Bug 79111 - demangle_template tries to allocate 18446744070799748648 bytes
Summary: demangle_template tries to allocate 18446744070799748648 bytes
Status: RESOLVED WORKSFORME
Alias: None
Product: gcc
Classification: Unclassified
Component: demangler (show other bugs)
Version: unknown
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
: 83472 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-01-17 01:41 UTC by Paul Pluzhnikov
Modified: 2019-03-07 04:21 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Paul Pluzhnikov 2017-01-17 01:41:13 UTC
Test case from LLVM libFuzzer.

Using current trunk binutils (libiberty identical to current trunk GCC r244514):

cxxfilt __H21111111109__nuDD2
cxxfilt: out of memory allocating 18446744070799748648 bytes after a total of 135168 bytes

(gdb) b __libc_malloc if bytes > 10000
Breakpoint 2 at 0x7ffff7893660: file malloc.c, line 2876.
(gdb) c
Continuing.

Breakpoint 2, __GI___libc_malloc (bytes=140737488345896) at malloc.c:2876
2876	malloc.c: No such file or directory.
(gdb) up 2
#2  0x00000000007bd246 in demangle_template (work=work@entry=0x7fffffffdba0, mangled=mangled@entry=0x7fffffffdb28, tname=tname@entry=0x7fffffffdb40, trawname=trawname@entry=0x0, is_type=is_type@entry=0, remember=remember@entry=0)
    at ../../libiberty/cplus-dem.c:2232
2232	      work->tmpl_argvec = XNEWVEC (char *, r);
(gdb) p r
$1 = -363725371

(gdb) bt
#0  __GI___libc_malloc (bytes=140737488345896) at malloc.c:2876
#1  0x00000000007d1158 in xmalloc (size=18446744070799748648) at ../../libiberty/xmalloc.c:147
#2  0x00000000007bd246 in demangle_template (work=work@entry=0x7fffffffdba0, mangled=mangled@entry=0x7fffffffdb28, tname=tname@entry=0x7fffffffdb40, trawname=trawname@entry=0x0, is_type=is_type@entry=0, remember=remember@entry=0)
    at ../../libiberty/cplus-dem.c:2232
#3  0x00000000007c05e6 in demangle_signature (work=work@entry=0x7fffffffdba0, mangled=mangled@entry=0x7fffffffdb28, declp=declp@entry=0x7fffffffdb40) at ../../libiberty/cplus-dem.c:1695
#4  0x00000000007c1435 in internal_cplus_demangle (work=work@entry=0x7fffffffdba0, mangled=0x7fffffffe0af "_nuDD2", mangled@entry=0x7fffffffe0a0 "__H21111111109__nuDD2") at ../../libiberty/cplus-dem.c:1261
#5  0x00000000007bc492 in cplus_demangle (mangled=0x7fffffffe0a0 "__H21111111109__nuDD2", options=11) at ../../libiberty/cplus-dem.c:922
#6  0x0000000000405644 in demangle_it (mangled_name=0x7fffffffe0a0 "__H21111111109__nuDD2") at ../../binutils/cxxfilt.c:62
#7  0x000000000040525c in main (argc=2, argv=0x7fffffffdd88) at ../../binutils/cxxfilt.c:227


Should get_count() check for int overflow?
Comment 1 Andrew Pinski 2018-10-31 06:58:57 UTC
*** Bug 83472 has been marked as a duplicate of this bug. ***
Comment 2 sandra 2019-03-07 04:01:09 UTC
Am I correct in thinking this bug has been rendered moot by commit 267363, which deleted most of the code in cplus-dem.c?
Comment 3 Paul Pluzhnikov 2019-03-07 04:21:24 UTC
Current binutils trunk no longer shows any allocations with bytes > 1024, so looks obsolete to me.