This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Fix for PR70481 Libiberty Demangler

From: Marcel BÃhme <boehme dot marcel at gmail dot com>
To: gcc-patches at gcc dot gnu dot org
Date: Thu, 31 Mar 2016 22:55:20 +0800
Subject: Fix for PR70481 Libiberty Demangler
Authentication-results: sourceware.org; auth=none

Hi,

This fixes the use-after-free detailed in https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

There is a variable ksize storing the amount of allocated memory for the array ktypevec. ksize being zero (0) indicates that some memory must be allocated upon the first write. When more memory is needed, both ksize and the memory are doubled during reallocation. At some point the memory for the array is freed (in squangle_mop_up) but the value of ksize remains. Since ksize is not 0, there is no indication that new memory must be allocated when there is another write to the array.

The same holds for bsize and btypevec.

Best regards,
- Marcel


Index: libiberty/cplus-dem.c
===================================================================
--- libiberty/cplus-dem.c	(revision 234607)
+++ libiberty/cplus-dem.c	(working copy)
@@ -1237,11 +1237,13 @@  squangle_mop_up (struct work_stuff *work)
     {
       free ((char *) work -> btypevec);
       work->btypevec = NULL;
+      work->bsize = 0;
     }
   if (work -> ktypevec != NULL)
     {
       free ((char *) work -> ktypevec);
       work->ktypevec = NULL;
+      work->ksize = 0;
     }
 }

Follow-Ups:
- Re: Fix for PR70481 Libiberty Demangler
  - From: Jeff Law

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]