From: ibuclaw@gdcproject.org
To: lsferreira@riseup.net, Luís Ferreira, gcc-patches@gcc.gnu.org
Subject: Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
Date: Thu, 23 Sep 2021 12:16:35 +0200 (CEST)
Message-ID: <455464371.70186.1632392201366@office.mailbox.org>

> On 22/09/2021 03:10 Luís Ferreira wrote:
> 
> Currently a stack/heap overflow may happen if a crafted mangle is
> maliciously used to cause denial of service, such as intentional crashes
> by accessing a reserved memory space.
> 

Hi,

Thanks for this. Is there a test that could trigger this code path?

Iain.

> Signed-off-by: Luís Ferreira
> ---
>  libiberty/d-demangle.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
> index a2152cc65518..7ded3e2a2563 100644
> --- a/libiberty/d-demangle.c
> +++ b/libiberty/d-demangle.c
> @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char *mangled,
>  
>    /* Must point to a simple identifier.  */
>    backref = dlang_number (backref, &len);
> -  if (backref == NULL)
> +  if (backref == NULL || strlen(backref) < len)
>      return NULL;
>  
>    backref = dlang_lname (decl, backref, len);
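Review bot: the new bound `strlen(backref) < len` in dlang_symbol_backref still admits `len == 0`, since strlen is never negative, so a backref whose length prefix decodes to zero reaches dlang_lname as an empty identifier; a zero-length identifier is not a meaningful backref target, so reject it on the same line, e.g. `if (backref == NULL || len == 0 || strlen (backref) < len)`. Two smaller points on that line: the surrounding code is GNU style with a space before the parenthesis (`dlang_number (backref, &len)`, `dlang_lname (decl, backref, len)`), so write `strlen (backref)`; and because the bound is really a precondition of dlang_lname, checking it inside dlang_lname would cover every caller rather than only this site. A testsuite entry with a backref whose declared length exceeds the remaining input would answer Iain's question above and pin the fix against regression.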
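The over-read the commit message describes, as an added C example that is not libiberty code and not the patch author's: a toy decoder for length-prefixed identifiers (`3foo3bar` decodes to `foo.bar`) in the pre-patch shape that trusts the length prefix, beside the post-patch shape that applies the same `strlen (p) < len` bound the hunk adds before dlang_lname. The function names, the simplified number parsing, the output buffer handling and the sample inputs are all constructed here; the real demangler's dlang_number, dlang_lname and backref handling are more involved.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Parse a decimal length prefix.  Returns a pointer past the digits, or NULL
   when there is no digit or the value would overflow unsigned long.
   Simplified stand-in for the real dlang_number (assumption). */
static const char *parse_len(const char *p, unsigned long *len)
{
  unsigned long val = 0;
  if (p == NULL || *p < '0' || *p > '9')
    return NULL;
  while (*p >= '0' && *p <= '9')
    {
      unsigned long d = (unsigned long)(*p - '0');
      if (val > (ULONG_MAX - d) / 10)
        return NULL;            /* length prefix would overflow */
      val = val * 10 + d;
      p++;
    }
  *len = val;
  return p;
}

/* Pre-patch shape: trusts LEN and copies that many bytes out of P.  With a
   crafted prefix larger than the bytes remaining in P this reads past the
   end of the input.  Kept for contrast only; never run it on untrusted input. */
static const char *lname_unchecked(const char *p, unsigned long len,
                                   char *out, size_t outsz)
{
  if (len >= outsz)
    return NULL;
  memcpy(out, p, len);
  out[len] = '\0';
  return p + len;
}

/* Post-patch shape: refuse a LEN that exceeds the bytes left in P (the bound
   the hunk adds) and a zero-length identifier, then copy. */
static const char *lname_checked(const char *p, unsigned long len,
                                 char *out, size_t outsz)
{
  if (p == NULL || len == 0 || strlen(p) < len || len >= outsz)
    return NULL;
  memcpy(out, p, len);
  out[len] = '\0';
  return p + len;
}

/* Decode "3foo3bar"-style input into "foo.bar".  Returns 0 on success and -1
   when the input is malformed or claims more bytes than it carries. */
int decode_qualified(const char *mangled, char *out, size_t outsz)
{
  size_t used = 0;
  const char *p = mangled;
  if (p == NULL || *p == '\0' || outsz == 0)
    return -1;
  out[0] = '\0';
  while (*p != '\0')
    {
      unsigned long len;
      const char *q = parse_len(p, &len);
      if (q == NULL)
        return -1;
      if (used > 0)
        {
          if (used + 1 >= outsz)
            return -1;          /* no room for the separator */
          out[used++] = '.';
        }
      q = lname_checked(q, len, out + used, outsz - used);
      if (q == NULL)
        return -1;
      used += len;
      p = q;
    }
  return 0;
}

int main(void)
{
  char buf[64];
  /* Constructed samples: one well-formed, one with a prefix that overstates
     the remaining input (9 declared, 3 present). */
  const char *good = "3foo3bar";
  const char *crafted = "3foo9bar";
  printf("%s -> %s\n", good,
         decode_qualified(good, buf, sizeof buf) == 0 ? buf : "rejected");
  printf("%s -> %s\n", crafted,
         decode_qualified(crafted, buf, sizeof buf) == 0 ? buf : "rejected");
  /* The unchecked copier is only ever handed honest input here. */
  lname_unchecked("foo", 3, buf, sizeof buf);
  printf("unchecked on honest input -> %s\n", buf);
  return 0;
}
```

The difference between the two copiers is the one-term bound the patch adds; everything else (the overflow guard in `parse_len`, the output-size checks) is there so the example itself cannot be the thing that overflows.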