https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675
Bug ID: 87675
Summary: Stack Overflow in function next_is_type_qual() in cp-demangle.c, as demonstrated by "nm -C"
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: N1705695H at e dot ntu.edu.sg
Target Milestone: ---

Created attachment 44874 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44874&action=edit
POC

An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: next_is_type_qual() and cplus_demangle_type().

Please use "./nm -C $POC" to reproduce the bug. This result can trigger different stack overflows; you can try several times.

To reproduce this bug, you need to build binutils-2.31 with ASAN. Here is the compile option. Another approach is to set a breakpoint and debug it, as the stack overflow didn't crash the program.

> CC=clang LDFLAGS="-ldl" CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all
> -fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error"
> ./configure --disable-shared --disable-gdb --disable-libdecnumber
> --disable-sim

The ASAN dumps the stack trace as follows:

> ASAN:DEADLYSIGNAL
> =================================================================
> ==9864==ERROR: AddressSanitizer: stack-overflow on address 0x7fff9e5c9f58 (pc
> 0x0000009684ac bp 0x000000000000 sp 0x7fff9e5c9f58 T0)
>     #0 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #1 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #2 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #3 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #4 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #5 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #6 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #7 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #8 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #9 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #10 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #11 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #12 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #13 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #14 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #15 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #16 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #17 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #18 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #19 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #20 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #21 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     ...
>     # 0xc5800000c22 (<unknown module>)
> SUMMARY: AddressSanitizer: stack-overflow cp-demangle.c:2290 in
> next_is_type_qual
> ==9864==ABORTING
> 00000000 AAborted
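Added example (not code from this report or from libiberty): a small C model of the mutually recursive pair named in the trace, with a depth counter so that input made of nothing but CV qualifiers is rejected instead of exhausting the stack. The names demangle_type, demangle_type_qual, parse_mangled_type and the limit MAX_TYPE_DEPTH are assumptions of this example; the qualifier codes r, V and K are the Itanium ABI encodings of restrict, volatile and const.

```c
#include <stddef.h>

/* Illustrative recursion budget for this example; libiberty's own counter
   and limit are not taken from the report above. */
#define MAX_TYPE_DEPTH 64

struct demangle_info {
    const char *p;  /* current position in the mangled string */
    int depth;      /* nesting level of type parsing, checked on every entry */
};

static int demangle_type(struct demangle_info *di);

/* Plays the role of next_is_type_qual(): consume one CV qualifier
   (r, V or K) and parse the type it qualifies, which recurses. */
static int demangle_type_qual(struct demangle_info *di)
{
    char c = *di->p;
    if (c != 'r' && c != 'V' && c != 'K')
        return 0;
    di->p++;
    return demangle_type(di);
}

/* Plays the role of cplus_demangle_type(): a type is either a builtin code
   or a qualifier followed by another type. Every call checks and bumps the
   depth, so a long run of qualifiers fails cleanly at MAX_TYPE_DEPTH. */
static int demangle_type(struct demangle_info *di)
{
    int ok;
    if (di->depth >= MAX_TYPE_DEPTH)
        return 0;                       /* too deep: report failure, not a crash */
    di->depth++;
    switch (*di->p) {
    case 'i': case 'c': case 'v':       /* int, char, void */
        di->p++;
        ok = 1;
        break;
    case 'r': case 'V': case 'K':
        ok = demangle_type_qual(di);
        break;
    default:
        ok = 0;                         /* unexpected byte or end of input */
    }
    di->depth--;
    return ok;
}

/* Parse a whole mangled type; 1 on success, 0 on malformed input or when
   the nesting budget is exceeded. */
int parse_mangled_type(const char *mangled)
{
    struct demangle_info di = { mangled, 0 };
    return demangle_type(&di) && *di.p == '\0';
}
```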