backport: cp-demangle.c (d_dump): Fix syntax error.

author Jakub Jelinek <jakub@redhat.com>

Thu, 19 May 2016 12:02:19 +0000 (14:02 +0200)

committer Jakub Jelinek <jakub@gcc.gnu.org>

Thu, 19 May 2016 12:02:19 +0000 (14:02 +0200)
author Jakub Jelinek <jakub@redhat.com>
Thu, 19 May 2016 12:02:19 +0000 (14:02 +0200)
committer Jakub Jelinek <jakub@gcc.gnu.org>
Thu, 19 May 2016 12:02:19 +0000 (14:02 +0200)
diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog

index 87dd211cf7a0e582ba1189db7a884d28b0238b38..f112f762a1ebe4ceda742134309470520e719109 100644 (file)
--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
@@ -1,6 +1,16 @@
  2016-05-19  Jakub Jelinek  <jakub@redhat.com>
  
         Backported from mainline
+       2015-07-13  Mikhail Maltsev  <maltsevm@gmail.com>
+
+       * cp-demangle.c (d_dump): Fix syntax error.
+       (d_identifier): Adjust type of len to match d_source_name.
+       (d_expression_1): Fix out-of-bounds access.  Check code variable for
+       NULL before dereferencing it.
+       (d_find_pack): Do not recurse for FIXED_TYPE, DEFAULT_ARG and NUMBER.
+       (d_print_comp_inner): Add NULL pointer check.
+       * testsuite/demangle-expected: Add new testcases.
+
         2014-08-29  Andrew Burgess  <aburgess@broadcom.com>
  
         * cp-demangle.c (d_dump): Only access field from s_fixed part of
diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c

index 4ecdb1ee439e83cc8bfddaa47619f650398b4937..fc58050e4bc2a5780e894cdfc92df6717e8f0fed 100644 (file)
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -419,7 +419,7 @@ static struct demangle_component *d_source_name (struct d_info *);
  
  static long d_number (struct d_info *);
  
-static struct demangle_component *d_identifier (struct d_info *, int);
+static struct demangle_component *d_identifier (struct d_info *, long);
  
  static struct demangle_component *d_operator_name (struct d_info *);
  
@@ -715,7 +715,7 @@ d_dump (struct demangle_component *dc, int indent)
      case DEMANGLE_COMPONENT_FIXED_TYPE:
        printf ("fixed-point type, accum? %d, sat? %d\n",
                dc->u.s_fixed.accum, dc->u.s_fixed.sat);
-      d_dump (dc->u.s_fixed.length, indent + 2)
+      d_dump (dc->u.s_fixed.length, indent + 2);
        break;
      case DEMANGLE_COMPONENT_ARGLIST:
        printf ("argument list\n");
@@ -1656,7 +1656,7 @@ d_number_component (struct d_info *di)
  /* identifier ::= <(unqualified source code identifier)>  */
  
  static struct demangle_component *
-d_identifier (struct d_info *di, int len)
+d_identifier (struct d_info *di, long len)
  {
    const char *name;
  
@@ -1677,7 +1677,7 @@ d_identifier (struct d_info *di, int len)
    /* Look for something which looks like a gcc encoding of an
       anonymous namespace, and replace it with a more user friendly
       name.  */
-  if (len >= (int) ANONYMOUS_NAMESPACE_PREFIX_LEN + 2
+  if (len >= (long) ANONYMOUS_NAMESPACE_PREFIX_LEN + 2
        && memcmp (name, ANONYMOUS_NAMESPACE_PREFIX,
                  ANONYMOUS_NAMESPACE_PREFIX_LEN) == 0)
      {
@@ -3163,6 +3163,8 @@ d_expression_1 (struct d_info *di)
        struct demangle_component *type = NULL;
        if (peek == 't')
         type = cplus_demangle_type (di);
+      if (!d_peek_next_char (di))
+       return NULL;
        d_advance (di, 2);
        return d_make_comp (di, DEMANGLE_COMPONENT_INITIALIZER_LIST,
                           type, d_exprlist (di, 'E'));
@@ -3237,6 +3239,8 @@ d_expression_1 (struct d_info *di)
             struct demangle_component *left;
             struct demangle_component *right;
  
