https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492

Bug ID: 70492
Summary: Libiberty Demangler segfaults (2)
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: boehme.marcel at gmail dot com
Target Milestone: ---

Valgrind reports an invalid write of size 8 due to an integer overflow in the demangling of virtual tables in method gnu_special.

How to Reproduce:

$ valgrind c++filt __vt_90000000000cafebabe
==69112== Invalid write of size 8
==69112==    at 0x4C2F793: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==69112==    by 0x781F4A: memcpy (string3.h:51)
==69112==    by 0x781F4A: string_appendn (cplus-dem.c:4855)
==69112==    by 0x781F4A: gnu_special (cplus-dem.c:3015)
==69112==    by 0x782B3E: internal_cplus_demangle (cplus-dem.c:1191)
==69112==    by 0x74F572: cplus_demangle (cplus-dem.c:887)
==69112==    by 0x406251: demangle_it (cxxfilt.c:62)
==69112==    by 0x40582E: main (cxxfilt.c:227)
==69112==  Address 0x5400060 is 0 bytes after a block of size 32 alloc'd
==69112==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==69112==    by 0x7F919C: xmalloc (xmalloc.c:147)
==69112==    by 0x782367: string_need (cplus-dem.c:4775)
==69112==    by 0x782367: string_appendn (cplus-dem.c:4854)
==69112==    by 0x782367: gnu_special (cplus-dem.c:3015)
==69112==    by 0x782B3E: internal_cplus_demangle (cplus-dem.c:1191)
==69112==    by 0x74F572: cplus_demangle (cplus-dem.c:887)
==69112==    by 0x406251: demangle_it (cxxfilt.c:62)
==69112==    by 0x40582E: main (cxxfilt.c:227)
==69112== 
==69112== Invalid read of size 8
==69112==    at 0x4C2F79E: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==69112==    by 0x781F4A: memcpy (string3.h:51)
==69112==    by 0x781F4A: string_appendn (cplus-dem.c:4855)
==69112==    by 0x781F4A: gnu_special (cplus-dem.c:3015)
==69112==    by 0x782B3E: internal_cplus_demangle (cplus-dem.c:1191)
==69112==    by 0x74F572: cplus_demangle (cplus-dem.c:887)
==69112==    by 0x406251: demangle_it (cxxfilt.c:62)
==69112==    by 0x40582E: main (cxxfilt.c:227)
==69112==  Address 0xfff001000 is not stack'd, malloc'd or (recently) free'd
..
==69112== 
==69112== HEAP SUMMARY:
==69112==     in use at exit: 32 bytes in 1 blocks
==69112==   total heap usage: 1 allocs, 0 frees, 32 bytes allocated
==69112== 
==69112== LEAK SUMMARY:
==69112==    definitely lost: 0 bytes in 0 blocks
==69112==    indirectly lost: 0 bytes in 0 blocks
==69112==      possibly lost: 0 bytes in 0 blocks
==69112==    still reachable: 32 bytes in 1 blocks
==69112==         suppressed: 0 bytes in 0 blocks
==69112== Rerun with --leak-check=full to see details of leaked memory
==69112== 
==69112== For counts of detected and suppressed errors, rerun with: -v
==69112== ERROR SUMMARY: 243 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault

Bug Fix: Handle the special case when consume_count returns -1 due to an integer overflow in gnu_special for the length of the virtual table qualifier. Preparing a patch.
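The failure pattern the report describes, as an added, self-contained illustration that is not libiberty's code and not the reporter's patch: a decimal length prefix such as the "90000000000" in __vt_90000000000cafebabe is parsed by a helper that signals overflow by returning -1, and a caller that forwards that -1 to memcpy as a length (the size_t conversion turns it into a huge value) writes past the buffer. The names consume_count, copy_counted_component and vtable_component_from_symbol below are this example's own simplified stand-ins; the overflow check is a plain INT_MAX bound, chosen here for clarity rather than copied from cplus-dem.c.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a run of decimal digits at *p as a length.  Advances *p past the
   digits.  Returns -1 when there are no digits or the value would not fit
   in an int; on overflow the remaining digits are still skipped so the
   caller's cursor is not left in the middle of the number.
   Simplified stand-in for the libiberty helper; not the original code.  */
static int
consume_count(const char **p)
{
    int count = 0;

    if (!isdigit((unsigned char)**p))
        return -1;

    while (isdigit((unsigned char)**p)) {
        int digit = **p - '0';
        (*p)++;
        /* Overflow guard: count * 10 + digit must stay <= INT_MAX.  */
        if (count > (INT_MAX - digit) / 10) {
            while (isdigit((unsigned char)**p))
                (*p)++;
            return -1;
        }
        count = count * 10 + digit;
    }
    return count;
}

/* Copy an n-byte component whose length n is given by a digit prefix.
   The bug class: with only `n > strlen(p)` as the bound, a -1 from
   consume_count passes the check and reaches memcpy as (size_t)-1.
   Rejecting n < 0 first closes that hole.  Returns a malloc'd string or
   NULL on a malformed length.  */
static char *
copy_counted_component(const char *mangled)
{
    const char *p = mangled;
    int n = consume_count(&p);

    if (n < 0 || (size_t)n > strlen(p))
        return NULL;

    char *out = malloc((size_t)n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, p, (size_t)n);
    out[n] = '\0';
    return out;
}

/* Strip a leading "__vt_" (the virtual-table prefix from the report) and
   decode the counted component that follows.  NULL means "refuse to
   demangle", which is the safe outcome for the crashing input.  */
static char *
vtable_component_from_symbol(const char *symbol)
{
    static const char prefix[] = "__vt_";
    size_t plen = sizeof prefix - 1;

    if (strncmp(symbol, prefix, plen) != 0)
        return NULL;
    return copy_counted_component(symbol + plen);
}

int
main(void)
{
    const char *inputs[] = { "__vt_90000000000cafebabe", "__vt_3fooX", "__vt_5foo" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *s = vtable_component_from_symbol(inputs[i]);
        printf("%-26s -> %s\n", inputs[i], s ? s : "(rejected)");
        free(s);
    }
    return 0;
}
```

The point of the n < 0 test is ordering: comparing a negative int against a length derived from strlen looks like a bounds check but lets -1 through, so the sign must be rejected before the length is compared or converted to size_t.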