From 03ef0c6c55ab81002abef62cec430d0496c3a01c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Marcel=20B=C3=B6hme?=
Date: Wed, 13 Jul 2016 16:06:09 -0600
Subject: [PATCH] re PR c++/70926 (Libiberty Demangler segfaults (5))
PR c++/70926 * cplus-dem.c: Handle large values and overflow when demangling length variables. (demangle_template_value_parm): Read only until end of mangled string. (do_hpacc_template_literal): Likewise. (do_type): Handle overflow when demangling array indices.
From-SVN: r238313
---
 libiberty/ChangeLog | 9 +++++++++
 libiberty/cplus-dem.c | 10 ++++++----
 libiberty/testsuite/demangle-expected | 13 +++++++++++++
 3 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
index 45b312bed5c..317bd63c054 100644
--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
@@ -1,3 +1,12 @@
+2016-07-13 Marcel BÃhme
+
+ PR c++/70926
+ * cplus-dem.c: Handle large values and overflow when demangling
+ length variables.
+ (demangle_template_value_parm): Read only until end of mangled string.
+ (do_hpacc_template_literal): Likewise.
+ (do_type): Handle overflow when demangling array indices.
+
 2016-06-12 Brooks Moses + * cp-demangle.c (cplus_demangle_print_callback): Avoid zero-length
diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
index d04c32a904a..3ee2df1c56a 100644
--- a/libiberty/cplus-dem.c
+++ b/libiberty/cplus-dem.c
@@ -2053,7 +2053,8 @@ demangle_template_value_parm (struct work_stuff *work, const char **mangled,
 else
 {
 int symbol_len = consume_count (mangled);
- if (symbol_len == -1)
+ if (symbol_len == -1
+ || symbol_len > (long) strlen (*mangled))
 return -1;
 if (symbol_len == 0)
 string_appendn (s, "0", 1);
@@ -3621,7 +3622,7 @@ do_type (struct work_stuff *work, const char **mangled, string *result)
 /* A back reference to a previously seen type */
 case 'T':
 (*mangled)++;
- if (!get_count (mangled, &n) || n >= work -> ntypes)
+ if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes)
 {
 success = 0;
 }
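Review bot: The added `n < 0` test in the 'T' back-reference case only fires if get_count has already let n wrap negative, and if get_count accumulates the count in a signed int (its body is not in this hunk) that wrap is signed-overflow undefined behaviour, so the optimizer may assume a non-negative accumulation cannot yield `n < 0` and drop the new test. The overflow should be rejected where the digits are parsed: have get_count fail (return 0) before a step would overflow, with a guard of the form `if (n > (INT_MAX - d) / 10) return 0;` ahead of each `n = n * 10 + d`, and keep the `n < 0` here only as a second line of defence. A comment on the new condition would also help, e.g. `/* Reject counts that overflowed or that index past the types seen so far.  */`. The same applies to the 'B' back-reference hunk further down, and do_type's body extends well beyond this hunk.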
@@ -3798,7 +3799,7 @@ do_type (struct work_stuff *work, const char **mangled, string *result)
 /* A back reference to a previously seen squangled type */
 case 'B':
 (*mangled)++;
- if (!get_count (mangled, &n) || n >= work -> numb)
+ if (!get_count (mangled, &n) || n < 0 || n >= work -> numb)
 success = 0;
 else
 string_append (result, work->btypevec[n]);
@@ -4139,7 +4140,8 @@ do_hpacc_template_literal (struct work_stuff *work, const char **mangled,
 
 literal_len = consume_count (mangled);
 
- if (literal_len <= 0)
+ if (literal_len <= 0
+ || literal_len > (long) strlen (*mangled))
 return 0;
 
 /* Literal parameters are names of arrays, functions, etc. and the
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
index 62ab18ca37d..1d959528b97 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -4556,3 +4556,16 @@ __vt_90000000000cafebabe
 
 _Z80800000000000000000000
 _Z80800000000000000000000
+#
+# Tests write access violation PR70926
+
+0__Ot2m02R5T0000500000
+0__Ot2m02R5T0000500000
+#
+
+0__GT50000000000_
+0__GT50000000000_
+#
+
+__t2m05B500000000000000000_
+__t2m05B500000000000000000_
-- 
2.30.2
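Review bot: The new bound `literal_len > (long) strlen (*mangled)` in do_hpacc_template_literal carries no comment saying what it protects; per the commit message the count is used to read the literal out of the remaining mangled string, so say so above the test: `/* The literal is read out of the remaining input below; a count past the end of the string would read beyond it.  */`. The same int-versus-`(long) strlen` expression is now duplicated in demangle_template_value_parm, and a small helper such as `static int count_fits (int n, const char *s) { return n >= 0 && (size_t) n <= strlen (s); }` would keep the two checks in step and avoid the signed/unsigned mixing the cast is papering over. The `(long)` cast itself is harmless on LP64 but truncates size_t where long is 32 bits; comparing as size_t after the `<= 0` rejection avoids that. do_hpacc_template_literal's body continues past the end of this hunk.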