[Bug other/22268] New: libiberty demanger crashes on (invalid) mangled name

[Bug other/22268] New: libiberty demanger crashes on (invalid) mangled name

[sb at biallas dot net]

I use the libiberty c++ name demangler for unmangling symbols. Since I don't
know whether the symbols are really mangled, the demangler will sometimes see
names which are either mangled with a completely different mangler or even not
mangled at all. 

This is quite a good stress test for the demangler and I've encountered a symbol
name on which it fails (crashes). The symbol is "ALsetchannels" which will be
regarded as an array type ('A') with exp-primary ('L'). But the exp-primary
end-marker ('E') is missing, this will result in an endless loop in
d_expr_primary(): 

2337  while (d_peek_char (di) != 'E')
2338	d_advance (di, 1);

Example program showing crash (or other undefined behaviour):

#include "demangle.h"
int main()
{
cplus_demangle_v3("ALsetchannels", DMGL_PARAMS | DMGL_ANSI | DMGL_TYPES);
return 0;
}

-- 
           Summary: libiberty demanger crashes on (invalid) mangled name
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: other
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: sb at biallas dot net
                CC: gcc-bugs at gcc dot gnu dot org


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=22268

[Bug other/22268] libiberty demanger crashes on (invalid) mangled name

[sb at biallas dot net]

------- Additional Comments From sb at biallas dot net  2005-07-01 15:11 -------
Created an attachment (id=9189)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=9189&action=view)
proposed patch

Patch against my local copy of cp-demangle.c
Should apply cleanly to the CVS version of libiberty.

-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=22268

[Bug other/22268] libiberty demanger crashes on (invalid) mangled name

[pinskia at gcc dot gnu dot org]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ian at airs dot com


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=22268

[Bug other/22268] libiberty demanger crashes on (invalid) mangled name

[cvs-commit at gcc dot gnu dot org]

------- Additional Comments From cvs-commit at gcc dot gnu dot org  2005-07-01 16:39 -------
Subject: Bug 22268

CVSROOT:	/cvs/gcc
Module name:	gcc
Changes by:	ian@gcc.gnu.org	2005-07-01 16:39:36

Modified files:
	libiberty      : ChangeLog cp-demangle.c 
	libiberty/testsuite: demangle-expected 

Log message:
	PR other/22268
	* cp-demangle.c (d_expr_primary): Don't run off the end of the
	string while looking for the end of a literal value.
	* testsuite/demangle-expected: Add test case.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libiberty/ChangeLog.diff?cvsroot=gcc&r1=1.586&r2=1.587
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libiberty/cp-demangle.c.diff?cvsroot=gcc&r1=1.82&r2=1.83
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/libiberty/testsuite/demangle-expected.diff?cvsroot=gcc&r1=1.32&r2=1.33



-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=22268

[Bug other/22268] libiberty demanger crashes on (invalid) mangled name

[ian at airs dot com]

------- Additional Comments From ian at airs dot com  2005-07-01 16:42 -------
Thanks for the test case and the patch.  I have committed a slightly different
patch, which should also fix the problem.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|---                         |4.1.0


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=22268