[PING PATCH] demangler, only access valid fields for DEMANGLE_COMPONENT_FIXED_TYPE.
Gary Benson
gbenson@redhat.com
Tue Aug 19 10:46:00 GMT 2014
Hi all,
I just retested this patch. The crash it fixes is still there,
and the patch still fixes it. Is this ok to commit?
Cheers,
Gary
Andrew Burgess wrote:
> In two places when a struct demangle_component is of type
> DEMANGLE_COMPONENT_FIXED_TYPE we fall back to accessing the default
> s_binary member of the union rather than the s_fixed member. This
> is incorrect and can cause the demangler to crash.
>
> In d_dump I've changed the code to only access the s_fixed member of
> the union, and also added printing of the remaining parts of the
> s_fixed struct; this felt like the most useful thing to do.
>
> I've added a new test, this causes a SIGSEGV for me before the
> patch, and is fine afterwards; however, this is undefined, so it might
> not cause a crash on all platforms.
>
> If this is approved then please could someone commit it for me, I
> don't have gcc write access.
>
> Thanks,
> Andrew
>
> libiberty/ChangeLog:
>
> * cp-demangle.c (d_dump): Only access field from s_fixed part of
> the union for DEMANGLE_COMPONENT_FIXED_TYPE.
> (d_count_templates_scopes): Likewise.
> * testsuite/demangle-expected: New test case.
> ---
> libiberty/cp-demangle.c | 10 +++++++++-
> libiberty/testsuite/demangle-expected | 6 ++++++
> 2 files changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
> index 68d8ee1..a31dad4 100644
> --- a/libiberty/cp-demangle.c
> +++ b/libiberty/cp-demangle.c
> @@ -710,7 +710,9 @@ d_dump (struct demangle_component *dc, int indent)
> printf ("pointer to member type\n");
> break;
> case DEMANGLE_COMPONENT_FIXED_TYPE:
> - printf ("fixed-point type\n");
> + printf ("fixed-point type, accum? %d, sat? %d\n",
> + dc->u.s_fixed.accum, dc->u.s_fixed.sat);
> + d_dump (dc->u.s_fixed.length, indent + 2)
> break;
> case DEMANGLE_COMPONENT_ARGLIST:
> printf ("argument list\n");
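Review bot: the added `d_dump (dc->u.s_fixed.length, indent + 2)` line is missing its terminating semicolon, so this hunk does not compile as posted; it should read `d_dump (dc->u.s_fixed.length, indent + 2);`. Beyond that, the case keeps the original `break;`, so please confirm that nothing after the switch still recurses through the generic left/right pointers for this node; if it does, the s_binary access described in the cover text is still reachable for DEMANGLE_COMPONENT_FIXED_TYPE and the case should return instead.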
> @@ -3869,7 +3871,13 @@ d_count_templates_scopes (int *num_templates, int *num_scopes,
> case DEMANGLE_COMPONENT_FUNCTION_TYPE:
> case DEMANGLE_COMPONENT_ARRAY_TYPE:
> case DEMANGLE_COMPONENT_PTRMEM_TYPE:
> + goto recurse_left_right;
> +
> case DEMANGLE_COMPONENT_FIXED_TYPE:
> + d_count_templates_scopes (num_templates, num_scopes,
> + dc->u.s_fixed.length);
> + break;
> +
> case DEMANGLE_COMPONENT_VECTOR_TYPE:
> case DEMANGLE_COMPONENT_ARGLIST:
> case DEMANGLE_COMPONENT_TEMPLATE_ARGLIST:
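Review bot: the new `goto recurse_left_right;` targets a label that is not visible in this hunk, so please confirm it exists in d_count_templates_scopes and performs exactly the recursion that FUNCTION_TYPE, ARRAY_TYPE and PTRMEM_TYPE previously reached by falling through into the VECTOR_TYPE/ARGLIST group; behaviour for those three cases must remain unchanged. The FIXED_TYPE branch is right to recurse only into `dc->u.s_fixed.length`, which relies on d_count_templates_scopes tolerating a NULL component; worth a one-line check at the top of the function if it does not already have one.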
> diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
> index 453f9a3..0e2bb12 100644
> --- a/libiberty/testsuite/demangle-expected
> +++ b/libiberty/testsuite/demangle-expected
> @@ -4343,3 +4343,9 @@ cereal::detail::InputBindingMap<cereal::JSONInputArchive>::Serializers cereal::p
> --format=gnu-v3
> _ZNSt9_Any_data9_M_accessIPZ4postISt8functionIFvvEEEvOT_EUlvE_EERS5_v
> void post<std::function<void ()> >(std::function<void ()>&&)::{lambda()#1}*& std::_Any_data::_M_access<void post<std::function<void ()> >(void post<std::function<void ()> >(std::function<void ()>&&)::{lambda()#1}*&&)::{lambda()#1}*>()
> +# The following input symbol was found during random, it caused a fault
> +# within the demangler, it's not a symbol we'd expect in the real world.
> +--format=auto --no-params
> +_Z3xxxDFyuVb
> +xxx(unsigned long long _Fract, bool volatile)
> +xxx
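Review bot: the comment above the new test reads "found during random", which is missing a word after "random"; please complete it so the provenance of the input is clear. Since the cover text notes the fault is undefined behaviour and may not crash on every platform, it would also help to mention that the test was run under a memory checker (Valgrind or AddressSanitizer) so the regression test is deterministic rather than dependent on a lucky segfault.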
> --
> 1.8.1.3