This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.
Re: RFA: Patch to fix severe recursion in d_count_templates_scopes (PR 89394)
- From: Jeff Law <law at redhat dot com>
- To: Nick Clifton <nickc at redhat dot com>, ian at airs dot com
- Cc: gcc-patches at gcc dot gnu dot org
- Date: Fri, 29 Mar 2019 15:54:09 -0600
- Subject: Re: RFA: Patch to fix severe recursion in d_count_templates_scopes (PR 89394)
- References: <87imwctovn.fsf@redhat.com>
On 3/21/19 6:04 AM, Nick Clifton wrote:
> Hi Ian,
>
> Attached is a proposed patch to fix PR 89394, which contains an
> artificial mangled name that triggers excessive recursion in
> d_count_templates_scopes. The patch uses the same recursion limit
> that is already in place for d_print_comp, which I hope will be
> acceptable.
>
> There is one frag in the patch which is not directly related to this
> recursion problem however. It extends the check in
> cplus_demangle_fill_name so that names with a negative length are
> rejected. I had originally thought that the excessive recursion was
> due to a negative length string, although further investigation proved
> this guess to be wrong. I felt that leaving the check in however
> would still be a good idea.
>
> Tested with no regressions with an x86_64-linux-gnu toolchain, as well
> as against the testcase in PR 89394.
>
> OK to apply ?
>
> Cheers
> Nick
>
> libiberty/ChangeLog
> 2019-03-21 Nick Clifton <nickc@redhat.com>
>
> PR 89394
> * cp-demangle.c (cplus_demangle_fill_name): Reject negative
> lengths.
> (d_count_templates_scopes): Replace num_templates and num_scopes
> parameters with a struct d_print_info pointer parameter. Adjust
> body of the function accordingly. Add recursion counter and check
> that the recursion limit is not reached.
> (d_print_init): Pass dpi parameter to d_count_templates_scopes.
> Reset recursion counter afterwards, unless the recursion limit was
> reached.

It's actually a fairly trivial patch once you know that d_print_init
sets up dpi :-)
Given some folks seem to think this is a security issue, I'm going to
ACK for gcc-9 even though it's not a regression.
Jeff
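
The quoted ChangeLog describes two defensive changes: a recursion limit on the counting pass that runs before printing, and rejection of bad name lengths. The sketch below is an added illustration of that pattern, not code from the patch or from libiberty: the types, the function names, the `RECURSION_LIMIT` value, the choice to reject zero as well as negative lengths, and the left-leaning chain used as input are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#define RECURSION_LIMIT 2048 /* assumed value for this sketch */

/* Simplified stand-ins for the component tree and the print state. */
struct comp { int is_template; struct comp *left, *right; const char *s; int len; };
struct print_info { int num_templates; int recursion; };

/* A name needs a positive length: NULL, zero and negative are all rejected. */
static int fill_name(struct comp *p, const char *s, int len) {
  if (p == NULL || s == NULL || len <= 0) return 0;
  *p = (struct comp){ 0, NULL, NULL, s, len };
  return 1;
}

/* Depth-limited walk; a counter that reaches the limit is never unwound. */
static void count_templates(struct print_info *pi, const struct comp *c) {
  if (c == NULL || pi->recursion >= RECURSION_LIMIT)
    return;
  pi->num_templates += c->is_template;
  ++pi->recursion;
  count_templates(pi, c->left);
  count_templates(pi, c->right);
  if (pi->recursion < RECURSION_LIMIT) --pi->recursion;
}

/* Returns 1 if printing may proceed, 0 if the tree was too deep. */
static int print_init(struct print_info *pi, const struct comp *root) {
  pi->num_templates = pi->recursion = 0;
  count_templates(pi, root);
  if (pi->recursion >= RECURSION_LIMIT)
    return 0;        /* counter stays set: the print pass must refuse */
  pi->recursion = 0; /* reset for the print pass */
  return 1;
}

/* Constructed input: link n array slots into one left-leaning chain. */
static struct comp *build_chain(struct comp *nodes, int n) {
  for (int i = 0; i < n; i++)
    nodes[i] = (struct comp){ 1, i + 1 < n ? &nodes[i + 1] : NULL, NULL, "T", 1 };
  return nodes;
}

int main(void) {
  static struct comp deep[4 * RECURSION_LIMIT], name;
  struct print_info pi;
  printf("negative length accepted=%d\n", fill_name(&name, "x", -1));
  printf("deep chain printable=%d\n", print_init(&pi, build_chain(deep, 4 * RECURSION_LIMIT)));
}
```

Because the counter is left at the limit after an overflow, stack depth stays bounded by `RECURSION_LIMIT` frames however deep the input tree is, and the caller has a single value to test before starting the print pass.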