Re: RFA: Patch to fix severe recursion in d_count_templates_scopes (PR 89394)

[Jeff Law <law at redhat dot com>]

On 3/21/19 6:04 AM, Nick Clifton wrote:
> Hi Ian,
> 
>   Attached is a proposed patch to fix PR 89394, which contains an
>   artificial mangled name that triggers excessive recursion in
>   d_count_templates_scopes.  The patch uses the same recursion limit
>   that is already in place for d_print_comp, which I hope will be
>   acceptable.
> 
>   There is one frag in the patch which is not directly related to this
>   recursion problem however.  It extends the check in
>   cplus_demangle_fill_name so that names with a negative length are
>   rejected.  I had originally thought that the excessive recursion was
>   due to a negative length string, although further investigation proved
>   this guess to be wrong.  I felt that leaving the check in however
>   would still be a good idea.
> 
>   Tested with no regressions with an x86_64-linux-gnu toolchain, as well
>   as against the testcase in PR 89394.
> 
>   OK to apply ?
> 
> Cheers
>   Nick
> 
> libiberty/ChangeLog
> 2019-03-21  Nick Clifton  <nickc@redhat.com>
> 
> 	PR 89394
> 	* cp-demangle.c (cplus_demangle_fill_name): Reject negative
> 	lengths.
> 	(d_count_templates_scopes): Replace num_templates and num_scopes
> 	parameters with a struct d_print_info pointer parameter.  Adjust
> 	body of the function accordingly.  Add recursion counter and check
> 	that the recursion limit is not reached.
> 	(d_print_init): Pass dpi parameter to d_count_templates_scopes.
> 	Reset recursion counter afterwards, unless the recursion limit was
> 	reached.
> It's actually a fairly trivial patch once you know that d_print_init
sets up dpi :-)

Given some folks seem to think this is a security issue, I'm going to
ACK for gcc-9 even though it's not a regression.

Jeff