From: Marcel Böhme Date: Fri, 8 Apr 2016 12:10:21 +0000 (+0000) Subject: Fix memory allocation size overflows (PR69687, patch by Marcel Böhme) X-Git-Tag: basepoints/gcc-7~112 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bdf66f7734daf0d2a8f53eb5a1a94a94a28246fc;p=thirdparty%2Fgcc.git Fix memory allocation size overflows (PR69687, patch by Marcel Böhme) PR c++/69687 * cplus-dem.c: Include if available. (INT_MAX): Define if necessary. (remember_type, remember_Ktype, register_Btype, string_need): Abort if we detect cases where we the size of the allocation would overflow. From-SVN: r234829 --- diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog index 8e82a5fd7767..2a3435623a8f 100644 --- a/libiberty/ChangeLog +++ b/libiberty/ChangeLog @@ -1,5 +1,12 @@ 2016-04-08 Marcel Böhme + PR c++/69687 + * cplus-dem.c: Include if available. + (INT_MAX): Define if necessary. + (remember_type, remember_Ktype, register_Btype, string_need): + Abort if we detect cases where we the size of the allocation would + overflow. + PR c++/70498 * cplus-dem.c (gnu_special): Handle case where consume_count returns -1. diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c index abba234f04c2..7514e57913c5 100644 --- a/libiberty/cplus-dem.c +++ b/libiberty/cplus-dem.c @@ -56,6 +56,13 @@ void * malloc (); void * realloc (); #endif +#ifdef HAVE_LIMITS_H +#include +#endif +#ifndef INT_MAX +# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */ +#endif + #include #undef CURRENT_DEMANGLING_STYLE #define CURRENT_DEMANGLING_STYLE work->options @@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len) } else { + if (work -> typevec_size > INT_MAX / 2) + xmalloc_failed (INT_MAX); work -> typevec_size *= 2; work -> typevec = XRESIZEVEC (char *, work->typevec, work->typevec_size); @@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len) } else { + if (work -> ksize > INT_MAX / 2) + xmalloc_failed (INT_MAX); work -> ksize *= 2; work -> ktypevec = XRESIZEVEC (char *, work->ktypevec, work->ksize); @@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work) } else { + if (work -> bsize > INT_MAX / 2) + xmalloc_failed (INT_MAX); work -> bsize *= 2; work -> btypevec = XRESIZEVEC (char *, work->btypevec, work->bsize); @@ -4771,6 +4784,8 @@ string_need (string *s, int n) else if (s->e - s->p < n) { tem = s->p - s->b; + if (n > INT_MAX / 2 - tem) + xmalloc_failed (INT_MAX); n += tem; n *= 2; s->b = XRESIZEVEC (char, s->b, n);