https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350
--- Comment #6 from Bernhard Kaindl <bernhard.kaindl at thalesgroup dot com> ---
Created attachment 45167
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=45167&action=edit
Safe fix: Before copying work, check if the vectors have been allocated. If not, input wasn't valid.

Fixes CVE-2018-17794: In cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31 (and all prior versions), there is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17794

Safe fix: Before copying work, check if the vectors have been allocated. If not, input wasn't valid.

-- Bernhard Kaindl

diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c index 6d58bd899b..ab30cd5fd5 100644 --- a/libiberty/cplus-dem.c +++ b/libiberty/cplus-dem.c @@ -2723,6 +2723,11 @@ iterate_demangle_function (struct work_stuff *work, const char **mangled, || strstr (scan + 2, "__") == NULL) return demangle_function_name (work, mangled, declp, scan); + /* Before copying work, check if the vectors have been allocated. + If not, our input isn't a valid mangled name and we'd sigseg then: */ + if (!work->typevec || !work->ktypevec || !work->btypevec) + return 0; + /* Save state so we can restart if the guess at the correct "__" was wrong. */ string_init (&decl_init);

It would be enough to check just for !work->typevec to fix this CVE; the others are just related, as work_stuff_copy_to_from() copies them in the same way as ktypevec. To be sure there is no oversight, proper review and testing would be required.
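Review bot: the guard inserted before `string_init (&decl_init);` returns 0 whenever any of `work->typevec`, `work->ktypevec` or `work->btypevec` is NULL, but nothing in the hunk establishes that a NULL vector can only arise from invalid input; if any of these vectors is allocated lazily, a valid mangled name whose demangling reaches this point before the first entry is remembered would now be rejected, and the comment's own follow-up says only `typevec` matters for this CVE. Consider checking the condition that actually makes the copy crash (a counter claiming entries while its vector is NULL), or fixing `work_stuff_copy_to_from` to honour that condition, so the check documents the broken invariant rather than a symptom. The added comment "we'd sigseg then:" should also be reworded to say what happens (a NULL dereference in work_stuff_copy_to_from) and lose the trailing colon.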
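The guard the comment proposes, and the narrower "only typevec is needed" remark after it, both come down to one invariant: a counter that claims entries in a lazily allocated vector is only trustworthy if that vector exists and has room for them. The following is an added example (not libiberty code and not the attachment above) that models that state with a single vector and shows a deep copy that checks the invariant before trusting the counter, so a counter/vector mismatch is refused instead of dereferencing NULL. The struct, field and function names are hypothetical, and the sample entries are constructed.

```c
/* Added example, not libiberty code: a cut-down model of the counter-plus-
 * vector state that a copy routine like work_stuff_copy_to_from() duplicates.
 * The struct, field and function names here are hypothetical. */
#include <stdlib.h>
#include <string.h>

struct vec_state {
    char **typevec;    /* remembered strings, allocated lazily (NULL at start) */
    int ntypes;        /* entries the counter claims are present in typevec */
    int typevec_size;  /* slots actually allocated */
};

/* Precondition for any copy: the counter must not claim entries that the
 * vector cannot hold.  ntypes == 0 with typevec == NULL is a valid, fresh
 * state and must be accepted; ntypes > 0 with typevec == NULL is the
 * inconsistency that makes an unchecked copy dereference NULL. */
static int vec_state_consistent(const struct vec_state *s)
{
    if (s->ntypes < 0 || s->typevec_size < 0)
        return 0;
    if (s->ntypes > s->typevec_size)
        return 0;
    if (s->ntypes > 0 && s->typevec == NULL)
        return 0;
    return 1;
}

/* Release a state produced by vec_state_copy (frees ntypes entries only). */
static void vec_state_free(struct vec_state *s)
{
    for (int i = 0; i < s->ntypes; i++)
        free(s->typevec[i]);
    free(s->typevec);
    s->typevec = NULL;
    s->ntypes = 0;
    s->typevec_size = 0;
}

/* Deep copy guarded by the invariant.  Returns 1 on success; 0 (with *to
 * left empty) if the source is inconsistent or an allocation fails. */
static int vec_state_copy(struct vec_state *to, const struct vec_state *from)
{
    to->typevec = NULL;
    to->ntypes = 0;
    to->typevec_size = 0;
    if (!vec_state_consistent(from))
        return 0;
    if (from->typevec_size == 0)
        return 1;                       /* fresh state: nothing to copy */
    to->typevec = calloc((size_t)from->typevec_size, sizeof(char *));
    if (to->typevec == NULL)
        return 0;
    to->typevec_size = from->typevec_size;
    for (int i = 0; i < from->ntypes; i++) {
        size_t len = strlen(from->typevec[i]) + 1;
        to->typevec[i] = malloc(len);
        if (to->typevec[i] == NULL) {
            vec_state_free(to);         /* ntypes == i here, so only copied entries are freed */
            return 0;
        }
        memcpy(to->typevec[i], from->typevec[i], len);
        to->ntypes = i + 1;
    }
    return 1;
}

/* Constructed sample entries for a stand-alone run. */
static char *sample_entries[3] = { "Pc", "Pv", NULL };

/* Runs the guarded copy over three constructed states (fresh, populated, and
 * a corrupt one whose counter claims an entry but whose vector is NULL) and
 * returns how many were accepted. */
static int demo_copy_outcomes(void)
{
    struct vec_state fresh = { NULL, 0, 0 };
    struct vec_state populated = { sample_entries, 2, 3 };
    struct vec_state corrupt = { NULL, 1, 3 };   /* what an unchecked copy would crash on */
    struct vec_state out;
    int accepted = 0;

    if (vec_state_copy(&out, &fresh)) { accepted++; vec_state_free(&out); }
    if (vec_state_copy(&out, &populated)) { accepted++; vec_state_free(&out); }
    if (vec_state_copy(&out, &corrupt)) { accepted++; vec_state_free(&out); }
    return accepted;   /* 2: the corrupt state is refused rather than dereferenced */
}
```

The point of checking the counter against the vector, rather than the vector alone, is that a fresh state (no entries, nothing allocated yet) stays valid; a check on the pointer alone would reject it.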