From 81adfd10c9527402ba94963e960b8f70ea52bdca Mon Sep 17 00:00:00 2001 From: Ben L Date: Tue, 30 Apr 2019 14:32:38 +0000 Subject: [PATCH] d-demangle.c (dlang_parse_integer): Fix stack underflow. * d-demangle.c (dlang_parse_integer): Fix stack underflow. * testsuite/d-demangle-expected: Add testcase. From-SVN: r270696 --- libiberty/ChangeLog | 3 +++ libiberty/d-demangle.c | 6 +++--- libiberty/testsuite/d-demangle-expected | 4 ++++ 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog index 6e9691c6bae..76a974d6526 100644 --- a/libiberty/ChangeLog +++ b/libiberty/ChangeLog @@ -1,5 +1,8 @@ 2019-04-30 Ben L + * d-demangle.c (dlang_parse_integer): Fix stack underflow. + * testsuite/d-demangle-expected: Add testcase. + * cp-demangle (d_print_comp_inner): Guard against a NULL 'typed_name'. * testsuite/demangle-expected: Add testcase. diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c index 8acbf046f26..114d9e0ef73 100644 --- a/libiberty/d-demangle.c +++ b/libiberty/d-demangle.c @@ -939,8 +939,8 @@ dlang_parse_integer (string *decl, const char *mangled, char type) if (type == 'a' || type == 'u' || type == 'w') { /* Parse character value. */ - char value[10]; - int pos = 10; + char value[20]; + int pos = sizeof(value); int width = 0; long val; @@ -991,7 +991,7 @@ dlang_parse_integer (string *decl, const char *mangled, char type) for (; width > 0; width--) value[--pos] = '0'; - string_appendn (decl, &(value[pos]), 10 - pos); + string_appendn (decl, &(value[pos]), sizeof(value) - pos); } string_append (decl, "'"); } diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected index 547a2ddec39..998823899b5 100644 --- a/libiberty/testsuite/d-demangle-expected +++ b/libiberty/testsuite/d-demangle-expected @@ -1306,3 +1306,7 @@ rt.lifetime._d_newarrayOpT!(_d_newarrayiT)._d_newarrayOpT(const(TypeInfo), ulong --format=dlang _D4core8demangle16__T6mangleTFZPvZ6mangleFNaNbNfAxaAaZ11DotSplitter5emptyMxFNaNbNdNiNfZb core.demangle.mangle!(void*() function).mangle(const(char)[], char[]).DotSplitter.empty() const +# Could crash +--format=dlang +_D8__T2fnVa8888888888888_ +_D8__T2fnVa8888888888888_ -- 2.30.2