[RFC PATCH libiberty] Fix infinite recursion in demangler

Markus Trippelsdorf markus@trippelsdorf.de
Thu Mar 2 09:36:00 GMT 2017


The following patch from Mark Wielaard fixes many (all?) open demangler
bugs that happen because we overflow the stack due to infinite
recursion.

I'm not sure why Mark didn't post the patch himself.
Anyway here it is.
Any comments?
Thanks.

diff --git a/include/demangle.h b/include/demangle.h
index 7cc955dc28d5..996203b2d786 100644
--- a/include/demangle.h
+++ b/include/demangle.h
@@ -494,6 +494,11 @@ struct demangle_component
   /* The type of this component.  */
   enum demangle_component_type type;
 
+  /* Guard against recursive component printing.
+     Initialize to zero.  Private to d_print_comp.
+     All other fields are final after initialization.  */
+  int d_printing;
+
   union
   {
     /* For DEMANGLE_COMPONENT_NAME.  */
@@ -688,7 +693,7 @@ cplus_demangle_v3_components (const char *mangled, int options, void **mem);
 
 extern char *
 cplus_demangle_print (int options,
-                      const struct demangle_component *tree,
+                      struct demangle_component *tree,
                       int estimated_length,
                       size_t *p_allocated_size);
 
@@ -708,7 +713,7 @@ cplus_demangle_print (int options,
 
 extern int
 cplus_demangle_print_callback (int options,
-                               const struct demangle_component *tree,
+                               struct demangle_component *tree,
                                demangle_callbackref callback, void *opaque);
 
 #ifdef __cplusplus
diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
index f0dbf9381c6b..341a4182c0b6 100644
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -172,10 +172,10 @@ static struct demangle_component *d_mangled_name (struct d_info *, int);
 static struct demangle_component *d_type (struct d_info *);
 
 #define cplus_demangle_print d_print
-static char *d_print (int, const struct demangle_component *, int, size_t *);
+static char *d_print (int, struct demangle_component *, int, size_t *);
 
 #define cplus_demangle_print_callback d_print_callback
-static int d_print_callback (int, const struct demangle_component *,
+static int d_print_callback (int, struct demangle_component *,
                              demangle_callbackref, void *);
 
 #define cplus_demangle_init_info d_init_info
@@ -264,7 +264,7 @@ struct d_print_mod
      in which they appeared in the mangled string.  */
   struct d_print_mod *next;
   /* The modifier.  */
-  const struct demangle_component *mod;
+  struct demangle_component *mod;
   /* Whether this modifier was printed.  */
   int printed;
   /* The list of templates which applies to this modifier.  */
@@ -530,7 +530,7 @@ static inline void d_append_string (struct d_print_info *, const char *);
 static inline char d_last_char (struct d_print_info *);
 
 static void
-d_print_comp (struct d_print_info *, int, const struct demangle_component *);
+d_print_comp (struct d_print_info *, int, struct demangle_component *);
 
 static void
 d_print_java_identifier (struct d_print_info *, const char *, int);
@@ -539,25 +539,25 @@ static void
 d_print_mod_list (struct d_print_info *, int, struct d_print_mod *, int);
 
 static void
-d_print_mod (struct d_print_info *, int, const struct demangle_component *);
+d_print_mod (struct d_print_info *, int, struct demangle_component *);
 
 static void
 d_print_function_type (struct d_print_info *, int,
-                       const struct demangle_component *,
+                       struct demangle_component *,
                        struct d_print_mod *);
 
 static void
 d_print_array_type (struct d_print_info *, int,
-                    const struct demangle_component *,
+                    struct demangle_component *,
                     struct d_print_mod *);
 
 static void
-d_print_expr_op (struct d_print_info *, int, const struct demangle_component *);
+d_print_expr_op (struct d_print_info *, int, struct demangle_component *);
 
 static void d_print_cast (struct d_print_info *, int,
-			  const struct demangle_component *);
+			  struct demangle_component *);
 static void d_print_conversion (struct d_print_info *, int,
-				const struct demangle_component *);
+				struct demangle_component *);
 
 static int d_demangle_callback (const char *, int,
                                 demangle_callbackref, void *);
@@ -923,6 +923,7 @@ d_make_empty (struct d_info *di)
   if (di->next_comp >= di->num_comps)
     return NULL;
   p = &di->comps[di->next_comp];
+  p->d_printing = 0;
   ++di->next_comp;
   return p;
 }
@@ -4249,7 +4250,7 @@ d_last_char (struct d_print_info *dpi)
 CP_STATIC_IF_GLIBCPP_V3
 int
 cplus_demangle_print_callback (int options,
-                               const struct demangle_component *dc,
+                               struct demangle_component *dc,
                                demangle_callbackref callback, void *opaque)
 {
   struct d_print_info dpi;
@@ -4292,7 +4293,7 @@ cplus_demangle_print_callback (int options,
 
