public inbox for gcc-bugs@sourceware.org
From: "Kevin MacDonell" <Kevin.MacDonell@access-company.com>
To: <gcc-bugs@gcc.gnu.org>
Subject: Bug found in libiberty by Coverity software
Date: Tue, 20 May 2008 15:06:00 -0000
Message-ID: <1C55F512CB2C824EA9E49BC48C539C16746A79@ussunex01.svl.access-company.com>

Coverity has found a long-standing potential issue in this file:

File:		cp-demangle.c
Function:	d_print_comp

The problem is that the while loop below executes until 'typed_name ==
NULL'.  Then immediately after the loop, typed_name is dereferenced.  If
the loop exits when typed_name is NULL, dereferencing it should cause a
crash.

It is possible that this condition is never encountered if the break at
line 2735 is always taken.

The fix would be a check for typed_name == NULL at the termination of
the while loop, and deal with it appropriately.

Best regards,

Kevin

----------<CLIP>-----------------------------------

2716 		typed_name = d_left (dc);
Event var_compare_op: Added "typed_name" due to comparison "typed_name != 0"
At conditional (1): "typed_name != 0" taking false path
2717 		while (typed_name != NULL)
2718 		  {
2719 		    if (i >= sizeof adpm / sizeof adpm[0])
2720 		      {
2721 			d_print_error (dpi);
2722 			return;
2723 		      }
2724 	
2725 		    adpm[i].next = dpi->modifiers;
2726 		    dpi->modifiers = &adpm[i];
2727 		    adpm[i].mod = typed_name;
2728 		    adpm[i].printed = 0;
2729 		    adpm[i].templates = dpi->templates;
2730 		    ++i;
2731 	
2732 		    if (typed_name->type != DEMANGLE_COMPONENT_RESTRICT_THIS
2733 			&& typed_name->type != DEMANGLE_COMPONENT_VOLATILE_THIS
2734 			&& typed_name->type != DEMANGLE_COMPONENT_CONST_THIS)
2735 		      break;
2736 	
2737 		    typed_name = d_left (typed_name);
2738 		  }
2739 	
2740 		/* If typed_name is a template, then it applies to the
2741 		   function type as well.  */
Event var_deref_op: Variable "typed_name" tracked as NULL was dereferenced.
2742 		if (typed_name->type == DEMANGLE_COMPONENT_TEMPLATE)
2743 		  {
2744 		    dpt.next = dpi->templates;
2745 		    dpi->templates = &dpt;
2746 		    dpt.template_decl = typed_name;
2747 		  }
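
The loop shape from the report, reduced to a self-contained C sketch with the post-loop NULL check the message proposes. This is an added example, not libiberty code: `struct comp`, `walk_typed_name`, `run_chain`, `MAX_MODS` and the `COMP_*` / `WALK_*` names are hypothetical stand-ins, and the chains are constructed inputs.

```c
#include <stddef.h>

/* Simplified stand-ins for the demangler's component tree (assumed shapes). */
enum comp_type { COMP_NAME, COMP_TEMPLATE, COMP_RESTRICT_THIS,
                 COMP_VOLATILE_THIS, COMP_CONST_THIS };
struct comp { enum comp_type type; struct comp *left; };
enum walk_result { WALK_ERROR = -1, WALK_PLAIN = 0, WALK_TEMPLATE = 1 };
#define MAX_MODS 4

/* Same loop shape as the report: count each node, stop at the first node
   that is not a this-qualifier, otherwise follow ->left. */
enum walk_result walk_typed_name (const struct comp *dc)
{
  const struct comp *typed_name = dc->left;
  size_t i = 0;
  while (typed_name != NULL) {
    if (i >= MAX_MODS)
      return WALK_ERROR;                /* mirrors the adpm[] bounds check */
    ++i;                                /* a modifier slot would be filled here */
    if (typed_name->type != COMP_RESTRICT_THIS
        && typed_name->type != COMP_VOLATILE_THIS
        && typed_name->type != COMP_CONST_THIS)
      break;
    typed_name = typed_name->left;
  }
  if (typed_name == NULL)               /* added guard: loop ran off the chain */
    return WALK_ERROR;
  return typed_name->type == COMP_TEMPLATE ? WALK_TEMPLATE : WALK_PLAIN;
}

/* Build a left-linked chain from types[0..n-1] (constructed input), walk it. */
enum walk_result run_chain (const enum comp_type *types, size_t n)
{
  struct comp nodes[8], dc = { COMP_NAME, NULL };
  size_t i;
  if (n > 8) return WALK_ERROR;
  for (i = 0; i < n; i++) {
    nodes[i].type = types[i];
    nodes[i].left = (i + 1 < n) ? &nodes[i + 1] : NULL;
  }
  dc.left = n ? &nodes[0] : NULL;
  return walk_typed_name (&dc);
}

int main (void)
{
  enum comp_type quals[] = { COMP_CONST_THIS, COMP_VOLATILE_THIS };
  return run_chain (quals, 2) == WALK_ERROR ? 0 : 1;
}
```

Without the guard, the qualifier-only chain and the empty chain both reach the final `typed_name->type` read with a NULL pointer, which is the path the two Coverity events trace.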

