[Bug driver/112983] New: gcc.cc: do_spec_1, ICE if missing '}' for %x{...}

[Bug driver/112983] New: gcc.cc: do_spec_1, ICE if missing '}' for %x{...}

[pexu@gcc-bugzilla.mail.kapsi.fi]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112983

            Bug ID: 112983
           Summary: gcc.cc: do_spec_1, ICE if missing '}' for %x{...}
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: driver
          Assignee: unassigned at gcc dot gnu.org
          Reporter: pexu@gcc-bugzilla.mail.kapsi.fi
  Target Milestone: ---

Hi.

# cat bracegracemisery.specs
*self_spec: %x{
# gcc --specs=bracegracemisery.specs -E - < /dev/null > /dev/null
Segmentation fault (core dumped)

Happens because when looking for the terminating '}' character the loop
condition does not check if the input buffer runs out.

gcc.cc:
https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=gcc/gcc.cc;h=701f5cdfb59c8f60c9c9bee310ef9de03d1ece27;hb=refs/heads/master#l6683
6683:         while (*p++ != '}')
6684:           ;

Due to memory layout reproducing this might be difficult (or impossible) or
yield other diagnosted errors (should the out of bounds read contain the
terminating character prior an invalid memory location is accessed).

[Bug driver/112983] gcc.cc: do_spec_1, ICE if missing '}' for %x{...}

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112983

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2023-12-12
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |NEW
      Known to fail|                            |2.95

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Confirmed, this code has been there since the driver code was added to revision
control back in 1992.