This is the mail archive of the gdb-cvs@sourceware.org mailing list for the GDB project.



[binutils-gdb] libiberty: demangler crash with missing :? or fold expression component.


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ddc5804ebd4b2be29ad4e3e259f5c6e907f34f26

commit ddc5804ebd4b2be29ad4e3e259f5c6e907f34f26
Author: Mark Wielaard <mark@klomp.org>
Date:   Tue Nov 15 19:31:59 2016 +0000

    libiberty: demangler crash with missing :? or fold expression component.
    
    When constructing an :? or fold expression that requires a third
    expression only the first and second were explicitly checked to
    not be NULL. Since the third expression is also required in these
    constructs it needs to be explicitly checked and rejected when missing.
    Otherwise the demangler will crash once it tries to d_print the
    NULL component. Added two examples to demangle-expected of strings
    that would crash before this fix.
    
    Found by American Fuzzy Lop (afl) fuzzer.

Diff:
---
 libiberty/ChangeLog                   | 7 +++++++
 libiberty/cp-demangle.c               | 4 ++++
 libiberty/testsuite/demangle-expected | 8 ++++++++
 3 files changed, 19 insertions(+)

diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
index ea12ba2..1082431 100644
--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
@@ -1,3 +1,10 @@
+2016-11-15  Mark Wielaard  <mark@klomp.org>
+
+	* cp-demangle.c (d_expression_1): Make sure third expression
+	exists for ?: and fold expressions.
+	* testsuite/demangle-expected: Add examples of strings that could
+	crash the demangler because of missing expression.
+
 2016-11-14  Mark Wielaard  <mark@klomp.org>
 
 	* cplus-dem.c (demangle_signature): After 'H', template function,
diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
index e239155..45663fe 100644
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -3415,6 +3415,8 @@ d_expression_1 (struct d_info *di)
 		first = d_expression_1 (di);
 		second = d_expression_1 (di);
 		third = d_expression_1 (di);
+		if (third == NULL)
+		  return NULL;
 	      }
 	    else if (code[0] == 'f')
 	      {
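Review bot: the new `if (third == NULL) return NULL;` after the third `d_expression_1 (di)` call in the ?: branch has no comment, and the reason it exists (per the commit message, d_print later hits the NULL component) is recorded only in the log. Suggest a one-line comment above the check stating that all three operands are mandatory for ?:, so the check is not dropped as redundant in a later cleanup.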
@@ -3422,6 +3424,8 @@ d_expression_1 (struct d_info *di)
 		first = d_operator_name (di);
 		second = d_expression_1 (di);
 		third = d_expression_1 (di);
+		if (third == NULL)
+		  return NULL;
 	      }
 	    else if (code[0] == 'n')
 	      {
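Review bot: the check added after `third = d_expression_1 (di);` in the `code[0] == 'f'` branch is the same two lines as in the ?: branch above, so the rule that the third operand is mandatory now lives in two places. If the `code[0] == 'n'` branch that follows may legitimately leave third NULL, that explains why this cannot be merged into the existing first/second check the commit message mentions, and a short comment saying so would help; otherwise consider a single shared check.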
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
index 236161c..af491d8 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -4626,3 +4626,11 @@ _$_H1R
 # Could crash
 _Q8ccQ4M2e.
 _Q8ccQ4M2e.
+
+# fold-expression with missing third component could crash.
+_Z12binary_rightIJLi1ELi2ELi3EEEv1AIXfRplT_LiEEE
+_Z12binary_rightIJLi1ELi2ELi3EEEv1AIXfRplT_LiEEE
+
+# ?: expression with missing third component could crash.
+AquT_quT_4mxautouT_4mxxx
+AquT_quT_4mxautouT_4mxxx
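Review bot: the two new entries cover rejection only (each expected line repeats its input), and the `#` comments do not say where in the string the third operand is missing. Since these are fuzzer-found strings and hard to read, consider extending each comment to name the operator code that starts the incomplete expression (`fR` in the first, `qu` in the second), and confirm the suite already has a well-formed ternary fold and ?: case so the new checks are also shown not to reject valid input.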

