[PATCH 01/10] libiberty: Fix an out of bounds read in d_expression_1()

Jeff Law law@redhat.com
Mon Apr 29 22:51:00 GMT 2019


On 1/10/19 5:13 PM, Ben L wrote:
> Hi all,
> 
> First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
> there are obvious errors repeated in my patches. AFAICT I should be sending each
> change individually rather than as one bulk patch, so I'm sorry about the spam
> too.
> 
> All of these changes were found by fuzzing libiberty's demanglers over the
> past week, and I have at least one more that it's currently crashing out on
> but I haven't had time to look into why yet.
> 
> Obviously since this is my first time emailing I don't have write access to
> commit any of these, so if any are approved then I'd be grateful if you can
> commit them too.
> 
> Thanks,
> Ben
> 
> --
> 
> Passing "_ZmmAtl" to cplus_demangle() causes it to read past the end of the
> input buffer. This is because cplus_demangle_type() may advance the current
> offset so when control returns to d_expression_1() the current char may now
> be the last valid byte and hence we cannot peek at the next char.
> 
> Fixed this by checking that the current char is still valid before checking
> that the next char is too.
> 
>      * cp-demangle.c (d_expression_1): Don't peek ahead unless the current
>      char is valid.
>      * testsuite/demangle-expected: Add testcase.
> 
Thanks.  I've committed this to the GCC trunk.

jeff
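As an added illustration (not Ben's patch and not libiberty's own code) of the bounds-check pattern the description above refers to: a toy parser with the same shape, where a sub-parser may leave the cursor on the terminating NUL and the caller must confirm the current char is valid before peeking one further. The names `cursor`, `peek`, `peek_next`, `parse_type`, `parse_expression` and `demangle_suffix` are hypothetical stand-ins for cp-demangle.c's internals, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Cursor over a NUL-terminated mangled name.  `end` points at the
   terminator, so *end is the last byte the caller guarantees readable. */
struct cursor { const char *p; const char *end; };

static char peek(const struct cursor *c) { return *c->p; }   /* p <= end */

/* The next byte only exists when the current one is not the terminator.
   Reading c->p[1] without that check is the out-of-bounds read; this helper
   returns '\0' instead of overrunning. */
static char peek_next(const struct cursor *c)
{
    return (c->p < c->end) ? c->p[1] : '\0';
}

/* Stand-in for a sub-parser like cplus_demangle_type(): consumes one type
   code and may leave the cursor sitting on the terminator. */
static int parse_type(struct cursor *c)
{
    if (peek(c) == '\0') return 0;
    c->p++;
    return 1;
}

/* Toy grammar with the same shape as d_expression_1(): 'm', a type, then an
   optional two-char suffix "<qualifier>Z".  Returns 1 if the suffix was
   present, 0 if not, -1 on malformed input. */
static int parse_expression(struct cursor *c)
{
    if (peek(c) != 'm') return -1;
    c->p++;
    if (!parse_type(c)) return -1;   /* may stop on the NUL, e.g. for "mA" */
    /* The guard the patch describes: the current char must be valid before
       we look at the one after it. */
    if (peek(c) != '\0' && peek_next(c) == 'Z') {
        c->p += 2;
        return 1;
    }
    return 0;
}

/* Wraps parse_expression() over a constructed input string. */
int demangle_suffix(const char *s)
{
    struct cursor c = { s, s + strlen(s) };
    return parse_expression(&c);
}

int main(void)
{
    const char *inputs[] = { "mAsZ", "mA", "mAs", "m" };   /* constructed */
    for (int i = 0; i < 4; i++)
        printf("%-5s -> %d\n", inputs[i], demangle_suffix(inputs[i]));
    return 0;
}
```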