[Bug c++/87241] New: A hang problem for c++filt
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87241

Bug ID: 87241
Summary: A hang problem for c++filt
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: poppeter1982 at gmail dot com
Target Milestone: ---

Created attachment 44665
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44665&action=edit
The proof of concept ASCII file for c++filt

Hi There

Our fuzzer generates an input which may hang the execution of c++filt; please check on your side whether this is a real positive. You could use

./c++filt < input

to reproduce it.

Originally I reported it to the binutils bugzilla; the link is https://sourceware.org/bugzilla/show_bug.cgi?id=23589. The maintainer confirmed it is a problem with the C++ name de-mangling code and recommended that I resubmit it here.

Thanks
Peng
[Bug c++/87241] A hang problem for c++filt
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87241

--- Comment #2 from Li Peng ---
(In reply to Jonathan Wakely from comment #1)
> __cxa_demangle in cp-demangle.c correctly returns -2 (the mangled name is
> not valid) but cplus_demangle in cplus-dem.c tries to allocate crazy amounts
> of memory.

So you can confirm this is a bug, right?
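A status-checked use of the abi::__cxa_demangle entry point that comment #1 names, as an added example that is not part of the bug report and not code from libiberty or c++filt. It assumes only the documented libstdc++ API in <cxxabi.h>; the wrapper names (demangle, demangle_lines) and the sample symbols are my own constructions, not the attached proof-of-concept input.

```cpp
// Added example (not from the bug report or from libiberty): call the
// abi::__cxa_demangle entry point that comment #1 says correctly rejects the
// fuzzer's input with status -2, and treat every non-zero status as
// "not a valid name" instead of trusting the returned buffer.
#include <cxxabi.h>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

struct DemangleResult {
    int status;        // 0 = ok, -1 = allocation failure, -2 = invalid name, -3 = bad argument
    std::string text;  // demangled name when status == 0, otherwise empty
};

// Wrapper (hypothetical name) that owns the malloc'd buffer returned by
// __cxa_demangle and hands back the status code alongside the text.
// Passing nullptr for the output buffer and length makes libstdc++
// allocate the buffer itself.
DemangleResult demangle(const std::string& mangled) {
    int status = -3;
    char* out = abi::__cxa_demangle(mangled.c_str(), nullptr, nullptr, &status);
    DemangleResult r{status, std::string()};
    if (status == 0 && out != nullptr) {
        r.text = out;
    }
    std::free(out);  // free(nullptr) is a no-op, so this is safe on failure
    return r;
}

// Process c++filt-style input, one symbol per line. A malformed line is
// reported with its status instead of aborting the whole run.
std::vector<DemangleResult> demangle_lines(const std::vector<std::string>& lines) {
    std::vector<DemangleResult> results;
    results.reserve(lines.size());
    for (const std::string& line : lines) {
        results.push_back(demangle(line));
    }
    return results;
}

int main() {
    // Constructed sample input (not the attachment from the report): one
    // valid Itanium-ABI name, one string that is not a mangled name, and
    // one that starts like a mangled name but is cut off.
    const std::vector<std::string> samples = {"_Z1fv", "not_mangled", "_ZN3foo"};
    const std::vector<DemangleResult> results = demangle_lines(samples);
    for (size_t i = 0; i < samples.size(); ++i) {
        if (results[i].status == 0) {
            std::printf("%-12s -> %s\n", samples[i].c_str(), results[i].text.c_str());
        } else {
            // Echo the input unchanged, as c++filt does for names it cannot
            // demangle, and show why it was rejected.
            std::printf("%-12s -> %s (status %d)\n", samples[i].c_str(),
                        samples[i].c_str(), results[i].status);
        }
    }
    return 0;
}
```

The point of the wrapper is that a caller only ever looks at the text when the status is exactly 0; -2 (the code comment #1 reports for the fuzzer's input) and -1 are both treated as "no name", and the buffer is freed on every path. Build with any C++11 compiler that ships libstdc++ (g++ example.cpp).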
[Bug c++/87340] New: Stack overflow problem for c++filt
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87340

Bug ID: 87340
Summary: Stack overflow problem for c++filt
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: poppeter1982 at gmail dot com
Target Milestone: ---

Created attachment 44709
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44709&action=edit
PoCs to demonstrate segfaults of c++filt

Hi There

Our fuzzer caught stack overflows in c++filt in the latest binutils code base; those inputs cause segmentation faults, and I have confirmed them with AddressSanitizer too. Please use

c++filt < input

to reproduce the bug. If you have any questions, please let me know.

ASAN dumps the stack trace as follows:

==25314==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc1fb15f58 (pc 0x004a5672 bp 0x7ffc1fb167a0 sp 0x7ffc1fb15f40 T0)
    #0 0x4a5671 in malloc /home/peter668/AFL_KLEE_FUZZ/toolchain/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:39
    #1 0x5845d4 in xmalloc /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./xmalloc.c:147:12
    #2 0x56912c in string_need /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4906:21
    #3 0x56a23a in string_append /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4961:3
    #4 0x56a23a in demangle_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4578
    #5 0x563e74 in demangle_nested_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4713:12
    #6 0x563e74 in do_type /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:3719
    #7 0x56a97b in do_arg /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4332:8
    #8 0x56a417 in demangle_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4659:9
    #9 0x563e74 in demangle_nested_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4713:12
    #10 0x563e74 in do_type /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:3719
    #11 0x56a97b in do_arg /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4332:8
    #12 0x56a417 in demangle_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4659:9
    #13 0x563e74 in demangle_nested_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4713:12
    #14 0x563e74 in do_type /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:3719
    #15 0x56a97b in do_arg /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4332:8
    #16 0x56a417 in demangle_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4659:9
    #17 0x563e74 in demangle_nested_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4713:12
    #18 0x563e74 in do_type /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:3719
    #19 0x56a97b in do_arg /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4332:8
    #20 0x56a417 in demangle_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4659:9
    #21 0x563e74 in demangle_nested_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4713:12
    #22 0x563e74 in do_type /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:3719
    #23 0x56a97b in do_arg /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4332:8
    #24 0x56a417 in demangle_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4659:9
    #25 0x563e74 in demangle_nested_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4713:12
    #26 0x563e74 in do_type /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:3719
    #27 0x56a97b in do_arg /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4332:8
    #28 0x56a417 in demangle_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4659:9
    #29 0x563e74 in demangle_nested_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4713:12
    #30 0x563e74 in do_type /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:3719
    #31 0x56a97b in do_arg /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4332:8
    #32 0x56a417 in demangle_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4659:9
    #33 0x563e74 in demangle_nested_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4713:12
    #34 0x563e74 in do_type /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:3719
    #35 0x56a97b in do_arg /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4332:8
    #36 0x56a417 in demangle_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4659:9
    #37 0x563e74 in demangle_nested_args /home/peter668/lipeng/TMP/binutils-gdb/libiberty/./cplus-dem.c:4713:12
    #38 0x563e74 in do_type /home/peter668/lipeng/TMP/bi