Bug found in libiberty by Coverity software

Bug found in libiberty by Coverity software

[Kevin MacDonell]

Coverity has found a long-standing potential issue in this file:

File:		cp-demangle.c
Function:	d_print_comp

The problem is that the while loop below executes until 'typed_name ==
NULL'.  Then immediately after the loop, typed_name is dereferenced.  If
the loop exits when typed_name is NULL, dereferencing it should cause a
crash.

It is possible that this condition is never encountered if the break at
line 2735 is always taken.

The fix would be a check for typed_name == NULL at the termination of
the while loop, and deal with it appropriately.

Best regards,

Kevin

----------<CLIP>-----------------------------------

2716 		typed_name = d_left (dc);
Event var_compare_op: Added "typed_name" due to comparison "typed_name
!= 0"
At conditional (1): "typed_name != 0" taking false path
2717 		while (typed_name != NULL)
2718 		  {
2719 		    if (i >= sizeof adpm / sizeof adpm[0])
2720 		      {
2721 			d_print_error (dpi);
2722 			return;
2723 		      }
2724 	
2725 		    adpm[i].next = dpi->modifiers;
2726 		    dpi->modifiers = &adpm[i];
2727 		    adpm[i].mod = typed_name;
2728 		    adpm[i].printed = 0;
2729 		    adpm[i].templates = dpi->templates;
2730 		    ++i;
2731 	
2732 		    if (typed_name->type !=
DEMANGLE_COMPONENT_RESTRICT_THIS
2733 			&& typed_name->type !=
DEMANGLE_COMPONENT_VOLATILE_THIS
2734 			&& typed_name->type !=
DEMANGLE_COMPONENT_CONST_THIS)
2735 		      break;
2736 	
2737 		    typed_name = d_left (typed_name);
2738 		  }
2739 	
2740 		/* If typed_name is a template, then it applies to the
2741 		   function type as well.  */
Event var_deref_op: Variable "typed_name" tracked as NULL was
dereferenced.
2742 		if (typed_name->type == DEMANGLE_COMPONENT_TEMPLATE)
2743 		  {
2744 		    dpt.next = dpi->templates;
2745 		    dpi->templates = &dpt;
2746 		    dpt.template_decl = typed_name;
2747 		  }