This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: [PATCH] libiberty: demangler crash with missing :? or fold expression component.


On Mon, Nov 14, 2016 at 3:39 PM, Mark Wielaard <mark@klomp.org> wrote:
> When constructing a :? or fold expression that requires a third
> expression only the first and second were explicitly checked to
> not be NULL. Since the third expression is also required in these
> constructs it needs to be explicitly checked and rejected when missing.
> Otherwise the demangler will crash once it tries to d_print the
> NULL component. Added two examples to demangle-expected of strings
> that would crash before this fix.
>
> Found by American Fuzzy Lop (afl) fuzzer.
> ---
>  libiberty/ChangeLog                   | 7 +++++++
>  libiberty/cp-demangle.c               | 4 ++++
>  libiberty/testsuite/demangle-expected | 8 ++++++++
>  3 files changed, 19 insertions(+)
>
> diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
> index 41f3405..43617e4 100644
> --- a/libiberty/ChangeLog
> +++ b/libiberty/ChangeLog
> @@ -1,3 +1,10 @@
> +2016-11-15  Mark Wielaard  <mark@klomp.org>
> +
> +       * cp-demangle.c (d_expression_1): Make sure third expression
> +       exists for ?: and fold expressions.
> +       * testsuite/demangle-expected: Add examples of strings that could
> +       crash the demangler because of missing expression.
> +
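
Review bot: The ChangeLog text in this hunk spells the conditional operator "?:" while the commit message above spells it ":?"; using "?:" in both places keeps the log and the ChangeLog searchable under one spelling. The d_expression_1 entry also says only "Make sure third expression exists"; wording it as rejecting the expression when the third operand is missing would match what the commit message describes.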

This is not the approach usually taken by the demangler.  The usual
approach would be to use a different code, other than
DEMANGLE_COMPONENT_TRINARY_ARG2, that requires a non-NULL right
argument, and test for that in d_make_comp.  But I suppose this
approach is simple enough, so this patch is OK.  Thanks.

Ian
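
The two ways of rejecting a missing third operand discussed in this thread, as an added example that is not taken from the patch or from libiberty. It is a toy C model: every name in it (`make`, `tri_unchecked`, `tri_checked`, `tri_strict`, `ARG2_STRICT`) and the two-level tree layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy demangler AST; every name here is hypothetical, none is libiberty's. */
enum kind { LEAF, TRI, ARG2, ARG2_STRICT };
struct comp { enum kind k; const char *s; struct comp *l, *r; };

/* Central constructor: TRI and ARG2_STRICT refuse a NULL right child,
   ARG2 is lenient and stores whatever it is given. */
struct comp *make(enum kind k, const char *s, struct comp *l, struct comp *r) {
    struct comp *c;
    if (k != LEAF && l == NULL) return NULL;
    if ((k == TRI || k == ARG2_STRICT) && r == NULL) return NULL;
    c = calloc(1, sizeof *c);
    if (c) { c->k = k; c->s = s; c->l = l; c->r = r; }
    return c;
}

/* Before the fix: only a and b are tested, so a NULL c lands in the tree. */
struct comp *tri_unchecked(struct comp *a, struct comp *b, struct comp *c) {
    if (a == NULL || b == NULL) return NULL;
    return make(TRI, NULL, a, make(ARG2, NULL, b, c));
}

/* Call-site fix, the shape of the patch: reject a missing third operand. */
struct comp *tri_checked(struct comp *a, struct comp *b, struct comp *c) {
    if (a == NULL || b == NULL || c == NULL) return NULL;
    return make(TRI, NULL, a, make(ARG2, NULL, b, c));
}

/* Constructor-level alternative: the strict code makes make() reject it. */
struct comp *tri_strict(struct comp *a, struct comp *b, struct comp *c) {
    return make(TRI, NULL, a, make(ARG2_STRICT, NULL, b, c));
}

/* Printer that trusts every operand to exist; a NULL c would crash here. */
int print_tri(const struct comp *t, char *out, size_t n) {
    return snprintf(out, n, "(%s)?(%s):(%s)", t->l->s, t->r->l->s, t->r->r->s);
}

int main(void) {
    struct comp *a = make(LEAF, "a", NULL, NULL), *b = make(LEAF, "b", NULL, NULL);
    printf("unchecked tree built: %d, checked: %d, strict: %d\n",
           tri_unchecked(a, b, NULL) != NULL, tri_checked(a, b, NULL) != NULL,
           tri_strict(a, b, NULL) != NULL);
    return 0;
}
```

With the call-site check, every construction site has to remember the test; with the strict code, the constructor enforces it for any caller that uses that code.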

