https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696

            Bug ID: 71696
           Summary: Libiberty Demangler segfaults (6)
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

A stack overflow in the libiberty demangler causes its host application to crash
on a tainted branch instruction. The problem is caused by a self-reference in a
mangled type string that is "remembered" for later reference. This leads to an
infinite recursion during the demangling.

How to reproduce:
$ valgrind cxxfilt __33%00000000000000000000__S8_00T0000T0
==30184== Memcheck, a memory error detector
==30184== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==30184== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==30184== Command: ../../binutils_git5/libiberty/testsuite/test-demangle
==30184== 
==30184== Stack overflow in thread 1: can't grow stack to 0xffe801ff8
..

$ valgrind cxxfilt __10%0__S4_0T0T0
..

Analysis: The demangler "remembers" mangled types that can later be referenced
in the mangled string. In this case the complete string is remembered in
work->typevec[0] before it is demangled in cplus-dem.c:4534. Now, a part of the
mangled string ("T0000") references the remembered type stored at
work->typevec[0] which is supposed to be demangled as well (cplus-dem.c:3632).

The tool was found with a more efficient version of AFL, called AFL-Fast.
I am preparing a patch.
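The failure mode described in the report, as an added illustration that is not libiberty code and not the reporter's patch: a toy "remembered type" resolver in which the whole input is stored as typevec[0] before demangling begins, so an input that contains a "T0" reference points back at itself. The mini-language (letters copied through, "T<n>" expands the n-th remembered fragment), the struct layout and the function names are constructed for this example. Two guards are shown: an "expanding" bit per slot that refuses a fragment already on the expansion stack (the exact cycle that caused the infinite recursion), and a depth cap as defense in depth.

```c
/* Added example (not libiberty code): a toy "remembered type" resolver that
 * reproduces the self-reference failure mode and guards against it.
 * Constructed mini-language: letters are copied through, "T<n>" expands the
 * n-th remembered fragment. As in the report, the whole input is remembered
 * as typevec[0] before demangling starts, so "T0" refers to the input itself. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TYPES 8
#define MAX_OUT   256
#define MAX_DEPTH 32   /* defense in depth: bounds recursion even for long non-cyclic chains */

struct work {
    const char *typevec[MAX_TYPES];     /* remembered fragments (hypothetical layout) */
    int ntypes;
    unsigned char expanding[MAX_TYPES]; /* 1 while typevec[i] is being expanded */
};

/* Returns 1 on success, 0 on any error (bad index, cycle, depth, output full). */
static int expand(struct work *w, const char *s, char *out, size_t cap, size_t *len, int depth)
{
    if (depth > MAX_DEPTH)
        return 0;
    while (*s) {
        if (*s == 'T' && isdigit((unsigned char)s[1])) {
            char *end;
            long idx = strtol(s + 1, &end, 10);   /* "T0000" parses as index 0 */
            if (idx < 0 || idx >= w->ntypes)
                return 0;
            /* Cycle guard: a fragment that is already on the expansion stack is
             * refused. Without this check the resolver would recurse into
             * typevec[idx] again and again until the stack overflowed. */
            if (w->expanding[idx])
                return 0;
            w->expanding[idx] = 1;
            int ok = expand(w, w->typevec[idx], out, cap, len, depth + 1);
            w->expanding[idx] = 0;
            if (!ok)
                return 0;
            s = end;
        } else {
            if (*len + 1 >= cap)
                return 0;
            out[(*len)++] = *s++;
        }
    }
    out[*len] = '\0';
    return 1;
}

/* Demangles `mangled` with `extra` fragments preloaded as typevec[1..]. Returns a
 * pointer to a static result buffer, or NULL when expansion was refused. */
const char *demangle_result(const char *mangled, const char *const *extra, int nextra)
{
    static char out[MAX_OUT];
    struct work w;
    memset(&w, 0, sizeof w);
    w.typevec[w.ntypes++] = mangled;        /* typevec[0] = whole string, as in the report */
    for (int i = 0; i < nextra && w.ntypes < MAX_TYPES; i++)
        w.typevec[w.ntypes++] = extra[i];
    size_t len = 0;
    out[0] = '\0';
    return expand(&w, mangled, out, sizeof out, &len, 0) ? out : NULL;
}

int main(void)
{
    /* Constructed fragments: typevec[1] = "int", typevec[2] = "T2" (refers to itself). */
    static const char *const types[] = { "int", "T2" };
    const char *r;
    r = demangle_result("fT1g", types, 1);   /* ordinary back-reference */
    printf("fT1g -> %s\n", r ? r : "refused");
    r = demangle_result("xT0", NULL, 0);     /* self-reference through typevec[0] */
    printf("xT0  -> %s\n", r ? r : "refused");
    r = demangle_result("aT2", types, 2);    /* self-reference through a remembered fragment */
    printf("aT2  -> %s\n", r ? r : "refused");
    return 0;
}
```

The "expanding" bit is the precise fix for the reported bug, since it rejects exactly the reference pattern that re-enters a fragment still being expanded; the depth cap costs nothing and additionally bounds stack use for inputs that chain many distinct remembered types.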
