diff options
| author | mark <mark@138bc75d-0d04-0410-961f-82ee72b054a4> | 2016-11-15 19:31:59 +0000 |
|---|---|---|
| committer | mark <mark@138bc75d-0d04-0410-961f-82ee72b054a4> | 2016-11-15 19:31:59 +0000 |
| commit | 3a7ea919996addd76e1a695327ac6ceaafa292c2 (patch) | |
| tree | 8f5009b475fabf82e2a02e550cfd3e7eac405f5d /libiberty | |
| parent | b2dcfe3da47412480529c8591ba0433cd495fbe3 (diff) | |
libiberty: demangler crash with missing :? or fold expression component.
When constructing an :? or fold expression that requires a third
expression only the first and second were explicitly checked to
not be NULL. Since the third expression is also required in these
constructs it needs to be explicitly checked and rejected when missing.
Otherwise the demangler will crash once it tries to d_print the
NULL component. Added two examples to demangle-expected of strings
that would crash before this fix.
Found by American Fuzzy Lop (afl) fuzzer.
git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@242451 138bc75d-0d04-0410-961f-82ee72b054a4
Diffstat (limited to 'libiberty')
| -rw-r--r-- | libiberty/ChangeLog | 7 | ||||
| -rw-r--r-- | libiberty/cp-demangle.c | 4 | ||||
| -rw-r--r-- | libiberty/testsuite/demangle-expected | 8 |
3 files changed, 19 insertions, 0 deletions
diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog index 8a1aad953090..8b52166bcca5 100644 --- a/libiberty/ChangeLog +++ b/libiberty/ChangeLog @@ -1,3 +1,10 @@ +2016-11-15 Mark Wielaard <mark@klomp.org> + + * cp-demangle.c (d_expression_1): Make sure third expression + exists for ?: and fold expressions. + * testsuite/demangle-expected: Add examples of strings that could + crash the demangler because of missing expression. + 2016-11-14 Mark Wielaard <mark@klomp.org> * cplus-dem.c (demangle_signature): After 'H', template function, diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c index e239155c442f..45663fe8b0dc 100644 --- a/libiberty/cp-demangle.c +++ b/libiberty/cp-demangle.c @@ -3415,6 +3415,8 @@ d_expression_1 (struct d_info *di) first = d_expression_1 (di); second = d_expression_1 (di); third = d_expression_1 (di); + if (third == NULL) + return NULL; } else if (code[0] == 'f') { @@ -3422,6 +3424,8 @@ d_expression_1 (struct d_info *di) first = d_operator_name (di); second = d_expression_1 (di); third = d_expression_1 (di); + if (third == NULL) + return NULL; } else if (code[0] == 'n') { diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected index 236161c2fe37..af491d8196ef 100644 --- a/libiberty/testsuite/demangle-expected +++ b/libiberty/testsuite/demangle-expected @@ -4626,3 +4626,11 @@ _$_H1R # Could crash _Q8ccQ4M2e. _Q8ccQ4M2e. + +# fold-expression with missing third component could crash. +_Z12binary_rightIJLi1ELi2ELi3EEEv1AIXfRplT_LiEEE +_Z12binary_rightIJLi1ELi2ELi3EEEv1AIXfRplT_LiEEE + +# ?: expression with missing third component could crash. +AquT_quT_4mxautouT_4mxxx +AquT_quT_4mxautouT_4mxxx |