From 6ef6358e5115c85b60000afef572b2bcddf8766d Mon Sep 17 00:00:00 2001
From: Geoffrey Keating
Date: Thu, 21 Dec 2006 01:32:48 +0000
Subject: * cp-demangle.h: Add comment explaining what to do to avoid overrunning string. (d_check_char): New. (d_next_char): Don't advance past trailing '\0'. * cp-demangle.c (cplus_demangle_mangled_name): Use d_check_char. (d_nested_name): Likewise. (d_special_name): Likewise. (d_call_offset): Likewise. (d_function_type): Likewise. (d_array_type): Likewise. (d_pointer_to_member_type): Likewise. (d_template_param): Likewise. (d_template_args): Likewise. (d_template_arg): Likewise. (d_expr_primary): Likewise. (d_local_name): Likewise. (d_substitution): Likewise. (d_ctor_dtor_name): Use d_advance rather than d_next_char. * testsuite/test-demangle.c: Include sys/mman.h. (MAP_ANONYMOUS): Define. (protect_end): New. (main): Use protect_end. * testsuite/demangle-expected: Add testcases for overrunning the end of the string.
---
 libiberty/cp-demangle.h | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'libiberty/cp-demangle.h')
diff --git a/libiberty/cp-demangle.h b/libiberty/cp-demangle.h
index 2517a57e69..920ca47796 100644
--- a/libiberty/cp-demangle.h
+++ b/libiberty/cp-demangle.h
@@ -123,10 +123,16 @@ struct d_info
 int expansion;
 };
+/* To avoid running past the ending '\0', don't:
+ - call d_peek_next_char if d_peek_char returned '\0'
+ - call d_advance with an 'i' that is too large
+ - call d_check_char(di, '\0')
+ Everything else is safe. */
 #define d_peek_char(di) (*((di)->n))
 #define d_peek_next_char(di) ((di)->n[1])
 #define d_advance(di, i) ((di)->n += (i))
-#define d_next_char(di) (*((di)->n++))
+#define d_check_char(di, c) (d_peek_char(di) == c ? ((di)->n++, 1) : 0)
+#define d_next_char(di) (d_peek_char(di) == '\0' ? '\0' : *((di)->n++))
 #define d_str(di) ((di)->n)
 /* Functions and arrays in cp-demangle.c which are referenced by
-- cgit v1.2.3
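Review bot: `d_check_char` compares against a bare `c`, so an argument that is an expression binding more loosely than `==` would be parsed wrongly; it should read `#define d_check_char(di, c) (d_peek_char(di) == (c) ? ((di)->n++, 1) : 0)`. Both `d_check_char` and the new `d_next_char` also expand `di` twice where the old `d_next_char` expanded it once, so a `di` argument with side effects would now be evaluated twice, which deserves a line in the comment above the macros. That comment lists `d_peek_next_char` and `d_advance` as still unchecked, so they remain the ways to read past the terminating '\0' on a malformed mangled name. Every `d_advance` call site in cp-demangle.c, which this page does not show, therefore needs its own guard on the remaining length.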