+           if (code == NULL)
+             return NULL;
             if (op_is_new_cast (op))
               left = cplus_demangle_type (di);
             else
@@ -3264,7 +3268,9 @@ d_expression_1 (struct d_info *di)
             struct demangle_component *second;
             struct demangle_component *third;
  
-           if (!strcmp (code, "qu"))
+           if (code == NULL)
+             return NULL;
+           else if (!strcmp (code, "qu"))
               {
                 /* ?: expression.  */
                 first = d_expression_1 (di);
@@ -4184,6 +4190,9 @@ d_find_pack (struct d_print_info *dpi,
      case DEMANGLE_COMPONENT_CHARACTER:
      case DEMANGLE_COMPONENT_FUNCTION_PARAM:
      case DEMANGLE_COMPONENT_UNNAMED_TYPE:
+    case DEMANGLE_COMPONENT_FIXED_TYPE:
+    case DEMANGLE_COMPONENT_DEFAULT_ARG:
+    case DEMANGLE_COMPONENT_NUMBER:
        return NULL;
  
      case DEMANGLE_COMPONENT_EXTENDED_OPERATOR:
@@ -4419,6 +4428,11 @@ d_print_comp_inner (struct d_print_info *dpi, int options,
             local_name = d_right (typed_name);
             if (local_name->type == DEMANGLE_COMPONENT_DEFAULT_ARG)
               local_name = local_name->u.s_unary_num.sub;
+           if (local_name == NULL)
+             {
+               d_print_error (dpi);
+               return;
+             }
             while (local_name->type == DEMANGLE_COMPONENT_RESTRICT_THIS
                    || local_name->type == DEMANGLE_COMPONENT_VOLATILE_THIS
                    || local_name->type == DEMANGLE_COMPONENT_CONST_THIS
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected

index f8420efac901ecd4f40c191cee3867f2047c0e49..4f793c469670fe4868382a28070881a791db0d78 100644 (file)
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -4091,6 +4091,36 @@ void g<1>(A<1>&, B<static_cast<bool>(1)>&)
  _ZNKSt7complexIiE4realB5cxx11Ev
  std::complex<int>::real[abi:cxx11]() const
  #
+# Some more crashes revealed by fuzz-testing:
+# Check for NULL pointer when demangling trinary operators
+--format=gnu-v3
+_Z1fAv32_f
+_Z1fAv32_f
+# Do not overflow when decoding identifier length
+--format=gnu-v3
+_Z11111111111
+_Z11111111111
+# Check out-of-bounds access when decoding braced initializer list
+--format=gnu-v3
+_ZDTtl
+_ZDTtl
+# Check for NULL pointer when demangling DEMANGLE_COMPONENT_LOCAL_NAME
+--format=gnu-v3
+_ZZN1fEEd_lEv
+_ZZN1fEEd_lEv
+# Handle DEMANGLE_COMPONENT_FIXED_TYPE in d_find_pack
+--format=gnu-v3
+_Z1fDpDFT_
+_Z1fDpDFT_
+# Likewise, DEMANGLE_COMPONENT_DEFAULT_ARG
+--format=gnu-v3
+_Z1fIDpZ1fEd_E
+_Z1fIDpZ1fEd_E
+# Likewise, DEMANGLE_COMPONENT_NUMBER
+--format=gnu-v3
+_Z1fDpDv1_c
+f((char __vector(1))...)
+#
  # Ada (GNAT) tests.
  #
  # Simple test.
author	Jakub Jelinek <jakub@redhat.com>
	Thu, 19 May 2016 12:02:19 +0000 (14:02 +0200)
committer	Jakub Jelinek <jakub@gcc.gnu.org>
	Thu, 19 May 2016 12:02:19 +0000 (14:02 +0200)
libiberty/ChangeLog		patch \| blob \| blame \| history
libiberty/cp-demangle.c		patch \| blob \| blame \| history
libiberty/testsuite/demangle-expected		patch \| blob \| blame \| history