Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-16 Thread Jeff Law
On 05/16/2016 12:19 PM, Jakub Jelinek wrote: On Mon, May 16, 2016 at 12:12:38PM -0600, Jeff Law wrote: On 05/06/2016 09:19 AM, Jakub Jelinek wrote: On Fri, May 06, 2016 at 11:11:29PM +0800, Marcel Böhme wrote: + dpi.copy_templates += (struct d_print_template *) malloc (((size_t)

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-16 Thread Jakub Jelinek
On Mon, May 16, 2016 at 12:12:38PM -0600, Jeff Law wrote: > On 05/06/2016 09:19 AM, Jakub Jelinek wrote: > >On Fri, May 06, 2016 at 11:11:29PM +0800, Marcel Böhme wrote: > >>+ dpi.copy_templates > >>+= (struct d_print_template *) malloc (((size_t) dpi.num_copy_templates) > >>+

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-16 Thread Jeff Law
On 05/06/2016 09:19 AM, Jakub Jelinek wrote: On Fri, May 06, 2016 at 11:11:29PM +0800, Marcel Böhme wrote: + dpi.copy_templates += (struct d_print_template *) malloc (((size_t) dpi.num_copy_templates) + * sizeof (*dpi.copy_templates)); + if (!

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-06 Thread Marcel Böhme
Hi Ian, Stack overflows are a security concern and must be addressed. The Libiberty demangler is part of several tools, including binutils, gdb, valgrind, and many other libbfd-based tools that are used by the security community for the analysis of program binaries. Without a patch, the

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-06 Thread Ian Lance Taylor
On Fri, May 6, 2016 at 2:51 AM, Jakub Jelinek wrote: > > Anyway, perhaps I'm misremembering, if there is a mode that really can't > fail due to allocation failures or not, we need to deal with that. > Ian or Jason, can all the demangle users allocate heap memory or not? > And,

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-06 Thread Jakub Jelinek
On Sat, May 07, 2016 at 12:05:11AM +0800, Marcel Böhme wrote: > This patch also removes the following part of the comment for method > cplus_demangle_print_callback: > "It does not use heap memory to build an output string, so cannot encounter > memory allocation failure". But that exactly is

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-06 Thread Marcel Böhme
Hi, This patch also removes the following part of the comment for method cplus_demangle_print_callback: "It does not use heap memory to build an output string, so cannot encounter memory allocation failure". > On 6 May 2016, at 11:11 PM, Marcel Böhme wrote: > > >>

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-06 Thread Jakub Jelinek
On Fri, May 06, 2016 at 11:11:29PM +0800, Marcel Böhme wrote: > + dpi.copy_templates > += (struct d_print_template *) malloc (((size_t) dpi.num_copy_templates) > + * sizeof (*dpi.copy_templates)); > + if (! dpi.copy_templates) > +{ > +

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-06 Thread Marcel Böhme
> If one malloc succeeds and the other fails, you leak memory. > > Jakub Nice catch. Thanks! Bootstrapped and regression tested on x86_64-pc-linux-gnu. Best - Marcel Index: libiberty/ChangeLog === --- libiberty/ChangeLog

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-06 Thread Jakub Jelinek
On Fri, May 06, 2016 at 10:46:12PM +0800, Marcel Böhme wrote: >d_print_init (, callback, opaque, dc); > > - { > -#ifdef CP_DYNAMIC_ARRAYS > -__extension__ struct d_saved_scope scopes[dpi.num_saved_scopes]; > -__extension__ struct d_print_template temps[dpi.num_copy_templates]; > +

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-06 Thread Marcel Böhme
Hi Jakub, > On 6 May 2016, at 5:51 PM, Jakub Jelinek wrote: >> > > If you just want an array, restricting the size including the sizeof > to fit into int makes no sense, you want to guard it against overflows > during the multiplication. Okay, done. (Someone might want to

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-06 Thread Jakub Jelinek
On Fri, May 06, 2016 at 05:01:14PM +0800, Marcel Böhme wrote: > The patch that is attached now is bootstrapped and regression tested on > x86_64-pc-linux-gnu. > > > > > This file is used not just in the various tools like binutils or gdb, but > > also in libstdc++, where it used e.g. in the

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-06 Thread Marcel Böhme
Hi Jakub, The patch that is attached now is bootstrapped and regression tested on x86_64-pc-linux-gnu. > > This file is used not just in the various tools like binutils or gdb, but > also in libstdc++, where it used e.g. in the std::terminate handler, > which I think can't just xmalloc_failed,

Re: Fix for PR68159 in Libiberty Demangler (6)

2016-05-06 Thread Jakub Jelinek
On Fri, May 06, 2016 at 02:14:31PM +0800, Marcel Böhme wrote: > * the stack overflow reported in PR68159 in cplus_demangle_print_callback, > * a potential stack overflow in d_demangle_callback > * a potential stack overflow in is_ctor_or_dtor, and > * six potential buffer overflows (initialise

Fix for PR68159 in Libiberty Demangler (6)

2016-05-06 Thread Marcel Böhme
Hi, This patch fixes * the stack overflow reported in PR68159 in cplus_demangle_print_callback, * a potential stack overflow in d_demangle_callback * a potential stack overflow in is_ctor_or_dtor, and * six potential buffer overflows (initialise less memory than needed due to integer