Bug 23677 - The stack overflow in function cplus_demangle_type in cp-demangle.c:2565 ( c++filt -t )
Status: RESOLVED MOVED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.31
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-17 14:20 UTC by wcventure
Modified: 2018-09-18 06:41 UTC
CC List: 1 user

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
POC-c++filt-t (56 bytes, text/plain)
2018-09-17 14:20 UTC, wcventure

Description wcventure 2018-09-17 14:20:37 UTC
Created attachment 11252
POC-c++filt-t

Hi,

We have found a stack overflow in function cplus_demangle_type in cp-demangle.c:2565 in c++filt of the latest binutils code base.

Here is the POC file. Please use "c++filt -t < $POC" to reproduce the bug. Thank you very much.


Command: "c++filt -t < $POC" (Please remember to use the option -t)

AddressSanitizer:DEADLYSIGNAL
=================================================================
==21814==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcafaefbc0 (pc 0x0000008d3eb1 bp 0x7ffcafaf02d0 sp 0x7ffcafaefbc0 T0)
    #0 0x8d3eb0 in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2367
    #1 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5
    #2 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5
    #3 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5
    #4 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5
    #5 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5
    #6 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5
    #7 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5
    #8 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5
    #9 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5
    ...
    #246 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5
    #247 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5
    #248 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5
    #249 0x8d523c in cplus_demangle_type .../binutils-2.31/libiberty/./cp-demangle.c:2565:5

SUMMARY: AddressSanitizer: stack-overflow .../binutils-2.31/libiberty/./cp-demangle.c:2367 in cplus_demangle_type
==21814==ABORTING
Aborted
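The trace above shows one frame (cplus_demangle_type calling itself from line 2565) repeated until the stack is exhausted. The following is an added example, not code from binutils or libiberty: a toy recursive-descent parser for a tiny subset of Itanium-style type encodings ("P" = pointer to, "R" = reference to, "i" = int, "c" = char) whose nested-prefix recursion has the same shape, with a depth limit (the value 64 and all names are assumptions) that turns runaway nesting into a clean parse failure instead of a stack overflow.

```c
/* Added example, not libiberty code. Names, grammar subset and the limit
   are assumptions chosen to illustrate the recursion pattern. */
#include <stddef.h>
#include <string.h>

#define MAX_TYPE_DEPTH 64   /* hypothetical limit, not libiberty's value */

struct type_info {
    const char *p;      /* current position in the encoding */
    int depth;          /* current recursion depth */
    int max_depth;      /* deepest level reached (for inspection) */
};

/* Returns 1 on success, 0 on malformed input or excessive nesting.
   Each "P"/"R" prefix recurses into parse_type for the pointee type,
   exactly like a demangler's type parser; the depth check is the guard. */
static int parse_type(struct type_info *ti)
{
    if (ti->depth >= MAX_TYPE_DEPTH)
        return 0;                       /* refuse instead of recursing further */
    ti->depth++;
    if (ti->depth > ti->max_depth)
        ti->max_depth = ti->depth;

    int ok;
    switch (*ti->p) {
    case 'P': case 'R':
        ti->p++;
        ok = parse_type(ti);            /* recursion on the nested type */
        break;
    case 'i': case 'c':
        ti->p++;
        ok = 1;                         /* builtin leaf type */
        break;
    default:
        ok = 0;                         /* unknown or truncated encoding */
    }
    ti->depth--;
    return ok;
}

/* Parse a whole encoding; reports the deepest nesting reached. */
int demangle_type_depth(const char *enc, int *max_depth_out)
{
    struct type_info ti = { enc, 0, 0 };
    int ok = parse_type(&ti) && *ti.p == '\0';
    if (max_depth_out)
        *max_depth_out = ti.max_depth;
    return ok;
}

/* Constructed sample input: n pointer prefixes around int, n=2 -> "PPi". */
void make_nested(char *buf, size_t n)
{
    memset(buf, 'P', n);
    buf[n] = 'i';
    buf[n + 1] = '\0';
}
```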
Comment 1 Nick Clifton 2018-09-17 15:11:01 UTC
Hi wcventure,

  Thank you for reporting this bug.

  The libiberty library, which includes the cplus_demangle_type function
  is actually part of the gcc project, rather than the binutils project.
  (The binutils use the library, but we do not maintain it).  Therefore,
  please could you refile this bug report here:

https://gcc.gnu.org/bugzilla/enter_bug.cgi?product=gcc

  Thank you.

Cheers
  Nick
Comment 2 wcventure 2018-09-18 06:41:13 UTC
(In reply to Nick Clifton from comment #1)
> Hi wcventure,
> 
>   Thank you for reporting this bug.
> 
>   The libiberty library, which includes the cplus_demangle_type function
>   is actually part of the gcc project, rather than the binutils project.
>   (The binutils use the library, but we do not maintain it).  Therefore,
>   please could you refile this bug report here:
> 
> https://gcc.gnu.org/bugzilla/enter_bug.cgi?product=gcc
> 
>   Thank you.
> 
> Cheers
>   Nick

Thank you very much, I have reported this bug to gcc project.

The link:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335