https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103893
Bug ID: 103893
Summary: ada demangler heap overflow
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: amodra at gmail dot com
Target Milestone: ---
>From https://sourceware.org/bugzilla/show_bug.cgi?id=28736
valgrind c++filt -s gnat vfffffSO__fffSO
==1573233== Invalid write of size 1
==1573233== at 0x4848DCC: strcpy (vg_replace_strmem.c:523)
==1573233== by 0x72688C: ada_demangle (cplus-dem.c:338)
==1573233== by 0x726ABA: cplus_demangle (cplus-dem.c:187)
==1573233== by 0x4038E8: demangle_it (cxxfilt.c:66)
==1573233== by 0x403AEC: main (cxxfilt.c:203)
==1573233== Address 0x4a60057 is 0 bytes after a block of size 23 alloc'd
==1573233== at 0x4842839: malloc (vg_replace_malloc.c:380)
==1573233== by 0x737A6B: xmalloc (xmalloc.c:147)
==1573233== by 0x726617: ada_demangle (cplus-dem.c:223)
==1573233== by 0x726ABA: cplus_demangle (cplus-dem.c:187)
==1573233== by 0x4038E8: demangle_it (cxxfilt.c:66)
==1573233== by 0x403AEC: main (cxxfilt.c:203)
The following comment in cplus-dem.c:ada_demangle is false for fuzzed input,
specifically the part that says "they occur only once".
/* Most of the demangling will trivially remove chars. Operator names
may add one char but because they are always preceeded by '__' which is
replaced by '.', they eventually never expand the size.
A few special names such as '___elabs' add a few chars (at most 7), but
they occur only once. */
len0 = strlen (mangled) + 7 + 1;
demangled = XNEWVEC (char, len0);