 CP_STATIC_IF_GLIBCPP_V3
 char *
-cplus_demangle_print (int options, const struct demangle_component *dc,
+cplus_demangle_print (int options, struct demangle_component *dc,
                       int estimate, size_t *palc)
 {
   struct d_growable_string dgs;
@@ -4452,7 +4453,7 @@ d_args_length (struct d_print_info *dpi, const struct demangle_component *dc)
 
 static void
 d_print_subexpr (struct d_print_info *dpi, int options,
-		 const struct demangle_component *dc)
+		 struct demangle_component *dc)
 {
   int simple = 0;
   if (dc->type == DEMANGLE_COMPONENT_NAME
@@ -4528,9 +4529,9 @@ d_get_saved_scope (struct d_print_info *dpi,
 
 static int
 d_maybe_print_fold_expression (struct d_print_info *dpi, int options,
-			       const struct demangle_component *dc)
+			       struct demangle_component *dc)
 {
-  const struct demangle_component *ops, *operator_, *op1, *op2;
+  struct demangle_component *ops, *operator_, *op1, *op2;
   int save_idx;
 
   const char *fold_code = d_left (dc)->u.s_operator.op->code;
@@ -4591,11 +4592,11 @@ d_maybe_print_fold_expression (struct d_print_info *dpi, int options,
 
 static void
 d_print_comp_inner (struct d_print_info *dpi, int options,
-		    const struct demangle_component *dc)
+		    struct demangle_component *dc)
 {
   /* Magic variable to let reference smashing skip over the next modifier
      without needing to modify *dc.  */
-  const struct demangle_component *mod_inner = NULL;
+  struct demangle_component *mod_inner = NULL;
 
   /* Variable used to store the current templates while a previously
      captured scope is used.  */
@@ -4980,7 +4981,7 @@ d_print_comp_inner (struct d_print_info *dpi, int options,
     case DEMANGLE_COMPONENT_RVALUE_REFERENCE:
       {
 	/* Handle reference smashing: & + && = &.  */
-	const struct demangle_component *sub = d_left (dc);
+	struct demangle_component *sub = d_left (dc);
 	if (!dpi->is_lambda_arg
 	    && sub->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM)
 	  {
@@ -5683,9 +5684,16 @@ d_print_comp_inner (struct d_print_info *dpi, int options,
 
 static void
 d_print_comp (struct d_print_info *dpi, int options,
-	      const struct demangle_component *dc)
+	      struct demangle_component *dc)
 {
   struct d_component_stack self;
+  if (dc == NULL || dc->d_printing > 1)
+    {
+      d_print_error (dpi);
+      return;
+    }
+  else
+    dc->d_printing++;
 
   self.dc = dc;
   self.parent = dpi->component_stack;
@@ -5694,6 +5702,7 @@ d_print_comp (struct d_print_info *dpi, int options,
   d_print_comp_inner (dpi, options, dc);
 
   dpi->component_stack = self.parent;
+  dc->d_printing--;
 }
 
 /* Print a Java dentifier.  For Java we try to handle encoded extended
@@ -5835,7 +5844,7 @@ d_print_mod_list (struct d_print_info *dpi, int options,
 
 static void
 d_print_mod (struct d_print_info *dpi, int options,
-             const struct demangle_component *mod)
+             struct demangle_component *mod)
 {
   switch (mod->type)
     {
@@ -5927,7 +5936,7 @@ d_print_mod (struct d_print_info *dpi, int options,
 
 static void
 d_print_function_type (struct d_print_info *dpi, int options,
-                       const struct demangle_component *dc,
+                       struct demangle_component *dc,
                        struct d_print_mod *mods)
 {
   int need_paren;
@@ -6005,7 +6014,7 @@ d_print_function_type (struct d_print_info *dpi, int options,
 
 static void
 d_print_array_type (struct d_print_info *dpi, int options,
-                    const struct demangle_component *dc,
+                    struct demangle_component *dc,
                     struct d_print_mod *mods)
 {
   int need_space;
@@ -6059,7 +6068,7 @@ d_print_array_type (struct d_print_info *dpi, int options,
 
 static void
 d_print_expr_op (struct d_print_info *dpi, int options,
-                 const struct demangle_component *dc)
+                 struct demangle_component *dc)
 {
   if (dc->type == DEMANGLE_COMPONENT_OPERATOR)
     d_append_buffer (dpi, dc->u.s_operator.op->name,
@@ -6072,7 +6081,7 @@ d_print_expr_op (struct d_print_info *dpi, int options,
 
 static void
 d_print_cast (struct d_print_info *dpi, int options,
-		    const struct demangle_component *dc)
+	      struct demangle_component *dc)
 {
   d_print_comp (dpi, options, d_left (dc));
 }
@@ -6081,7 +6090,7 @@ d_print_cast (struct d_print_info *dpi, int options,
 
 static void
 d_print_conversion (struct d_print_info *dpi, int options,
-		    const struct demangle_component *dc)
+		    struct demangle_component *dc)
 {
   struct d_print_template dpt;
 
diff --git a/libiberty/cp-demint.c b/libiberty/cp-demint.c
index 64baffac8ddc..13a71d96dec1 100644
--- a/libiberty/cp-demint.c
+++ b/libiberty/cp-demint.c
@@ -123,6 +123,7 @@ cplus_demangle_fill_component (struct demangle_component *p,
   p->type = type;
   p->u.s_binary.left = left;
   p->u.s_binary.right = right;
+  p->d_printing = 0;
 
   return 1;
 }
@@ -146,6 +147,7 @@ cplus_demangle_fill_builtin_type (struct demangle_component *p,
 	{
 	  p->type = DEMANGLE_COMPONENT_BUILTIN_TYPE;
 	  p->u.s_builtin.type = &cplus_demangle_builtin_types[i];
+	  p->d_printing = 0;
 	  return 1;
 	}
     }
@@ -172,6 +174,7 @@ cplus_demangle_fill_operator (struct demangle_component *p,
 	{
 	  p->type = DEMANGLE_COMPONENT_OPERATOR;
 	  p->u.s_operator.op = &cplus_demangle_operators[i];
+	  p->d_printing = 0;
 	  return 1;
 	}
     }
-- 
Markus



More information about the Gcc-patches mailing list