[Bug demangler/103893] New: ada demangler heap overflow

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug demangler/103893] New: ada demangler heap overflow
@ 2022-01-03  1:59 amodra at gmail dot com
  2022-01-03  2:18 ` [Bug demangler/103893] " pinskia at gcc dot gnu.org
  0 siblings, 1 reply; 2+ messages in thread
From: amodra at gmail dot com @ 2022-01-03  1:59 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103893

            Bug ID: 103893
           Summary: ada demangler heap overflow
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: demangler
          Assignee: unassigned at gcc dot gnu.org
          Reporter: amodra at gmail dot com
  Target Milestone: ---

>From https://sourceware.org/bugzilla/show_bug.cgi?id=28736

valgrind c++filt -s gnat vfffffSO__fffSO

==1573233== Invalid write of size 1
==1573233==    at 0x4848DCC: strcpy (vg_replace_strmem.c:523)
==1573233==    by 0x72688C: ada_demangle (cplus-dem.c:338)
==1573233==    by 0x726ABA: cplus_demangle (cplus-dem.c:187)
==1573233==    by 0x4038E8: demangle_it (cxxfilt.c:66)
==1573233==    by 0x403AEC: main (cxxfilt.c:203)
==1573233==  Address 0x4a60057 is 0 bytes after a block of size 23 alloc'd
==1573233==    at 0x4842839: malloc (vg_replace_malloc.c:380)
==1573233==    by 0x737A6B: xmalloc (xmalloc.c:147)
==1573233==    by 0x726617: ada_demangle (cplus-dem.c:223)
==1573233==    by 0x726ABA: cplus_demangle (cplus-dem.c:187)
==1573233==    by 0x4038E8: demangle_it (cxxfilt.c:66)
==1573233==    by 0x403AEC: main (cxxfilt.c:203)

The following comment in cplus-dem.c:ada_demangle is false for fuzzed input,
specifically the part that says "they occur only once".

  /* Most of the demangling will trivially remove chars.  Operator names
     may add one char but because they are always preceeded by '__' which is
     replaced by '.', they eventually never expand the size.
     A few special names such as '___elabs' add a few chars (at most 7), but
     they occur only once.  */
  len0 = strlen (mangled) + 7 + 1;
  demangled = XNEWVEC (char, len0);

^ permalink raw reply	[flat|nested] 2+ messages in thread

* [Bug demangler/103893] ada demangler heap overflow
  2022-01-03  1:59 [Bug demangler/103893] New: ada demangler heap overflow amodra at gmail dot com
@ 2022-01-03  2:18 ` pinskia at gcc dot gnu.org
  0 siblings, 0 replies; 2+ messages in thread
From: pinskia at gcc dot gnu.org @ 2022-01-03  2:18 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103893

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Dup of bug 92453. A patch was posted even.

*** This bug has been marked as a duplicate of bug 92453 ***

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-01-03  2:18 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-03  1:59 [Bug demangler/103893] New: ada demangler heap overflow amodra at gmail dot com
2022-01-03  2:18 ` [Bug demangler/103893] " pinskia at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).