[Bug c++/70481] [Regression] Libiberty Demangler segfaults
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

--- Comment #6 from Jakub Jelinek ---
Author: jakub
Date: Thu May 19 12:05:41 2016
New Revision: 236456

URL: https://gcc.gnu.org/viewcvs?rev=236456&root=gcc&view=rev
Log:
	Backported from mainline
	2016-05-19  Jakub Jelinek

	PR c++/70498
	* cp-demangle.c (d_expression_1): Formatting fix.

	2016-05-02  Marcel Böhme

	PR c++/70498
	* cp-demangle.c: Parse numbers as integer instead of long to avoid
	overflow after sanity checks. Include if available.
	(INT_MAX): Define if necessary.
	(d_make_template_param): Takes integer argument instead of long.
	(d_make_function_param): Likewise.
	(d_append_num): Likewise.
	(d_identifier): Likewise.
	(d_number): Parse as and return integer.
	(d_compact_number): Handle overflow.
	(d_source_name): Change variable type to integer for parsed number.
	(d_java_resource): Likewise.
	(d_special_name): Likewise.
	(d_discriminator): Likewise.
	(d_unnamed_type): Likewise.
	* testsuite/demangle-expected: Add regression test cases.

	2016-04-08  Marcel Böhme

	PR c++/69687
	* cplus-dem.c: Include if available.
	(INT_MAX): Define if necessary.
	(remember_type, remember_Ktype, register_Btype, string_need):
	Abort if we detect cases where the size of the allocation would
	overflow.

	PR c++/70492
	* cplus-dem.c (gnu_special): Handle case where consume_count returns
	-1.

	2016-03-31  Mikhail Maltsev
		    Marcel Bohme

	PR c++/67394
	PR c++/70481
	* cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing
	btypevec/ktypevec.
	* testsuite/demangle-expected: Add coverage tests.

Modified:
    branches/gcc-4_9-branch/libiberty/ChangeLog
    branches/gcc-4_9-branch/libiberty/cp-demangle.c
    branches/gcc-4_9-branch/libiberty/cplus-dem.c
    branches/gcc-4_9-branch/libiberty/testsuite/demangle-expected
[Bug c++/70481] [Regression] Libiberty Demangler segfaults
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

--- Comment #5 from Jakub Jelinek ---
Author: jakub
Date: Thu May 19 10:44:31 2016
New Revision: 236452

URL: https://gcc.gnu.org/viewcvs?rev=236452&root=gcc&view=rev
Log:
	Backported from mainline
	2016-05-19  Jakub Jelinek

	PR c++/70498
	* cp-demangle.c (d_expression_1): Formatting fix.

	2016-05-02  Marcel Böhme

	PR c++/70498
	* cp-demangle.c: Parse numbers as integer instead of long to avoid
	overflow after sanity checks. Include if available.
	(INT_MAX): Define if necessary.
	(d_make_template_param): Takes integer argument instead of long.
	(d_make_function_param): Likewise.
	(d_append_num): Likewise.
	(d_identifier): Likewise.
	(d_number): Parse as and return integer.
	(d_compact_number): Handle overflow.
	(d_source_name): Change variable type to integer for parsed number.
	(d_java_resource): Likewise.
	(d_special_name): Likewise.
	(d_discriminator): Likewise.
	(d_unnamed_type): Likewise.
	* testsuite/demangle-expected: Add regression test cases.

	2016-04-08  Marcel Böhme

	PR c++/69687
	* cplus-dem.c: Include if available.
	(INT_MAX): Define if necessary.
	(remember_type, remember_Ktype, register_Btype, string_need):
	Abort if we detect cases where the size of the allocation would
	overflow.

	PR c++/70492
	* cplus-dem.c (gnu_special): Handle case where consume_count returns
	-1.

	2016-03-31  Mikhail Maltsev
		    Marcel Bohme

	PR c++/67394
	PR c++/70481
	* cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing
	btypevec/ktypevec.
	* testsuite/demangle-expected: Add coverage tests.

Modified:
    branches/gcc-5-branch/libiberty/ChangeLog
    branches/gcc-5-branch/libiberty/cp-demangle.c
    branches/gcc-5-branch/libiberty/cplus-dem.c
    branches/gcc-5-branch/libiberty/testsuite/demangle-expected
[Bug c++/70481] [Regression] Libiberty Demangler segfaults
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

Jeffrey A. Law changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |brian.carpenter at gmail dot com

--- Comment #4 from Jeffrey A. Law ---
*** Bug 67394 has been marked as a duplicate of this bug. ***
[Bug c++/70481] [Regression] Libiberty Demangler segfaults
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

Jeffrey A. Law changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |law at redhat dot com
         Resolution|---                         |FIXED

--- Comment #3 from Jeffrey A. Law ---
Fixed on the trunk.
[Bug c++/70481] [Regression] Libiberty Demangler segfaults
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

--- Comment #2 from Marcel Böhme ---
These are two distinct bugs. During fuzzing the btypevec bug appears more often. But it seemed less critical since only NULL is written to the freed memory:

    work -> btypevec[ret] = NULL;

On the other hand, the ktypevec bug allows to write arbitrary content to the freed memory:

    work -> ktypevec[work -> numk++] = tem;

where tem is "cafebabe."

I used a more efficient version of the AFL fuzzer.

Interestingly, I submitted the same patch: https://gcc.gnu.org/ml/gcc-patches/2016-03/msg01687.html
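The stale-size-after-free pattern that comment #2 and the 2016-03-31 ChangeLog entry (squangle_mop_up: zero bsize/ksize after freeing btypevec/ktypevec) describe, as an added example written for this page rather than libiberty's own code. It is a simplified model of a remembered-type vector in the shape of remember_Ktype: a grow-if-needed append keyed on a capacity field, and a mop-up routine that frees the array. The struct and function names (typevec, mop_up, remember, demo), the input strings, and the choice to NULL the pointer after free so that the inconsistent state is detected and reported instead of dereferenced are this example's own assumptions; the real bug is reached by fuzzed mangled names, not by the constructed calls below.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libiberty code: a model of the ktypevec/ksize/numk
   triple in cplus-dem.c's work_stuff.  Field names are this example's. */
struct typevec {
    char **vec;   /* heap array of owned strings */
    int size;     /* allocated capacity (the ksize analogue) */
    int num;      /* entries in use (the numk analogue) */
};

/* Free every entry, then the array.  fix_size selects whether the
   capacity is reset alongside the pointer.  fix_size == 0 models the
   pre-fix behaviour described in the thread: the buffer is freed but
   size still claims there is room, so the next remember() would skip
   the (re)allocation and index through a buffer that no longer exists. */
static void mop_up(struct typevec *w, int fix_size)
{
    for (int i = 0; i < w->num; i++)
        free(w->vec[i]);
    w->num = 0;
    free(w->vec);
    w->vec = NULL;   /* assumption of this model: pointer is nulled */
    if (fix_size)
        w->size = 0; /* the fix: capacity must go to zero with the buffer */
}

/* Grow-if-needed append in the shape of remember_Ktype.  Returns the
   index stored, or -1 when the bookkeeping is inconsistent (no buffer
   but nonzero capacity), which is the state that would otherwise turn
   into a write through a freed or NULL pointer. */
static int remember(struct typevec *w, const char *start, int len)
{
    if (w->vec == NULL && w->size != 0)
        return -1;                  /* stale size after free: refuse to write */
    if (w->num >= w->size) {
        if (w->size == 0) {
            w->size = 5;
            w->vec = malloc(sizeof(char *) * (size_t)w->size);
        } else {
            w->size *= 2;
            w->vec = realloc(w->vec, sizeof(char *) * (size_t)w->size);
        }
        if (w->vec == NULL)
            abort();
    }
    char *tem = malloc((size_t)len + 1);
    if (tem == NULL)
        abort();
    memcpy(tem, start, len);
    tem[len] = '\0';
    w->vec[w->num++] = tem;
    return w->num - 1;
}

/* Drive the sequence from the report: remember some types, mop up, then
   remember again on the same work struct.  Returns the result of the
   post-mop-up remember(): -1 exposes the stale-size state, >= 0 is the
   index of a fresh allocation.  Strings are constructed test input. */
int demo(int fix_size)
{
    struct typevec w = { NULL, 0, 0 };
    remember(&w, "cafebabe", 8);
    remember(&w, "deadbeef", 8);
    mop_up(&w, fix_size);
    int r = remember(&w, "cafebabe", 8);
    mop_up(&w, 1);               /* always clean up fully at the end */
    return r;
}

int main(void)
{
    printf("mop_up without size reset: %d\n", demo(0));
    printf("mop_up with size reset:    %d\n", demo(1));
    return 0;
}
```

The invariant worth checking after any such mop-up is (vec == NULL) == (size == 0); the refusal in remember() is a diagnostic stand-in for that check. In the real demangler there is no such guard, which is why the fuzzed input reached the write on the freed ktypevec that comment #2 quotes. Building with -fsanitize=address makes the genuine variant of this bug visible as a heap-use-after-free rather than a silent corruption.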
[Bug c++/70481] [Regression] Libiberty Demangler segfaults
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

Mikhail Maltsev changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |miyuki at gcc dot gnu.org

--- Comment #1 from Mikhail Maltsev ---
Likely a dup of PR67394