https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103893
Bug ID: 103893
Summary: ada demangler heap overflow
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: amodra at gmail dot com
Target Milestone: ---

From https://sourceware.org/bugzilla/show_bug.cgi?id=28736

valgrind c++filt -s gnat vfffffSO__fffSO

==1573233== Invalid write of size 1
==1573233==    at 0x4848DCC: strcpy (vg_replace_strmem.c:523)
==1573233==    by 0x72688C: ada_demangle (cplus-dem.c:338)
==1573233==    by 0x726ABA: cplus_demangle (cplus-dem.c:187)
==1573233==    by 0x4038E8: demangle_it (cxxfilt.c:66)
==1573233==    by 0x403AEC: main (cxxfilt.c:203)
==1573233==  Address 0x4a60057 is 0 bytes after a block of size 23 alloc'd
==1573233==    at 0x4842839: malloc (vg_replace_malloc.c:380)
==1573233==    by 0x737A6B: xmalloc (xmalloc.c:147)
==1573233==    by 0x726617: ada_demangle (cplus-dem.c:223)
==1573233==    by 0x726ABA: cplus_demangle (cplus-dem.c:187)
==1573233==    by 0x4038E8: demangle_it (cxxfilt.c:66)
==1573233==    by 0x403AEC: main (cxxfilt.c:203)

The following comment in cplus-dem.c:ada_demangle is false for fuzzed input, specifically the part that says "they occur only once".

  /* Most of the demangling will trivially remove chars.  Operator names may
     add one char but because they are always preceeded by '__' which is
     replaced by '.', they eventually never expand the size.
     A few special names such as '___elabs' add a few chars (at most 7), but
     they occur only once.  */
  len0 = strlen (mangled) + 7 + 1;
  demangled = XNEWVEC (char, len0);
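To illustrate the sizing mistake the report describes, here is an added C example (not code from the bug report or from libiberty): it places the fixed "strlen + 7 + 1" estimate beside a bound computed from the number of expansions the input actually contains, and performs the rewrite with range-checked writes. The special name and its expansion are hypothetical stand-ins; the real ada_demangle rewriting rules are not reproduced.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one Ada "special name" and its expansion; the
   real ada_demangle rewriting rules are not reproduced, only the sizing. */
#define SPECIAL   "___elabs"
#define EXPANSION ".Elaborate_Spec"   /* constructed: 7 bytes longer than SPECIAL */
#define GROWTH    (sizeof (EXPANSION) - sizeof (SPECIAL))

/* Number of times the special name occurs in the input. */
static size_t count_special (const char *s)
{
  size_t n = 0;
  for (const char *p = strstr (s, SPECIAL); p; p = strstr (p + strlen (SPECIAL), SPECIAL))
    n++;
  return n;
}

/* The cplus-dem.c estimate: a fixed 7-byte slack, valid only if the
   special name occurs at most once. */
size_t fixed_estimate (const char *mangled) { return strlen (mangled) + 7 + 1; }

/* Exact bound derived from how many expansions the input actually contains. */
size_t exact_bound (const char *mangled)
{
  return strlen (mangled) + count_special (mangled) * GROWTH + 1;
}

/* Expand every SPECIAL into a buffer sized by exact_bound(); each write is also
   range-checked so a wrong bound fails closed.  Returns malloc'd string or NULL. */
char *expand_specials (const char *mangled)
{
  size_t cap = exact_bound (mangled), used = 0;
  char *out = malloc (cap);
  if (!out) return NULL;
  for (const char *p = mangled; *p;)
    {
      const char *piece = p;
      size_t len = 1;
      if (strncmp (p, SPECIAL, strlen (SPECIAL)) == 0)
        { piece = EXPANSION; len = strlen (EXPANSION); p += strlen (SPECIAL); }
      else
        p++;
      if (used + len + 1 > cap)        /* would overflow: refuse, do not write */
        { free (out); return NULL; }
      memcpy (out + used, piece, len);
      used += len;
    }
  out[used] = '\0';
  return out;
}
```

With one occurrence the two bounds agree; with two the fixed estimate is already 7 bytes short, which is the shape of the overflow valgrind reports.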