public inbox for gcc-bugs@sourceware.org
* Bug found in libiberty by Coverity software
@ 2008-05-20 15:06 Kevin MacDonell
From: Kevin MacDonell @ 2008-05-20 15:06 UTC (permalink / raw)
To: gcc-bugs
Coverity has found a long-standing potential issue in this file:
File: cp-demangle.c
Function: d_print_comp
The problem is that the while loop below executes until 'typed_name ==
NULL'. Then immediately after the loop, typed_name is dereferenced. If
the loop exits when typed_name is NULL, dereferencing it should cause a
crash.
It is possible that this condition is never encountered if the break at
line 2735 is always taken.
The fix would be a check for typed_name == NULL at the termination of
the while loop, and deal with it appropriately.
Best regards,
Kevin
----------<CLIP>-----------------------------------
2716    typed_name = d_left (dc);
Event var_compare_op: Added "typed_name" due to comparison "typed_name != 0"
At conditional (1): "typed_name != 0" taking false path
2717    while (typed_name != NULL)
2718      {
2719        if (i >= sizeof adpm / sizeof adpm[0])
2720          {
2721            d_print_error (dpi);
2722            return;
2723          }
2724
2725        adpm[i].next = dpi->modifiers;
2726        dpi->modifiers = &adpm[i];
2727        adpm[i].mod = typed_name;
2728        adpm[i].printed = 0;
2729        adpm[i].templates = dpi->templates;
2730        ++i;
2731
2732        if (typed_name->type != DEMANGLE_COMPONENT_RESTRICT_THIS
2733            && typed_name->type != DEMANGLE_COMPONENT_VOLATILE_THIS
2734            && typed_name->type != DEMANGLE_COMPONENT_CONST_THIS)
2735          break;
2736
2737        typed_name = d_left (typed_name);
2738      }
2739
2740    /* If typed_name is a template, then it applies to the
2741       function type as well. */
Event var_deref_op: Variable "typed_name" tracked as NULL was dereferenced.
2742    if (typed_name->type == DEMANGLE_COMPONENT_TEMPLATE)
2743      {
2744        dpt.next = dpi->templates;
2745        dpi->templates = &dpt;
2746        dpt.template_decl = typed_name;
2747      }
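The loop shape from the report with the suggested post-loop NULL check, as an added example that is not part of the original message or of libiberty. The struct, enum and function names are hypothetical stand-ins for the demangler's types, and the input trees are constructed.

```c
#include <stddef.h>

/* Simplified stand-ins for the demangler's component tree (hypothetical
   types, not libiberty's own definitions). */
enum comp_type { COMP_NAME, COMP_TEMPLATE, COMP_CONST_THIS,
                 COMP_VOLATILE_THIS, COMP_RESTRICT_THIS };
struct comp { enum comp_type type; struct comp *left; };

/* Same shape as the reported loop: skip *_THIS qualifiers, then test the
   node under them. Returns 1 (template), 0 (other node), or -1 when the
   chain ran out, the path on which the original dereferences NULL. */
int typed_name_is_template(const struct comp *typed_name)
{
    while (typed_name != NULL) {
        if (typed_name->type != COMP_RESTRICT_THIS
            && typed_name->type != COMP_VOLATILE_THIS
            && typed_name->type != COMP_CONST_THIS)
            break;                     /* exit taken at line 2735 */
        typed_name = typed_name->left;
    }

    /* Check suggested in the report: the loop may also end on NULL. */
    if (typed_name == NULL)
        return -1;

    return typed_name->type == COMP_TEMPLATE;
}

/* Constructed input: const -> volatile -> NULL (qualifiers only). */
int demo_null_chain(void)
{
    struct comp v = { COMP_VOLATILE_THIS, NULL };
    struct comp c = { COMP_CONST_THIS, &v };
    return typed_name_is_template(&c);
}

/* Constructed input: const -> template. */
int demo_template(void)
{
    struct comp t = { COMP_TEMPLATE, NULL };
    struct comp c = { COMP_CONST_THIS, &t };
    return typed_name_is_template(&c);
}

int main(void)
{
    return (demo_null_chain() == -1 && demo_template() == 1) ? 0 : 1;
}
```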