public inbox for gcc-patches@gcc.gnu.org
* [PATCH 06/10] libiberty: Correctly handle error result in dlang_parse_arrayliteral()
@ 2019-01-11  0:17 Ben L
  2019-04-30 14:36 ` Jeff Law
  0 siblings, 1 reply; 2+ messages in thread
From: Ben L @ 2019-01-11  0:17 UTC (permalink / raw)
  To: gcc-patches

[-- Attachment #1: Type: text/plain, Size: 994 bytes --]

Hi all,

First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
there's obvious errors repeated in my patches. AFAICT I should be sending each
change individually rather than as one bulk patch, so I'm sorry about the spam
too.

All of these changes were found by fuzzing libiberty's demanglers over the
past week, and I have at least one more that it's currently crashing out on
but I haven't had time to look into why yet.

Obviously since this is my first time emailing I don't have write access to
commit any of these, so if any are approved then I'd be grateful if you can
commit them too.

Thanks,
Ben

--

The number of elements were being taken as valid and for each one a separator
was appended to the output, resulting in a huge memory bloat before crashing
later on due to a signed integer overflow.

     * d-demangle.c (dlang_parse_arrayliteral): Correctly handle error result.
     * testsuite/d-demangle-expected: Add testcase.


[-- Attachment #2: 0006-libiberty-Correctly-handle-error-result-in-dlang_par.patch --]
[-- Type: text/x-patch; name="0006-libiberty-Correctly-handle-error-result-in-dlang_par.patch", Size: 1537 bytes --]

From 8eca61f41b70891f4e2c456c4a12c06d3b4f3a3f Mon Sep 17 00:00:00 2001
From: bobsayshilol <bobsayshilol@live.co.uk>
Date: Wed, 9 Jan 2019 22:33:27 +0000
Subject: [PATCH 06/10] libiberty: Correctly handle error result in
 dlang_parse_arrayliteral().

The number of elements were being taken as valid and for each one a separator
was appended to the output, resulting in a huge memory bloat before crashing
later on due to a signed integer overflow.

    * d-demangle.c (dlang_parse_arrayliteral): Correctly handle error result.
    * testsuite/d-demangle-expected: Add testcase.

diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index 114d9e0..303d2ee 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -1191,6 +1191,9 @@ dlang_parse_arrayliteral (string *decl, const char *mangled)
   while (elements--)
     {
       mangled = dlang_value (decl, mangled, NULL, '\0');
+      if (mangled == NULL)
+	return NULL;
+
       if (elements != 0)
 	string_append (decl, ", ");
     }
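Review bot: the loop bound in `while (elements--)` is still whatever count was read from the mangled name, and nothing in this hunk shows `elements` being range-checked before the loop is entered. The added `if (mangled == NULL) return NULL;` is in the right place, ahead of `string_append (decl, ", ")`, so a failed element no longer keeps appending separators. It would still be worth confirming that a negative or implausibly large count is rejected before the loop rather than relying on `dlang_value` failing on the first bad element. Note also that on the early return `decl` keeps whatever was appended for the earlier elements, so callers need to discard it when NULL comes back; a one-line comment on the check saying so would help the next reader.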
diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected
index 9988238..19665f5 100644
--- a/libiberty/testsuite/d-demangle-expected
+++ b/libiberty/testsuite/d-demangle-expected
@@ -1310,3 +1310,7 @@ core.demangle.mangle!(void*() function).mangle(const(char)[], char[]).DotSplitte
 --format=dlang
 _D8__T2fnVa8888888888888_
 _D8__T2fnVa8888888888888_
+# Could crash
+--format=dlang
+_D5__T2fnVmA1A1A911111111D
+_D5__T2fnVmA1A1A911111111D
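Review bot: the `# Could crash` comment on the new test entry does not say what is being exercised, so a later reader cannot tell which code path this input guards. Suggest naming the case in the comment, for example that it is an array literal whose element fails to parse, matching the `dlang_parse_arrayliteral` change. The expected line is identical to the input line, the same pattern as the `_D8__T2fnVa8888888888888_` entry just above, so the test asserts that the symbol is returned undemangled instead of crashing; saying that in the comment would make the intent explicit.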
-- 
2.20.1



* Re: [PATCH 06/10] libiberty: Correctly handle error result in dlang_parse_arrayliteral()
  2019-01-11  0:17 [PATCH 06/10] libiberty: Correctly handle error result in dlang_parse_arrayliteral() Ben L
@ 2019-04-30 14:36 ` Jeff Law
  0 siblings, 0 replies; 2+ messages in thread
From: Jeff Law @ 2019-04-30 14:36 UTC (permalink / raw)
  To: Ben L, gcc-patches

On 1/10/19 5:17 PM, Ben L wrote:
> Hi all,
> 
> First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
> there's obvious errors repeated in my patches. AFAICT I should be sending each
> change individually rather than as one bulk patch, so I'm sorry about the spam
> too.
> 
> All of these changes were found by fuzzing libiberty's demanglers over the
> past week, and I have at least one more that it's currently crashing out on
> but I haven't had time to look into why yet.
> 
> Obviously since this is my first time emailing I don't have write access to
> commit any of these, so if any are approved then I'd be grateful if you can
> commit them too.
> 
> Thanks,
> Ben
> 
> --
> 
> The number of elements were being taken as valid and for each one a separator
> was appended to the output, resulting in a huge memory bloat before crashing
> later on due to a signed integer overflow.
> 
>      * d-demangle.c (dlang_parse_arrayliteral): Correctly handle error result.
>      * testsuite/d-demangle-expected: Add testcase.
> 
Thanks.  Installed on the trunk.

jeff
