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44704&action=edit
c++filt < POC
We have found some stack overflows in c++filt of the latest bin
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Created attachment 44706
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44706&action=edit
Stack_overfl
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335
--- Comment #2 from Cheng Wen ---
(In reply to Martin Liška from comment #1)
> Is the input a valid C++ mangled name of not?
Hi,
This input is obtained through fuzzing technology. Our fuzzer gets some test
cases by mutating a valid input. This ca
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87333
--- Comment #2 from Cheng Wen ---
(In reply to Martin Liška from comment #1)
> Is the input a valid C++ mangled name of not?
Hi,
This input is obtained through fuzzing technology. Our fuzzer gets some test
cases by mutating a valid input. This ca
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Hi,
Our fuzzer caught NULL-pointer problems in c++filt of the latest binutils code
base; those inputs cause segmentation faults
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350
--- Comment #1 from Cheng Wen ---
Created attachment 44714
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44714&action=edit
POC1
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350
--- Comment #2 from Cheng Wen ---
Created attachment 44715
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44715&action=edit
POC2
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335
--- Comment #5 from Cheng Wen ---
(In reply to Jonathan Wakely from comment #4)
> Are you sure you attached the right file? When I try to demangle the
> attachment it doesn't crash, the __cxa_demangle file returns -2, meaning the
> name is not va
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87333
--- Comment #3 from Cheng Wen ---
Created attachment 44716
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44716&action=edit
POC1
I have a new POC to add.
Please use “c++filt < $POC” to reproduce the bug.
Please check it and debug it.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87333
--- Comment #4 from Cheng Wen ---
Created attachment 44717
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44717&action=edit
POC2
I have a new POC to add.
Please use “c++filt < $POC” to reproduce the bug.
Please check it and debug it.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335
--- Comment #7 from Cheng Wen ---
(In reply to Jonathan Wakely from comment #6)
Considering the memory size of different machines, maybe more 'P's are needed
in the input to trigger this bug.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350
--- Comment #4 from Cheng Wen ---
Yes.
One input test case is "_GLOBAL_$D$__tf30___0__".
Another input test case is "__thunk_0__0__$__H1".
I see that you can reproduce this error. Do you know the reason for
this bug?
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335
--- Comment #9 from Cheng Wen ---
(In reply to Jonathan Wakely from comment #8)
Hi Jonathan,
I debugged with this POC again. I still think it's a problem. I will show you
the debug process as follows.
> $ gdb ./c++filt
> Reading symbols from ./
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Created attachment 44830
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44830&action=edit
POC_input
Hi. We are doing research
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602
Cheng Wen changed:
What|Removed |Added
Summary|Integer Overflow in |Integer Overflow in
|cplus
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602
--- Comment #2 from Cheng Wen ---
I have further analyzed this bug. The variable n in function get_count (const
char **type, int *count) has an integer overflow problem. The value is passed to
the variable count.
> do
> {
> n *= 10;
> n += *p -
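The two defects named in these reports (comment #3 on 88629, an advance of the read position by a fixed 2 bytes with no check that those bytes exist, and comment #2 on 87602, a decimal count accumulated as n = n * 10 + digit until int wraps) share one shape: a parser trusts the input to supply what the grammar promises. The block below is an added example, not libiberty code and not a patch for either bug: a hypothetical cursor type with a bounds-checked advance, and a get_count-style loop that rejects a count before the multiply-add would exceed INT_MAX instead of wrapping. The struct, function names and the inputs fed to them are all constructed for this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical read cursor, loosely modelled on the shape of a demangler's
   parse state: n is the current position, end is one past the last byte.
   Example code, not libiberty's d_info. */
struct cursor {
    const char *n;
    const char *end;
};

static void cursor_init(struct cursor *c, const char *s)
{
    c->n = s;
    c->end = s + strlen(s);
}

/* Current byte, or '\0' once the cursor has reached end. */
static char peek(const struct cursor *c)
{
    return c->n < c->end ? *c->n : '\0';
}

/* Bounds-checked advance. An unchecked "c->n += k" is the pattern the
   88629 comment describes: if fewer than k bytes remain, n lands past end
   and every later read through it is out of bounds. */
static bool advance_checked(struct cursor *c, size_t k)
{
    if ((size_t)(c->end - c->n) < k)
        return false;          /* not enough input left: refuse, do not move */
    c->n += k;
    return true;
}

/* Decimal count parser with the same n = n * 10 + digit accumulation as the
   get_count loop quoted above, but it fails instead of letting int wrap. */
static bool get_count_checked(struct cursor *c, int *count)
{
    if (!isdigit((unsigned char)peek(c)))
        return false;
    int n = 0;
    while (isdigit((unsigned char)peek(c))) {
        int d = peek(c) - '0';
        /* Reject before the multiply-add if n * 10 + d would exceed INT_MAX. */
        if (n > (INT_MAX - d) / 10)
            return false;
        n = n * 10 + d;
        c->n++;
    }
    *count = n;
    return true;
}

/* Parse a count from s; -1 means rejected (overflow or no digits). */
static int demo_count(const char *s)
{
    struct cursor c;
    int count;
    cursor_init(&c, s);
    return get_count_checked(&c, &count) ? count : -1;
}

/* Try to skip k bytes of s, then report how many bytes remain (-1 if refused). */
static long demo_advance(const char *s, size_t k)
{
    struct cursor c;
    cursor_init(&c, s);
    if (!advance_checked(&c, k))
        return -1;
    return (long)(c.end - c.n);
}

int main(void)
{
    /* Constructed inputs: a sane count, one digit past INT_MAX, and a lone
       'P' where the grammar would want 2 bytes after the current position. */
    printf("12345      -> %d\n", demo_count("12345"));
    printf("2147483648 -> %d\n", demo_count("2147483648"));
    printf("skip 2 of \"Pi\" -> %ld left\n", demo_advance("Pi", 2));
    printf("skip 2 of \"P\"  -> %ld\n", demo_advance("P", 2));
    return 0;
}
```

The check in get_count_checked is done on the value before the update, so signed overflow (undefined behaviour in C) is never reached; a caller that later uses count as a length or allocation size can trust it is non-negative and in range.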
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Created attachment 44850
--> https://gcc.gnu.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636
--- Comment #1 from Cheng Wen ---
I have summarized the different recursive stack frame problems in c++filt.
> This issue (in cp-demangle.c)
> recursive stack frames: cplus_demangle_type, d_bare_function_type,
> d_function_type
I find that m
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636
--- Comment #2 from Cheng Wen ---
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.
If you have any questions, please let me know.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335
--- Comment #11 from Cheng Wen ---
(In reply to Scott Gayou from comment #10)
> does NOT crash
That depends on your compilation options, because stack memory is very small,
generally only 1M to 2M. You can debug it with GDB and see the backtrac
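The 87636 comment lists mutually recursive frames (cplus_demangle_type, d_bare_function_type, d_function_type), and the 87335 comments explain why a long run of 'P' modifiers crashes on one machine and not another: each nesting level costs a stack frame, and the stack is a megabyte or two. The usual mitigation is a recursion budget carried in the parse state. The block below is an added example and not the demangler's own code: a toy recursive-descent type parser ('P' wraps a pointer around what follows, 'i' is int) with a depth counter that refuses to descend past an assumed limit, plus a helper that constructs "PPP...Pi" inputs of arbitrary length to show the limit engaging. MAX_DEPTH, the grammar and the function names are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed recursion budget for this example; no limit from the real
   demangler is claimed here. */
#define MAX_DEPTH 1024

struct pstate {
    const char *n;    /* read position */
    const char *end;  /* one past the last byte */
    int depth;        /* live recursion depth of parse_type */
};

/* Tiny recursive-descent type parser. Returns the pointer nesting count,
   -1 for malformed input, -2 when the recursion budget is exhausted. */
static int parse_type(struct pstate *st)
{
    if (st->n >= st->end)
        return -1;
    if (st->depth >= MAX_DEPTH)
        return -2;            /* bail out before spending another frame */
    st->depth++;
    int r;
    if (*st->n == 'P') {
        st->n++;
        r = parse_type(st);   /* each 'P' costs one more stack frame */
        if (r >= 0)
            r++;
    } else if (*st->n == 'i') {
        st->n++;
        r = 0;
    } else {
        r = -1;
    }
    st->depth--;
    return r;
}

/* Parse a whole string; trailing bytes after the type are an error. */
static int pointer_levels(const char *s)
{
    struct pstate st = { s, s + strlen(s), 0 };
    int r = parse_type(&st);
    if (r >= 0 && st.n != st.end)
        return -1;
    return r;
}

/* Build "PPP...Pi" with `levels` pointer prefixes (constructed input in the
   shape of the long-'P' fuzz cases) and parse it. */
static int demo_deep(size_t levels)
{
    char *buf = malloc(levels + 2);
    if (!buf)
        return -1;
    memset(buf, 'P', levels);
    buf[levels] = 'i';
    buf[levels + 1] = '\0';
    int r = pointer_levels(buf);
    free(buf);
    return r;
}

int main(void)
{
    printf("PPi            -> %d levels\n", pointer_levels("PPi"));
    printf("1000 x P + i   -> %d\n", demo_deep(1000));
    /* Without the depth check this input would recurse a million frames
       deep; with it the parser returns -2 after MAX_DEPTH frames. */
    printf("1000000 x P + i -> %d\n", demo_deep(1000000));
    return 0;
}
```

The budget check sits before the increment and before any recursive call, so the deepest live frame count is MAX_DEPTH regardless of input length; a limit chosen below what a 1M stack can hold for the largest frame in the mutual recursion turns a crash into an ordinary parse failure.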