When constructing an :? or fold expression that requires a third
expression only the first and second were explicitly checked to
not be NULL. Since the third expression is also required in these
constructs it needs to be explicitly checked and rejected when missing.
Otherwise the demangler will crash once it tries to d_print the
NULL component. Added two examples to demangle-expected of strings
that would crash before this fix.
Found by American Fuzzy Lop (afl) fuzzer.
+2016-11-15 Mark Wielaard <mark@klomp.org>
+
+ * cp-demangle.c (d_expression_1): Make sure third expression
+ exists for ?: and fold expressions.
+ * testsuite/demangle-expected: Add examples of strings that could
+ crash the demangler because of missing expression.
+
2016-11-14 Mark Wielaard <mark@klomp.org>
* cplus-dem.c (demangle_signature): After 'H', template function,
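Review bot: The testsuite/demangle-expected entry says only "missing expression", while the cp-demangle.c entry just above it is specific about the third expression. Writing "missing third expression" there would make the two entries agree and make this fix easier to find in the log later.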
first = d_expression_1 (di);
second = d_expression_1 (di);
third = d_expression_1 (di);
+ if (third == NULL)
+ return NULL;
}
else if (code[0] == 'f')
{
first = d_operator_name (di);
second = d_expression_1 (di);
third = d_expression_1 (di);
+ if (third == NULL)
+ return NULL;
}
else if (code[0] == 'n')
{
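Review bot: The added `if (third == NULL) return NULL;` appears twice, once in the branch that reads first, second and third through d_expression_1 and once in the `code[0] == 'f'` branch, and neither copy says why third alone is tested at this point. A one-line comment on each would help, noting that first and second are already checked (as the commit message states) while third was not. That way a later branch that also assigns third is less likely to be added without the same check. Testing third alongside the existing checks of first and second, for the codes that need three operands, would remove the duplication.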
# Could crash
_Q8ccQ4M2e.
_Q8ccQ4M2e.
+
+# fold-expression with missing third component could crash.
+_Z12binary_rightIJLi1ELi2ELi3EEEv1AIXfRplT_LiEEE
+_Z12binary_rightIJLi1ELi2ELi3EEEv1AIXfRplT_LiEEE
+
+# ?: expression with missing third component could crash.
+AquT_quT_4mxautouT_4mxxx
+AquT_quT_4mxautouT_4mxxx
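Review bot: In both new entries the expected line is identical to the input line, so each test passes when the demangler rejects the string and hands it back unchanged, yet the comments only say "could crash". Saying in each comment that the string must now be rejected rather than demangled would make the expectation explicit. It would also help to note which of the two new `third == NULL` checks in d_expression_1 each string is meant to reach, since that cannot be read off the mangled names.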