https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92453
Bug ID: 92453
Summary: write buffer overflow in cplus_demangle()
Product: gcc
Version: 9.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: tim.ruehsen at gmx dot de
Target Milestone: ---

The following code, compiled in libiberty/, causes a write buffer overflow in cplus_demangle().

### repro1.c ###
#include <stdlib.h>
#include "../include/demangle.h"

int main(void)
{
  /* Demangle a GNAT (Ada) symbol; this input triggers the overflow in ada_demangle(). */
  char *res = cplus_demangle("a_dSO__dSO__d_d", DMGL_GNAT);
  free(res);
  return 0;
}

###
gcc repro1.c -o repro1 libiberty.a
valgrind ./repro1

==4906== Invalid write of size 1
==4906==    at 0x10B763: ada_demangle (cplus-dem.c:477)
==4906==    by 0x10B8CE: cplus_demangle (cplus-dem.c:195)
==4906==    by 0x10B219: main (in /home/tim/src/binutils-gdb/libiberty/repro1)
==4906==  Address 0x4a4e057 is 0 bytes after a block of size 23 alloc'd
==4906==    at 0x483577F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==4906==    by 0x1184F0: xmalloc (xmalloc.c:147)
==4906==    by 0x10B372: ada_demangle (cplus-dem.c:252)
==4906==    by 0x10B8CE: cplus_demangle (cplus-dem.c:195)
==4906==    by 0x10B219: main (in /home/tim/src/binutils-gdb/libiberty/repro1)