+2016-07-13 Marcel BÃhme <boehme.marcel@gmail.com>
+
+ PR c++/70926
+ * cplus-dem.c: Handle large values and overflow when demangling
+ length variables.
+ (demangle_template_value_parm): Read only until end of mangled string.
+ (do_hpacc_template_literal): Likewise.
+ (do_type): Handle overflow when demangling array indices.
+
2016-06-12 Brooks Moses <bmoses@google.com>
* cp-demangle.c (cplus_demangle_print_callback): Avoid zero-length
else
{
int symbol_len = consume_count (mangled);
- if (symbol_len == -1)
+ if (symbol_len == -1
+ || symbol_len > (long) strlen (*mangled))
return -1;
if (symbol_len == 0)
string_appendn (s, "0", 1);
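Review bot: The failure test on `symbol_len` still matches only the `-1` sentinel, while the parallel check on `literal_len` later in this patch uses `<= 0`. Any other negative return from consume_count would pass both conditions here, because a negative value is never greater than the remaining length. consume_count is not visible in this hunk, so whether it can return other negatives is unconfirmed, but `if (symbol_len < 0 || symbol_len > (long) strlen (*mangled))` costs nothing and leaves the zero case below intact. A one-line comment such as `/* The count must not run past the end of the mangled string. */` would also record why the bound exists. The enclosing function continues outside the hunk.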
/* A back reference to a previously seen type */
case 'T':
(*mangled)++;
- if (!get_count (mangled, &n) || n >= work -> ntypes)
+ if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes)
{
success = 0;
}
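Review bot: The added `n < 0` test in case 'T' (and the identical one in case 'B' below) rejects an overflowed count only after the overflow has already happened. If get_count accumulates digits in a plain `int`, which is not visible here, that is signed overflow and therefore undefined behavior in C. A long enough digit run could also wrap back to a non-negative value below `work -> ntypes` or `work -> numb` and pass the range check with a count the input never encoded. Bounding the accumulation inside get_count, so that it fails once the value would exceed `INT_MAX`, would make these range checks sufficient on their own. The enclosing switch starts and ends outside the hunk.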
/* A back reference to a previously seen squangled type */
case 'B':
(*mangled)++;
- if (!get_count (mangled, &n) || n >= work -> numb)
+ if (!get_count (mangled, &n) || n < 0 || n >= work -> numb)
success = 0;
else
string_append (result, work->btypevec[n]);
literal_len = consume_count (mangled);
- if (literal_len <= 0)
+ if (literal_len <= 0
+ || literal_len > (long) strlen (*mangled))
return 0;
/* Literal parameters are names of arrays, functions, etc. and the
_Z80800000000000000000000
_Z80800000000000000000000
+#
+# Tests write access violation PR70926
+
+0__Ot2m02R5T0000500000
+0__Ot2m02R5T0000500000
+#
+
+0__GT50000000000_
+0__GT50000000000_
+#
+
+__t2m05B500000000000000000_
+__t2m05B500000000000000000_