This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: [PING PATCH] demangler, only access valid fields for DEMANGLE_COMPONENT_FIXED_TYPE.


Jason, can you take a look?  Thanks.

Ian

On Tue, Aug 19, 2014 at 3:46 AM, Gary Benson <gbenson@redhat.com> wrote:
> Hi all,
>
> I just retested this patch.  The crash it fixes is still there,
> and the patch still fixes it.  Is this ok to commit?
>
> Cheers,
> Gary
>
> Andrew Burgess wrote:
>> In two places when a struct demangle_component is of type
>> DEMANGLE_COMPONENT_FIXED_TYPE we fall back to accessing the default
>> s_binary member of the union rather than the s_fixed member.  This
>> is incorrect and can cause the demangler to crash.
>>
>> In d_dump I've changed the code to only access the s_fixed member of
>> the union, and also added printing of the remaining parts of the
>> s_fixed struct; this felt like the most useful thing to do.
>>
>> I've added a new test; this causes a SIGSEGV for me before the
>> patch, and is fine afterwards. However, this is undefined, so it might
>> not cause a crash on all platforms.
>>
>> If this is approved then please could someone commit it for me; I
>> don't have gcc write access.
>>
>> Thanks,
>> Andrew
>>
>> libiberty/ChangeLog:
>>
>>       * cp-demangle.c (d_dump): Only access field from s_fixed part of
>>       the union for DEMANGLE_COMPONENT_FIXED_TYPE.
>>       (d_count_templates_scopes): Likewise.
>>       * testsuite/demangle-expected: New test case.
>> ---
>>  libiberty/cp-demangle.c               | 10 +++++++++-
>>  libiberty/testsuite/demangle-expected |  6 ++++++
>>  2 files changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
>> index 68d8ee1..a31dad4 100644
>> --- a/libiberty/cp-demangle.c
>> +++ b/libiberty/cp-demangle.c
>> @@ -710,7 +710,9 @@ d_dump (struct demangle_component *dc, int indent)
>>        printf ("pointer to member type\n");
>>        break;
>>      case DEMANGLE_COMPONENT_FIXED_TYPE:
>> -      printf ("fixed-point type\n");
>> +      printf ("fixed-point type, accum? %d, sat? %d\n",
>> +              dc->u.s_fixed.accum, dc->u.s_fixed.sat);
>> +      d_dump (dc->u.s_fixed.length, indent + 2)
>>        break;
>>      case DEMANGLE_COMPONENT_ARGLIST:
>>        printf ("argument list\n");
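Review bot: the added `d_dump (dc->u.s_fixed.length, indent + 2)` line in the DEMANGLE_COMPONENT_FIXED_TYPE case is missing its trailing semicolon, so this hunk does not compile as posted; it should read `d_dump (dc->u.s_fixed.length, indent + 2);`. It is also worth confirming in the reply that d_dump tolerates a NULL length pointer, since the new recursion passes s_fixed.length through unchecked.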
>> @@ -3869,7 +3871,13 @@ d_count_templates_scopes (int *num_templates, int *num_scopes,
>>      case DEMANGLE_COMPONENT_FUNCTION_TYPE:
>>      case DEMANGLE_COMPONENT_ARRAY_TYPE:
>>      case DEMANGLE_COMPONENT_PTRMEM_TYPE:
>> +      goto recurse_left_right;
>> +
>>      case DEMANGLE_COMPONENT_FIXED_TYPE:
>> +      d_count_templates_scopes (num_templates, num_scopes,
>> +                                dc->u.s_fixed.length);
>> +      break;
>> +
>>      case DEMANGLE_COMPONENT_VECTOR_TYPE:
>>      case DEMANGLE_COMPONENT_ARGLIST:
>>      case DEMANGLE_COMPONENT_TEMPLATE_ARGLIST:
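Review bot: the `goto recurse_left_right;` inserted after the PTRMEM_TYPE case refers to a label that is not visible in this hunk; please confirm it is the existing fall-through target so FUNCTION_TYPE, ARRAY_TYPE and PTRMEM_TYPE keep their previous left/right traversal. The new FIXED_TYPE branch now recurses only on `dc->u.s_fixed.length` and breaks, which is the substance of the fix; a one-line comment there noting that s_fixed has no left/right members would stop the next reader from folding it back into the fall-through list.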
>> diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
>> index 453f9a3..0e2bb12 100644
>> --- a/libiberty/testsuite/demangle-expected
>> +++ b/libiberty/testsuite/demangle-expected
>> @@ -4343,3 +4343,9 @@ cereal::detail::InputBindingMap<cereal::JSONInputArchive>::Serializers cereal::p
>>  --format=gnu-v3
>>  _ZNSt9_Any_data9_M_accessIPZ4postISt8functionIFvvEEEvOT_EUlvE_EERS5_v
>>  void post<std::function<void ()> >(std::function<void ()>&&)::{lambda()#1}*& std::_Any_data::_M_access<void post<std::function<void ()> >(void post<std::function<void ()> >(std::function<void ()>&&)::{lambda()#1}*&&)::{lambda()#1}*>()
>> +# The following input symbol was found during random, it caused a fault
>> +# within the demangler, it's not a symbol we'd expect in the real world.
>> +--format=auto --no-params
>> +_Z3xxxDFyuVb
>> +xxx(unsigned long long _Fract, bool volatile)
>> +xxx
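Review bot: the comment line `# The following input symbol was found during random, it caused a fault` is missing a word after "random" (random testing, presumably) and is a run-on; suggest splitting it into two sentences. Since the cover letter says the out-of-range union read is undefined behaviour and may not fault on every platform, it would also help to note in the comment that the case only reliably catches a regression when the testsuite runs under a memory checker.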
>> --
>> 1.8.1.3
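The bug Andrew describes above (reading the default s_binary union member of a node whose tag says it holds s_fixed) is a general tagged-union hazard. The following is an added example, not libiberty code: a cut-down model of struct demangle_component with a walker that, like the fixed d_count_templates_scopes, touches only the union member valid for each node's tag. The names node, s_binary, s_fixed, count_nodes and example_count are hypothetical stand-ins, and the tree in example_count is constructed here.

```c
/* Added example, not libiberty code. Models a tagged union like the
   one in struct demangle_component with hypothetical names. */
#include <stddef.h>

enum node_type { NODE_BINARY, NODE_FIXED_TYPE, NODE_LEAF };

struct node {
  enum node_type type;
  union {
    /* Default member: most node kinds have a left and right child. */
    struct { struct node *left; struct node *right; } s_binary;
    /* Fixed-point type: one child plus two flags, no left/right. */
    struct { struct node *length; int accum; int sat; } s_fixed;
  } u;
};

/* Count nodes reachable from n. Each case reads only the union member
   that its tag makes valid. Reading u.s_binary on a NODE_FIXED_TYPE
   node would reinterpret accum/sat as the right-child pointer, which
   is exactly the undefined read the demangler patch removes. */
int count_nodes(const struct node *n)
{
  if (n == NULL)
    return 0;
  switch (n->type) {
  case NODE_BINARY:
    return 1 + count_nodes(n->u.s_binary.left)
             + count_nodes(n->u.s_binary.right);
  case NODE_FIXED_TYPE:
    return 1 + count_nodes(n->u.s_fixed.length);
  case NODE_LEAF:
    return 1;
  }
  return 0;
}

/* Constructed tree: binary(fixed(leaf), leaf), i.e. 4 nodes. */
int example_count(void)
{
  struct node leaf1 = { NODE_LEAF, { { NULL, NULL } } };
  struct node leaf2 = { NODE_LEAF, { { NULL, NULL } } };
  struct node fixed = { NODE_FIXED_TYPE };
  struct node root = { NODE_BINARY };
  fixed.u.s_fixed.length = &leaf1;
  fixed.u.s_fixed.accum = 1;   /* non-pointer data in the union */
  fixed.u.s_fixed.sat = 1;
  root.u.s_binary.left = &fixed;
  root.u.s_binary.right = &leaf2;
  return count_nodes(&root);   /* returns 4 */
}
```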

