Hi: Pending review. Best - Marcel
> On 3 May 2016, at 10:40 PM, Marcel Böhme <boehme.mar...@gmail.com> wrote: > > Hi, > > This fixes four access violations > (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926). > > Two of these first read the value of a length variable len from the mangled > string, then strncpy len characters from the mangled string; more than > necessary. > The other two read the value of an array index n from the mangled string, > which can be negative due to an overflow. > > Bootstrapped and regression tested on x86_64-pc-linux-gnu. Test cases added > to libiberty/testsuite/demangler-expected and checked PR70926 is resolved. > > Best regards, > - Marcel > > Index: libiberty/ChangeLog > =================================================================== > --- libiberty/ChangeLog (revision 235801) > +++ libiberty/ChangeLog (working copy) > @@ -1,3 +1,12 @@ > +2016-05-03 Marcel Böhme <boehme.mar...@gmail.com> > + > + PR c++/70926 > + * cplus-dem.c: Handle large values and overflow when demangling > + length variables. > + (demangle_template_value_parm): Read only until end of mangled string. > > + (do_hpacc_template_literal): Likewise. > + (do_type): Handle overflow when demangling array indices. > + > 2016-05-02 Marcel Böhme <boehme.mar...@gmail.com> > > PR c++/70498 > Index: libiberty/cplus-dem.c > =================================================================== > --- libiberty/cplus-dem.c (revision 235801) > +++ libiberty/cplus-dem.c (working copy) > @@ -2051,7 +2051,8 @@ demangle_template_value_parm (struct work_stuff *w > else > { > int symbol_len = consume_count (mangled); > - if (symbol_len == -1) > + if (symbol_len == -1 > + || symbol_len > (long) strlen (*mangled)) > return -1; > if (symbol_len == 0) > string_appendn (s, "0", 1); 
> @@ -3611,7 +3612,7 @@ do_type (struct work_stuff *work, const char **man > /* A back reference to a previously seen type */ > case 'T': > (*mangled)++; > - if (!get_count (mangled, &n) || n >= work -> ntypes) > + if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes) > { > success = 0; > } > @@ -3789,7 +3790,7 @@ do_type (struct work_stuff *work, const char **man > /* A back reference to a previously seen squangled type */ > case 'B': > (*mangled)++; > - if (!get_count (mangled, &n) || n >= work -> numb) > + if (!get_count (mangled, &n) || n < 0 || n >= work -> numb) > success = 0; > else > string_append (result, work->btypevec[n]); > @@ -4130,7 +4131,8 @@ do_hpacc_template_literal (struct work_stuff *work > > literal_len = consume_count (mangled); > > - if (literal_len <= 0) > + if (literal_len <= 0 > + || literal_len > (long) strlen (*mangled)) > return 0; > > /* Literal parameters are names of arrays, functions, etc. and the > Index: libiberty/testsuite/demangle-expected > =================================================================== > --- libiberty/testsuite/demangle-expected (revision 235801) > +++ libiberty/testsuite/demangle-expected (working copy) > @@ -4441,3 +4441,16 @@ __vt_90000000000cafebabe > > _Z80800000000000000000000 > _Z80800000000000000000000 > +# > +# Tests write access violation PR70926 > + > +0__Ot2m02R5T0000500000 > +0__Ot2m02R5T0000500000 > +# > + > +0__GT50000000000_ > +0__GT50000000000_ > +# > + > +__t2m05B500000000000000000_ > +__t2m05B500000000000000000_ >
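Review bot: the ChangeLog entry only records cplus-dem.c, yet the patch also adds three cases to libiberty/testsuite/demangle-expected; add a line such as "* testsuite/demangle-expected: Add tests for PR c++/70926." under the same date so the testsuite change is recorded with the fix.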
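Review bot: in the demangle_template_value_parm hunk the new bound "symbol_len > (long) strlen (*mangled)" is what keeps the later copy of symbol_len characters inside the mangled string, but that is not obvious from the condition itself; a one-line comment above it saying that the length was read from the input and must not exceed what is left of it would help the next reader. Since symbol_len == -1 is excluded first, symbol_len is non-negative by the time the second test runs (assuming consume_count only reports failure as -1), so "(size_t) symbol_len > strlen (*mangled)" would avoid the long cast; whichever form you keep, use the same one here and in do_hpacc_template_literal.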
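Review bot: in the do_type 'T' hunk, "n < 0" closes the hole at this call site, but the negative index comes from get_count overflowing while it reads the count from the mangled string; making get_count itself fail on overflow (return 0 instead of a wrapped value) would cover this caller and the identical 'B' back-reference case below with one change, and would also protect any other get_count caller that indexes an array with the result. If get_count is left as it is, a short comment here noting that n can be negative after overflow would explain why a signed index needs the extra test in both places.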
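Review bot: the do_hpacc_template_literal hunk mirrors the demangle_template_value_parm check, rejecting a literal_len larger than the remaining input before the literal is copied; "literal_len <= 0" already rules out negatives, so the "(long)" cast exists only to compare against size_t, and a comment saying the length is taken from the mangled input (and so untrusted) would make the intent clear. Please also confirm that one of the new testsuite inputs actually reaches this HP aCC path rather than only the GNU ones.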
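Review bot: in the demangle-expected hunk all three new cases expect the output to equal the input, i.e. they only check that the demangler now rejects the name instead of crashing; that is the right expectation for these inputs, but the comment line should say so, e.g. "# Tests write access violation PR70926: name is expected to be returned unchanged". The cover letter describes four fixed sites (two length checks, two index checks) while only three inputs are added; please state which input exercises which site, and add a fourth input if one site is not covered. (The cover letter also calls the file demangler-expected; the file in the Index line is demangle-expected.)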