On 3 May 2016, at 10:40 PM, Marcel BÃhme <boehme.marcel@gmail.com> wrote:
Hi,
This fixes four access violations (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926).
Two of these first read the value of a length variable len from the mangled string, then strncpy len characters from the mangled string; more than necessary.
The other two read the value of an array index n from the mangled string, which can be negative due to an overflow.
Bootstrapped and regression tested on x86_64-pc-linux-gnu. Test cases added to libiberty/testsuite/demangler-expected and checked PR70926 is resolved.
Best regards,
- Marcel
Index: libiberty/ChangeLog
===================================================================
--- libiberty/ChangeLog (revision 235801)
+++ libiberty/ChangeLog (working copy)
@@ -1,3 +1,12 @@
+2016-05-03 Marcel BÃhme <boehme.marcel@gmail.com>
+
+ PR c++/70926
+ * cplus-dem.c: Handle large values and overflow when demangling
+ length variables.
+ (demangle_template_value_parm): Read only until end of mangled string.
+ (do_hpacc_template_literal): Likewise.
+ (do_type): Handle overflow when demangling array indices.