[Bug c++/70926] New: Libiberty Demangler segfaults (5)
boehme.marcel at gmail dot com
gcc-bugzilla@gcc.gnu.org
Tue May 3 12:58:00 GMT 2016
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926
Bug ID: 70926
Summary: Libiberty Demangler segfaults (5)
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: boehme.marcel at gmail dot com
Target Milestone: ---
A write access violation on the destination operand in the libiberty demangler
causes its host applications to crash. There are also two other read access
violations on the source operand that are caused by the same problem (overflow when
parsing a number).
How to reproduce:
$ valgrind c++filt 0__Ot2m02R5T0000500000
==86038== Invalid read of size 1
==86038== at 0x752150: do_type (cplus-dem.c:3729)
==86038== by 0x7640F5: do_arg (cplus-dem.c:4239)
==86038== by 0x7659D7: demangle_args (cplus-dem.c:4528)
==86038== by 0x778425: demangle_signature (cplus-dem.c:1645)
==86038== by 0x784701: internal_cplus_demangle (cplus-dem.c:1204)
==86038== by 0x74F572: cplus_demangle (cplus-dem.c:887)
==86038== by 0x406251: demangle_it (cxxfilt.c:62)
==86038== by 0x40582E: main (cxxfilt.c:227)
$ valgrind c++filt 0__GT50000000000_
==10196== Invalid read of size 8
==10196== at 0x7519A7: do_type (cplus-dem.c:3623)
==10196== by 0x763DB5: do_arg (cplus-dem.c:4249)
==10196== by 0x76568F: demangle_args (cplus-dem.c:4538)
==10196== by 0x778825: demangle_signature (cplus-dem.c:1653)
==10196== by 0x784961: internal_cplus_demangle (cplus-dem.c:1210)
==10196== by 0x74F582: cplus_demangle (cplus-dem.c:893)
==10196== by 0x406251: demangle_it (cxxfilt.c:62)
==10196== by 0x40582E: main (cxxfilt.c:227)
$ valgrind c++filt __t2m05B500000000000000000_
==13052== Invalid read of size 8
==13052== at 0x7541FF: do_type (cplus-dem.c:3798)
==13052== by 0x76B2B3: demangle_template.constprop.15 (cplus-dem.c:2241)
==13052== by 0x7761B7: demangle_signature (cplus-dem.c:1573)
==13052== by 0x784811: internal_cplus_demangle (cplus-dem.c:1210)
==13052== by 0x74F582: cplus_demangle (cplus-dem.c:893)
==13052== by 0x406251: demangle_it (cxxfilt.c:62)
==13052== by 0x40582E: main (cxxfilt.c:227)
Analysis: The demangler sometimes reads the value of an array index from the
mangled string. Now, it is checked whether it exceeds the array length.
However, the parsing can cause an overflow, and the index is negative.
This vulnerability was found with a more efficient version of AFL.
I am preparing a patch.
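The defensive pattern the analysis points to, as an added illustration that is not libiberty's code nor the reporter's patch: a count parser that refuses to wrap instead of silently going negative, and a bounds check that rejects both negative and too-large indices. The `T<n>` back-reference syntax and the type table are constructed for the demo and are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: parse a decimal count from the front of a mangled
 * string, but fail when the value would no longer fit in an int instead of
 * letting it wrap around and turn negative.
 * Returns the number of digits consumed, or 0 on failure (no digits, overflow). */
static size_t parse_count(const char *s, int *out)
{
    int value = 0;
    size_t i = 0;
    while (s[i] >= '0' && s[i] <= '9') {
        int digit = s[i] - '0';
        /* value * 10 + digit <= INT_MAX  <=>  value <= (INT_MAX - digit) / 10 */
        if (value > (INT_MAX - digit) / 10)
            return 0;               /* would overflow: reject rather than wrap */
        value = value * 10 + digit;
        i++;
    }
    if (i == 0)
        return 0;
    *out = value;
    return i;
}

/* Guard in both directions: only 0 <= idx < len is usable. Checking just
 * idx >= len lets a wrapped-negative index through, which is the read
 * described in the valgrind traces above. */
static bool index_in_bounds(int idx, size_t len)
{
    return idx >= 0 && (size_t)idx < len;
}

/* Constructed demo: resolve a back-reference "T<n>" into a table of
 * previously seen type names. NULL means malformed or out of range. */
static const char *resolve_backref(const char *s, const char *const *table, size_t n)
{
    int idx;
    if (s[0] != 'T' || parse_count(s + 1, &idx) == 0 || !index_in_bounds(idx, n))
        return NULL;
    return table[idx];
}

int main(void)
{
    const char *const types[] = { "int", "char", "long" };   /* constructed table */
    const char *r = resolve_backref("T50000000000_", types, 3);
    printf("%s\n", r ? r : "rejected");                      /* prints "rejected" */
    return 0;
}
```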