A write access violation on the destination operand in the libiberty demangler causes its host applications to crash. There are also two other read access violations on the source operand that are caused by the same problem (overflow when parsing a number).

How to reproduce:

$ valgrind c++filt 0__Ot2m02R5T0000500000
==86038== Invalid read of size 1
==86038==    at 0x752150: do_type (cplus-dem.c:3729)
==86038==    by 0x7640F5: do_arg (cplus-dem.c:4239)
==86038==    by 0x7659D7: demangle_args (cplus-dem.c:4528)
==86038==    by 0x778425: demangle_signature (cplus-dem.c:1645)
==86038==    by 0x784701: internal_cplus_demangle (cplus-dem.c:1204)
==86038==    by 0x74F572: cplus_demangle (cplus-dem.c:887)
==86038==    by 0x406251: demangle_it (cxxfilt.c:62)
==86038==    by 0x40582E: main (cxxfilt.c:227)

$ valgrind c++filt 0__GT50000000000_
==10196== Invalid read of size 8
==10196==    at 0x7519A7: do_type (cplus-dem.c:3623)
==10196==    by 0x763DB5: do_arg (cplus-dem.c:4249)
==10196==    by 0x76568F: demangle_args (cplus-dem.c:4538)
==10196==    by 0x778825: demangle_signature (cplus-dem.c:1653)
==10196==    by 0x784961: internal_cplus_demangle (cplus-dem.c:1210)
==10196==    by 0x74F582: cplus_demangle (cplus-dem.c:893)
==10196==    by 0x406251: demangle_it (cxxfilt.c:62)
==10196==    by 0x40582E: main (cxxfilt.c:227)

$ valgrind c++filt __t2m05B500000000000000000_
==13052== Invalid read of size 8
==13052==    at 0x7541FF: do_type (cplus-dem.c:3798)
==13052==    by 0x76B2B3: demangle_template.constprop.15 (cplus-dem.c:2241)
==13052==    by 0x7761B7: demangle_signature (cplus-dem.c:1573)
==13052==    by 0x784811: internal_cplus_demangle (cplus-dem.c:1210)
==13052==    by 0x74F582: cplus_demangle (cplus-dem.c:893)
==13052==    by 0x406251: demangle_it (cxxfilt.c:62)
==13052==    by 0x40582E: main (cxxfilt.c:227)

Analysis:
The demangler sometimes reads the value of an array index from the mangled string. Now, it is checked whether it exceeds the array length. However, the parsing can cause an overflow and the index is negative.
This vulnerability was found with a more efficient version of AFL. I am preparing a patch.
Fixed by commit on trunk
Author: law
Date: Wed Jul 13 22:06:09 2016
New Revision: 238313

URL: https://gcc.gnu.org/viewcvs?rev=238313&root=gcc&view=rev
Log:
PR c++/70926
	* cplus-dem.c: Handle large values and overflow when demangling
	length variables.
	(demangle_template_value_parm): Read only until end of mangled
	string.
	(do_hpacc_template_literal): Likewise.
	(do_type): Handle overflow when demangling array indices.

Modified:
	trunk/libiberty/ChangeLog
	trunk/libiberty/cplus-dem.c
	trunk/libiberty/testsuite/demangle-expected
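To make the bug class from the analysis above and the shape of the fix concrete, here is a self-contained C model (an added example, not libiberty's code): a decimal index read from the mangled string wraps negative in a 32-bit accumulator and slips past a check that only tests the upper array bound, next to an overflow-checked parser that rejects it. The function names and the array length of 10 are assumptions; the digit run 50000000000 is taken from the second reproducer.

```c
#include <limits.h>
#include <stdbool.h>
/* Illustrative model of the bug class in this report (not libiberty's code):
 * a decimal index is read from untrusted input, then compared only against
 * the upper array bound, so a value that wrapped negative is accepted. */

/* Parse a digit run into a wrapping 32-bit accumulator and reinterpret it
 * as a signed int, the result a naive `n = n*10 + d` int loop produces. */
static int parse_index_wrapping(const char **p)
{
    unsigned int u = 0;
    while (**p >= '0' && **p <= '9') {
        u = u * 10u + (unsigned int)(**p - '0');  /* wraps modulo 2^32 */
        (*p)++;
    }
    /* Two's-complement reinterpretation written without signed-overflow UB. */
    return (u <= (unsigned int)INT_MAX) ? (int)u : -(int)(UINT_MAX - u) - 1;
}

/* Pre-fix style of check: rejects large indices but not negative ones. */
bool index_accepted_naive(const char *mangled, int array_len)
{
    int idx = parse_index_wrapping(&mangled);
    return idx < array_len;   /* "50000000000" -> -1539607552 < 10: accepted */
}

/* Hardened parse: stop before the accumulator can exceed INT_MAX, and
 * require 0 <= idx < array_len before the caller indexes anything. */
bool parse_index_checked(const char **p, int array_len, int *out)
{
    int n = 0;
    if (**p < '0' || **p > '9')
        return false;                   /* no digits at all */
    while (**p >= '0' && **p <= '9') {
        int d = **p - '0';
        if (n > (INT_MAX - d) / 10)
            return false;               /* n*10 + d would overflow: reject */
        n = n * 10 + d;
        (*p)++;
    }
    if (n >= array_len)
        return false;                   /* out of bounds */
    *out = n;
    return true;
}

bool index_accepted_checked(const char *mangled, int array_len)
{
    int idx;
    return parse_index_checked(&mangled, array_len, &idx);
}
```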