public inbox for gcc-patches@gcc.gnu.org
* [PATCH 05/10] libiberty: Fix stack underflow in dlang_parse_integer()
@ 2019-01-11  0:17 Ben L
  2019-04-30 14:35 ` Jeff Law
  0 siblings, 1 reply; 2+ messages in thread
From: Ben L @ 2019-01-11  0:17 UTC (permalink / raw)
  To: gcc-patches


Hi all,

First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
there are obvious errors repeated in my patches. AFAICT I should be sending each
change individually rather than as one bulk patch, so I'm sorry about the spam
too.

All of these changes were found by fuzzing libiberty's demanglers over the
past week, and I have at least one more that it's currently crashing out on
but I haven't had time to look into why yet.

Obviously since this is my first time emailing I don't have write access to
commit any of these, so if any are approved then I'd be grateful if you can
commit them too.

Thanks,
Ben

--

A char array of size 10 was created on the stack to hold the decimal
representation of a long, which on my platform is 64 bits and hence has a
maximum value of 9223372036854775807, far exceeding 10 characters.

Fix this by bumping the size of the array to 20 characters.

     * d-demangle.c (dlang_parse_integer): Fix stack underflow.
     * testsuite/d-demangle-expected: Add testcase.


[-- Attachment #2: 0005-libiberty-Fix-stack-underflow-in-dlang_parse_integer.patch --]

From 56a6202c87543dbf0a15d99e4dcb01507bf70f57 Mon Sep 17 00:00:00 2001
From: bobsayshilol <bobsayshilol@live.co.uk>
Date: Wed, 9 Jan 2019 22:24:19 +0000
Subject: [PATCH 05/10] libiberty: Fix stack underflow in
 dlang_parse_integer().

A char array of size 10 was created on the stack to hold the decimal
representation of a long, which on my platform is 64 bits and hence has a
maximum value of 9223372036854775807, far exceeding 10 characters.

Fix this by bumping the size of the array to 20 characters.

    * d-demangle.c (dlang_parse_integer): Fix stack underflow.
    * testsuite/d-demangle-expected: Add testcase.

diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index 8acbf04..114d9e0 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -939,8 +939,8 @@ dlang_parse_integer (string *decl, const char *mangled, char type)
   if (type == 'a' || type == 'u' || type == 'w')
     {
       /* Parse character value.  */
-      char value[10];
-      int pos = 10;
+      char value[20];
+      int pos = sizeof(value);
       int width = 0;
       long val;
 
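Review bot: `char value[20];` swaps one magic number for another, and nothing at the declaration says why 20 is enough; add a comment giving the bound (the 9223372036854775807 quoted in the commit message is 19 digits, and a sign would make it exactly 20, so there is no slack), or derive the size from the type the `long val` below is declared with. Style: GNU formatting, which this file follows elsewhere (`string_appendn (decl, ...)`), puts a space before the parenthesis, so `int pos = sizeof (value);`; `sizeof` also yields `size_t`, so an explicit `(int)` cast would keep the `int pos` assignment warning-free under -Wconversion.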
@@ -991,7 +991,7 @@ dlang_parse_integer (string *decl, const char *mangled, char type)
 	  for (; width > 0; width--)
 	    value[--pos] = '0';
 
-	  string_appendn (decl, &(value[pos]), 10 - pos);
+	  string_appendn (decl, &(value[pos]), sizeof(value) - pos);
 	}
       string_append (decl, "'");
     }
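Review bot: the padding loop `for (; width > 0; width--) value[--pos] = '0';` still decrements `pos` with no check that it stays above zero, so the fix holds only as long as the digits already written plus `width` never exceed `sizeof (value)`; a guard such as `for (; width > 0 && pos > 0; width--)` or an assert on `pos` would stop a later change to the width values from reintroducing the underflow. In `string_appendn (decl, &(value[pos]), sizeof(value) - pos);` the length is `size_t` minus `int`, evaluated as `size_t`, which is fine only because `pos <= sizeof (value)` holds by construction; the same GNU-style `sizeof (value)` spacing applies here.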
diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected
index 547a2dd..9988238 100644
--- a/libiberty/testsuite/d-demangle-expected
+++ b/libiberty/testsuite/d-demangle-expected
@@ -1306,3 +1306,7 @@ rt.lifetime._d_newarrayOpT!(_d_newarrayiT)._d_newarrayOpT(const(TypeInfo), ulong
 --format=dlang
 _D4core8demangle16__T6mangleTFZPvZ6mangleFNaNbNfAxaAaZ11DotSplitter5emptyMxFNaNbNdNiNfZb
 core.demangle.mangle!(void*() function).mangle(const(char)[], char[]).DotSplitter.empty() const
+# Could crash
+--format=dlang
+_D8__T2fnVa8888888888888_
+_D8__T2fnVa8888888888888_
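Review bot: `# Could crash` does not say what the input exercises; expand it to note that the run of 8s after `Va` in `_D8__T2fnVa8888888888888_` is longer than the 10-character `value` array the old dlang_parse_integer used, and that the expected line being the mangled name unchanged means the demangler is expected to reject the symbol rather than crash. Pairing it with a case that still demangles successfully at the new upper bound would cover the accepted path as well as the rejected one.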
-- 
2.20.1


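A defensive version of the right-to-left rendering the commit message describes, added here as an illustration and not libiberty's own code: the buffer size is derived from the type instead of a hand-picked constant, and every write checks for room so an undersized buffer fails cleanly instead of underflowing. DECIMAL_CHARS_FOR, render_long and renders_as are assumed names, and the decimal rendering follows the commit message rather than the full d-demangle.c routine.

```c
#include <limits.h>
#include <string.h>

/* Decimal length bound for any value of TYPE: bits * log10(2) rounded up,
   plus a sign and one spare.  22 for a 64-bit long (LONG_MIN needs 20).  */
#define DECIMAL_CHARS_FOR(type) \
  ((int) (sizeof (type) * CHAR_BIT * 302 / 1000 + 3))

/* Render VAL in decimal from the end of BUF, zero-padded to WIDTH
   characters, as dlang_parse_integer fills its local array.  Returns the
   length (text starts at buf[bufsize - len]), or -1 when BUF is too
   small instead of writing below buf[0].  */
int
render_long (long val, int width, char *buf, int bufsize)
{
  int pos = bufsize;
  /* Take the magnitude as unsigned so that LONG_MIN negates safely.  */
  unsigned long mag = val < 0 ? 0UL - (unsigned long) val : (unsigned long) val;
  do
    {
      if (pos == 0)
        return -1;
      buf[--pos] = (char) ('0' + mag % 10);
      mag /= 10;
      width--;
    }
  while (mag > 0);
  /* Leading zeros and the sign: check the remaining room once.  */
  if ((width > 0 ? width : 0) + (val < 0) > pos)
    return -1;
  for (; width > 0; width--)
    buf[--pos] = '0';
  if (val < 0)
    buf[--pos] = '-';
  return bufsize - pos;
}

/* Check helper: render into the first BUFSIZE bytes of a correctly sized
   array; -1 if it does not fit, 1 if the text equals EXPECTED, else 0.  */
int
renders_as (long val, int width, int bufsize, const char *expected)
{
  char buf[DECIMAL_CHARS_FOR (long)];
  int n = render_long (val, width, buf, bufsize);
  if (n < 0)
    return -1;
  return n == (int) strlen (expected)
         && memcmp (buf + bufsize - n, expected, (size_t) n) == 0;
}
```

With a 10-byte slice, an 11-character value is reported as not fitting; with the derived size, LONG_MIN and LONG_MAX both render.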

* Re: [PATCH 05/10] libiberty: Fix stack underflow in dlang_parse_integer()
  2019-01-11  0:17 [PATCH 05/10] libiberty: Fix stack underflow in dlang_parse_integer() Ben L
@ 2019-04-30 14:35 ` Jeff Law
  0 siblings, 0 replies; 2+ messages in thread
From: Jeff Law @ 2019-04-30 14:35 UTC (permalink / raw)
  To: Ben L, gcc-patches

On 1/10/19 5:17 PM, Ben L wrote:
> Hi all,
> 
> First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
> there are obvious errors repeated in my patches. AFAICT I should be sending each
> change individually rather than as one bulk patch, so I'm sorry about the spam
> too.
> 
> All of these changes were found by fuzzing libiberty's demanglers over the
> past week, and I have at least one more that it's currently crashing out on
> but I haven't had time to look into why yet.
> 
> Obviously since this is my first time emailing I don't have write access to
> commit any of these, so if any are approved then I'd be grateful if you can
> commit them too.
> 
> Thanks,
> Ben
> 
> --
> 
> A char array of size 10 was created on the stack to hold the decimal
> representation of a long, which on my platform is 64 bits and hence has a
> maximum value of 9223372036854775807, far exceeding 10 characters.
> 
> Fix this by bumping the size of the array to 20 characters.
> 
>      * d-demangle.c (dlang_parse_integer): Fix stack underflow.
>      * testsuite/d-demangle-expected: Add testcase.
> 
Thanks.  I've installed this on the trunk.
jeff

