In version 2.26 of cxxfilt, Valgrind reports an invalid write of size 4.

# valgrind ./cxxfilt `cat cxxfilt_12.29-12.30-24h-run3/error_level/level-2-double-54-g165.txt`
==23618== Memcheck, a memory error detector
==23618== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23618== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==23618== Command: ./cxxfilt $_Q9AEKm__RQ3______xewx_x6_$$[G_O2_2C__:
==23618==
==23618== Invalid write of size 4
==23618==    at 0x813A8E5: register_Btype (cplus-dem.c:4319)
==23618==    by 0x8138B02: demangle_qualified (cplus-dem.c:3287)
==23618==    by 0x8139739: do_type (cplus-dem.c:3771)
==23618==    by 0x813A5B4: do_arg (cplus-dem.c:4231)
==23618==    by 0x813ADA9: demangle_args (cplus-dem.c:4514)
==23618==    by 0x8135A90: demangle_signature (cplus-dem.c:1642)
==23618==    by 0x8134D07: internal_cplus_demangle (cplus-dem.c:1203)
==23618==    by 0x8134466: cplus_demangle (cplus-dem.c:886)
==23618==    by 0x8049A23: demangle_it (cxxfilt.c:62)
==23618==    by 0x8049E21: main (cxxfilt.c:227)
==23618==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23618==
==23618==
..
(In reply to zhangyuntao from comment #0)
> In the version 2.26 of cxxfilt, Valgrind reports an invalid write of size 4.
>
> # valgrind ./cxxfilt `cat cxxfilt_12.29-12.30-24h-run3/error_level/level-2-double-54-g165.txt`
> ==23618== Memcheck, a memory error detector
> ==23618== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==23618== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
> ==23618== Command: ./cxxfilt $_Q9AEKm__RQ3______xewx_x6_$$[G_O2_2C__:
> ==23618==
> ==23618== Invalid write of size 4
> ==23618==    at 0x813A8E5: register_Btype (cplus-dem.c:4319)
> ==23618==    by 0x8138B02: demangle_qualified (cplus-dem.c:3287)
> ==23618==    by 0x8139739: do_type (cplus-dem.c:3771)
> ==23618==    by 0x813A5B4: do_arg (cplus-dem.c:4231)
> ==23618==    by 0x813ADA9: demangle_args (cplus-dem.c:4514)
> ==23618==    by 0x8135A90: demangle_signature (cplus-dem.c:1642)
> ==23618==    by 0x8134D07: internal_cplus_demangle (cplus-dem.c:1203)
> ==23618==    by 0x8134466: cplus_demangle (cplus-dem.c:886)
> ==23618==    by 0x8049A23: demangle_it (cxxfilt.c:62)
> ==23618==    by 0x8049E21: main (cxxfilt.c:227)
> ==23618==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
> ==23618==
> ==23618==
> ..

Please attach the input.
Created attachment 50230: PoC
Ok, the input is garbage.
“Ok, the input is garbage.” Do you mean the input does not crash cxxfilt? Why does the program crash?
(In reply to zhangyuntao from comment #5)
> “Ok, the input is garbage.”
> Do you mean the input does not crash cxxfilt? Why does the program crash?

It likely makes cxxfilt crash. I'm just saying it's likely the product of a fuzzer and it's very unlikely to be fixed.
Actually, it _is_ fixed. This problem report is about version 2.26, which is many years old. Current versions don't have this problem, at the very least since the problematic code was removed wholesale in late 2018/early 2019.
(In reply to Michael Matz from comment #7)
> Actually, it _is_ fixed. This problem report is about version 2.26, which is many
> years old. Current versions don't have this problem, at the very least since
> the problematic code was removed wholesale in late 2018/early 2019.

Just checked - the problem is fixed in 2.27 and all later versions....
If it's still important for someone, then this is a duplicate of bug 67394 (CVE-2016-4487), which was solved by bug 70481 (CVE-2016-4488). So for version 2.26 use the patch https://gcc.gnu.org/git/?p=gcc.git;a=patch;h=9e6edb946c0e9a2c530fbae3eeace148eca0de33.