[Bug c++/70481] [Regression] Libiberty Demangler segfaults

2016-05-19 Thread jakub at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

--- Comment #6 from Jakub Jelinek  ---
Author: jakub
Date: Thu May 19 12:05:41 2016
New Revision: 236456

URL: https://gcc.gnu.org/viewcvs?rev=236456&root=gcc&view=rev
Log:
Backported from mainline
2016-05-19  Jakub Jelinek  

PR c++/70498
* cp-demangle.c (d_expression_1): Formatting fix.

2016-05-02  Marcel Böhme  

PR c++/70498
* cp-demangle.c: Parse numbers as integer instead of long to avoid
overflow after sanity checks. Include <limits.h> if available.
(INT_MAX): Define if necessary.
(d_make_template_param): Takes integer argument instead of long.
(d_make_function_param): Likewise.
(d_append_num): Likewise.
(d_identifier): Likewise.
(d_number): Parse as and return integer.
(d_compact_number): Handle overflow.
(d_source_name): Change variable type to integer for parsed number.
(d_java_resource): Likewise.
(d_special_name): Likewise.
(d_discriminator): Likewise.
(d_unnamed_type): Likewise.
* testsuite/demangle-expected: Add regression test cases.

2016-04-08  Marcel Böhme  

PR c++/69687
* cplus-dem.c: Include <limits.h> if available.
(INT_MAX): Define if necessary.
(remember_type, remember_Ktype, register_Btype, string_need):
Abort if we detect cases where the size of the allocation would
overflow.

PR c++/70492
* cplus-dem.c (gnu_special): Handle case where consume_count returns
-1.

2016-03-31  Mikhail Maltsev  
Marcel Bohme  

PR c++/67394
PR c++/70481
* cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing
btypevec/ktypevec.
* testsuite/demangle-expected: Add coverage tests.

Modified:
branches/gcc-4_9-branch/libiberty/ChangeLog
branches/gcc-4_9-branch/libiberty/cp-demangle.c
branches/gcc-4_9-branch/libiberty/cplus-dem.c
branches/gcc-4_9-branch/libiberty/testsuite/demangle-expected

[Bug c++/70481] [Regression] Libiberty Demangler segfaults

2016-05-19 Thread jakub at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

--- Comment #5 from Jakub Jelinek  ---
Author: jakub
Date: Thu May 19 10:44:31 2016
New Revision: 236452

URL: https://gcc.gnu.org/viewcvs?rev=236452&root=gcc&view=rev
Log:
Backported from mainline
2016-05-19  Jakub Jelinek  

PR c++/70498
* cp-demangle.c (d_expression_1): Formatting fix.

2016-05-02  Marcel Böhme  

PR c++/70498
* cp-demangle.c: Parse numbers as integer instead of long to avoid
overflow after sanity checks. Include <limits.h> if available.
(INT_MAX): Define if necessary.
(d_make_template_param): Takes integer argument instead of long.
(d_make_function_param): Likewise.
(d_append_num): Likewise.
(d_identifier): Likewise.
(d_number): Parse as and return integer.
(d_compact_number): Handle overflow.
(d_source_name): Change variable type to integer for parsed number.
(d_java_resource): Likewise.
(d_special_name): Likewise.
(d_discriminator): Likewise.
(d_unnamed_type): Likewise.
* testsuite/demangle-expected: Add regression test cases.

2016-04-08  Marcel Böhme  

PR c++/69687
* cplus-dem.c: Include <limits.h> if available.
(INT_MAX): Define if necessary.
(remember_type, remember_Ktype, register_Btype, string_need):
Abort if we detect cases where the size of the allocation would
overflow.

PR c++/70492
* cplus-dem.c (gnu_special): Handle case where consume_count returns
-1.

2016-03-31  Mikhail Maltsev  
Marcel Bohme  

PR c++/67394
PR c++/70481
* cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing
btypevec/ktypevec.
* testsuite/demangle-expected: Add coverage tests.

Modified:
branches/gcc-5-branch/libiberty/ChangeLog
branches/gcc-5-branch/libiberty/cp-demangle.c
branches/gcc-5-branch/libiberty/cplus-dem.c
branches/gcc-5-branch/libiberty/testsuite/demangle-expected
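
The two backport ChangeLogs above (r236452 and r236456) describe the PR c++/70498 change in one line each: parse numbers as int rather than long so nothing overflows after the sanity checks, and make d_compact_number handle overflow. The C below is an added example and not cp-demangle.c's code; the function names and the string wrapper are my own. It shows the shape of that fix: a <number> parser that accumulates in int and checks INT_MAX at every digit, a <compact-number> parser that refuses to add one to INT_MAX, and, for contrast, a parse-wide-then-narrow version whose sign check passes a value that is then truncated. The grammar used is the Itanium C++ ABI's <number> ::= [n] <decimal digits> and <compact-number> ::= _ | <number> _, which is what d_number and d_compact_number consume.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libiberty code. Bounded <number> parser: an optional
 * 'n' marks a negative value, then one or more decimal digits. The value
 * never leaves int, so whatever the caller later compares against an int
 * limit is exactly the value that gets stored. Returns 1 and advances *p
 * on success, 0 on overflow or when no digit is present. */
static int parse_number(const char **p, const char *end, int *out)
{
    const char *s = *p;
    int neg = 0, v = 0;

    if (s < end && *s == 'n') { neg = 1; s++; }
    if (s >= end || *s < '0' || *s > '9')
        return 0;
    while (s < end && *s >= '0' && *s <= '9') {
        int d = *s - '0';
        if (v > (INT_MAX - d) / 10)
            return 0;                     /* v * 10 + d would overflow int */
        v = v * 10 + d;
        s++;
    }
    *p = s;
    *out = neg ? -v : v;
    return 1;
}

/* <compact-number> ::= '_' (meaning 0) | <number> '_' (meaning number + 1).
 * The "+ 1" is an overflow that happens after the number itself was
 * validated: a parsed INT_MAX is a legal <number>, INT_MAX + 1 is not.
 * Returns the value, or -1 on any error. */
static int parse_compact_number(const char **p, const char *end)
{
    const char *s = *p;
    int num;

    if (s < end && *s == '_') {
        num = 0;
    } else {
        if (s < end && *s == 'n')
            return -1;                    /* negative is not allowed here */
        if (!parse_number(&s, end, &num) || num == INT_MAX)
            return -1;                    /* num + 1 is not representable */
        num++;
    }
    if (s >= end || *s != '_')
        return -1;
    *p = s + 1;
    return num;
}

/* Contrast, constructed to show the hazard the ChangeLog names: accumulate
 * in a wider long, sanity-check the sign, then narrow to int. On an LP64
 * target "4294967296" passes the check and narrows to 0, and "2147483648"
 * narrows to a negative value. The long itself is guarded; the narrowing
 * is the problem. */
static int parse_long_then_narrow(const char *s, const char *end, int *out)
{
    long v = 0;
    if (s >= end || *s < '0' || *s > '9')
        return 0;
    while (s < end && *s >= '0' && *s <= '9') {
        int d = *s - '0';
        if (v > (LONG_MAX - d) / 10)
            return 0;
        v = v * 10 + d;
        s++;
    }
    if (v < 0)
        return 0;                         /* the sanity check */
    *out = (int)v;                        /* narrowing: value may be truncated */
    return 1;
}

/* Convenience wrapper over a NUL-terminated string. */
static int compact_from_str(const char *s)
{
    const char *p = s;
    return parse_compact_number(&p, s + strlen(s));
}

int main(void)
{
    const char *inputs[] = { "_", "12_", "2147483646_", "2147483647_", "n5_" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-12s -> %d\n", inputs[i], compact_from_str(inputs[i]));
    return 0;
}
```

The check `v > (INT_MAX - d) / 10` is the portable way to reject the next digit before the multiply-add is performed; testing `v * 10 + d < 0` afterwards relies on signed overflow, which is undefined behaviour in C and is exactly what an optimizing compiler may delete.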

[Bug c++/70481] [Regression] Libiberty Demangler segfaults

2016-03-31 Thread law at redhat dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

Jeffrey A. Law  changed:

   What|Removed |Added

 CC||brian.carpenter at gmail dot com

--- Comment #4 from Jeffrey A. Law  ---
*** Bug 67394 has been marked as a duplicate of this bug. ***

[Bug c++/70481] [Regression] Libiberty Demangler segfaults

2016-03-31 Thread law at redhat dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

Jeffrey A. Law  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 CC||law at redhat dot com
 Resolution|--- |FIXED

--- Comment #3 from Jeffrey A. Law  ---
Fixed on the trunk.

[Bug c++/70481] [Regression] Libiberty Demangler segfaults

2016-03-31 Thread boehme.marcel at gmail dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

--- Comment #2 from Marcel Böhme  ---
These are two distinct bugs. During fuzzing the btypevec bug appears more
often. But it seemed less critical since only NULL is written to the freed
memory:
work -> btypevec[ret] = NULL;

On the other hand, the ktypevec bug allows writing arbitrary content to the
freed memory:
work -> ktypevec[work -> numk++] = tem;
where tem is "cafebabe."

I used a more efficient version of the AFL fuzzer. Interestingly, I submitted
the same patch: https://gcc.gnu.org/ml/gcc-patches/2016-03/msg01687.html
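
Comment #2 above names the two writes into released memory, `work -> btypevec[ret] = NULL` and `work -> ktypevec[work -> numk++] = tem`, and the r236452/r236456 ChangeLog entries give the fix for PR 70481: zero bsize/ksize after freeing btypevec/ktypevec. The C below is an added, cut-down stand-in for that state and is not cplus-dem.c's code; the struct and function names are hypothetical. It shows why the capacity counter matters: an append path that grows the vector only when `num >= size` trusts a stale `size` once the buffer is gone. This stand-in nulls the pointer when it releases the buffer, so a post-mop-up append would fault through a null pointer; a pointer left dangling instead would put the write into freed memory, as the comment describes. The growth path also refuses capacities whose byte count would overflow, in the spirit of the PR c++/69687 entry for remember_Ktype and friends (which aborts rather than returning an error).

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not cplus-dem.c's code: a cut-down stand-in for the
 * remembered-type vector (ktypevec / ksize / numk) in struct work_stuff.
 * Struct and function names are hypothetical. */
struct ktypes {
    char **vec;   /* remembered type strings, malloc'd copies */
    int    size;  /* capacity of vec, in entries */
    int    num;   /* entries in use */
};

/* Append a copy of s, growing vec only when num has reached size.
 * Returns 0 on success, -1 on allocation failure or size overflow. */
static int remember_type(struct ktypes *w, const char *s)
{
    if (w->num >= w->size) {
        if (w->size > INT_MAX / 2)
            return -1;                            /* size * 2 would overflow int */
        int nsize = (w->size == 0) ? 5 : w->size * 2;
        if ((size_t)nsize > SIZE_MAX / sizeof(char *))
            return -1;                            /* nsize * sizeof(char *) would overflow */
        char **nv = realloc(w->vec, (size_t)nsize * sizeof *nv);
        if (nv == NULL)
            return -1;
        w->vec = nv;
        w->size = nsize;
    }
    size_t len = strlen(s) + 1;
    char *tem = malloc(len);
    if (tem == NULL)
        return -1;
    memcpy(tem, s, len);
    w->vec[w->num++] = tem;                       /* the write quoted in comment #2 */
    return 0;
}

/* Release the remembered strings but keep the vector itself. */
static void forget_types(struct ktypes *w)
{
    for (int i = 0; i < w->num; i++)
        free(w->vec[i]);
    w->num = 0;
}

/* Pre-fix shape: the buffer goes away but size keeps its old value, so the
 * next remember_type() sees num (0) < size, skips the growth path and
 * writes vec[0] through a pointer that owns no memory. */
static void mop_up_buggy(struct ktypes *w)
{
    forget_types(w);
    free(w->vec);
    w->vec = NULL;
}

/* Post-fix shape (zero ksize after freeing ktypevec): the capacity is reset
 * together with the pointer, so the next append reallocates first. */
static void mop_up_fixed(struct ktypes *w)
{
    forget_types(w);
    free(w->vec);
    w->vec = NULL;
    w->size = 0;
}

/* Invariant worth asserting between demangler runs: there is capacity
 * exactly when there is a buffer, and num never exceeds that capacity. */
static int state_consistent(const struct ktypes *w)
{
    return ((w->vec == NULL) == (w->size == 0)) && w->num <= w->size;
}

int main(void)
{
    struct ktypes w = {0};
    if (remember_type(&w, "cafebabe") != 0)
        return 1;
    mop_up_fixed(&w);
    return state_consistent(&w) ? 0 : 1;
}
```

A fuzzing harness that demangles many inputs through one work_stuff is exactly the caller that trips this: every run after the first starts from the stale capacity, which is why the comment reports the btypevec variant showing up so often under AFL.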

[Bug c++/70481] [Regression] Libiberty Demangler segfaults

2016-03-31 Thread miyuki at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

Mikhail Maltsev  changed:

   What|Removed |Added

 CC||miyuki at gcc dot gnu.org

--- Comment #1 from Mikhail Maltsev  ---
Likely a dup of PR67394