public inbox for gcc-bugs@sourceware.org
* [Bug c++/99189] New: cxxfilt may exist a uaf
@ 2021-02-22  3:06 zyt1024 at bupt dot edu.cn
From: zyt1024 at bupt dot edu.cn @ 2021-02-22  3:06 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99189

            Bug ID: 99189
           Summary: cxxfilt may exist a uaf
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: zyt1024 at bupt dot edu.cn
  Target Milestone: ---

In version 2.26 of cxxfilt, Valgrind reports an invalid write of size 4.

# valgrind ./cxxfilt `cat
cxxfilt_12.29-12.30-24h-run3/error_level/level-2-26-g64.txt`
==24019== Memcheck, a memory error detector
==24019== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==24019== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==24019== Command: ./cxxfilt ._Q0AEQW__Jd3__^xewx_v6_$_[_O_2C__:
==24019==
==24019== Invalid write of size 4
==24019==    at 0x813A8E5: register_Btype (cplus-dem.c:4319)
==24019==    by 0x8139F8C: demangle_fund_type (cplus-dem.c:4015)
==24019==    by 0x813984F: do_type (cplus-dem.c:3811)
==24019==    by 0x813A5B4: do_arg (cplus-dem.c:4231)
==24019==    by 0x813ADA9: demangle_args (cplus-dem.c:4514)
==24019==    by 0x8135A90: demangle_signature (cplus-dem.c:1642)
==24019==    by 0x8134D07: internal_cplus_demangle (cplus-dem.c:1203)
==24019==    by 0x8134466: cplus_demangle (cplus-dem.c:886)
==24019==    by 0x8049A23: demangle_it (cxxfilt.c:62)
==24019==    by 0x8049E21: main (cxxfilt.c:227)
==24019==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==24019==
==24019==
..

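As an added triage example (not part of the bug report or of the binutils/libiberty code), the script below parses a Memcheck block like the one in the report above, extracts the faulting frame, and classifies the access from Valgrind's own description of the address. Run on the report's output it yields a write to address 0x0 in register_Btype, i.e. a null-pointer write, which is the distinction a triager wants before accepting the "uaf" label in the title. The Memcheck lines embedded as SAMPLE are copied from the report; the classification strings are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Memcheck block from the report above, embedded as the sample input.
SAMPLE = """\
==24019== Invalid write of size 4
==24019==    at 0x813A8E5: register_Btype (cplus-dem.c:4319)
==24019==    by 0x8139F8C: demangle_fund_type (cplus-dem.c:4015)
==24019==    by 0x813984F: do_type (cplus-dem.c:3811)
==24019==    by 0x8049E21: main (cxxfilt.c:227)
==24019==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==24019==
"""

ERR_RE = re.compile(r"^==\d+== (Invalid (?:read|write)) of size (\d+)\s*$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)\s*$")
ADDR_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) (.*?)\s*$")

@dataclass
class MemcheckError:
    kind: str                      # "Invalid read" / "Invalid write"
    size: int                      # access width in bytes
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (function, file:line)
    address: Optional[int] = None
    address_note: str = ""         # Valgrind's description of the address

    def classify(self) -> str:
        """Map Valgrind's address description onto a bug class (labels are ours)."""
        if self.address is not None and self.address < 0x1000:
            return "null-pointer dereference"
        if "free'd" in self.address_note and "not stack'd" not in self.address_note:
            return "use-after-free"
        if " after a block" in self.address_note or " before a block" in self.address_note:
            return "heap buffer overflow"
        return "wild pointer (unmapped or unknown address)"

def parse_memcheck(text: str) -> List[MemcheckError]:
    """Collect every 'Invalid read/write' block with its stack and address note."""
    errors: List[MemcheckError] = []
    for line in text.splitlines():
        if m := ERR_RE.match(line):
            errors.append(MemcheckError(kind=m.group(1), size=int(m.group(2))))
        elif errors and (m := FRAME_RE.match(line)):
            errors[-1].frames.append((m.group(1), m.group(2)))
        elif errors and (m := ADDR_RE.match(line)):
            errors[-1].address = int(m.group(1), 16)
            errors[-1].address_note = m.group(2)
    return errors
```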

* [Bug demangler/99189] cxxfilt may exist a uaf
From: marxin at gcc dot gnu.org @ 2021-02-22  9:53 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99189

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |WAITING
   Last reconfirmed|                            |2021-02-22
                 CC|                            |marxin at gcc dot gnu.org

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Please attach the input.


* [Bug demangler/99189] cxxfilt may exist a uaf
From: zyt1024 at bupt dot edu.cn @ 2021-02-22 10:01 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99189

--- Comment #2 from zhangyuntao <zyt1024 at bupt dot edu.cn> ---
Created attachment 50231
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=50231&action=edit
PoC


* [Bug demangler/99189] cxxfilt may exist a uaf
From: marxin at gcc dot gnu.org @ 2021-02-22 10:09 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99189

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW
           Keywords|                            |ice-on-invalid-code

--- Comment #3 from Martin Liška <marxin at gcc dot gnu.org> ---
Ok, the input is garbage.
