Diffstat (limited to 'debian/patches/pr70909.diff')
-rw-r--r-- | debian/patches/pr70909.diff | 345 |
1 files changed, 345 insertions, 0 deletions
diff --git a/debian/patches/pr70909.diff b/debian/patches/pr70909.diff
new file mode 100644
index 0000000..a0448b5
--- /dev/null
+++ b/debian/patches/pr70909.diff
@@ -0,0 +1,345 @@ +# DP: Fix PR demangler/70909, libiberty Demangler segfaults. CVE-2016-4491. + +2017-03-08 Mark Wielaard <mark@klomp.org> + + PR demangler/70909 + PR demangler/67264 + * include/demangle.h: Add d_printing to struct demangle_component + and pass struct demangle_component as non const. + +libiberty/ + +2017-03-08 Mark Wielaard <mark@klomp.org> + + PR demangler/70909 + PR demangler/67264 + * cp-demangle.c: Fix endless recursion. Pass + struct demangle_component as non const. + (d_make_empty): Initialize variable. + (d_print_comp_inner): Limit recursion. + (d_print_comp): Decrement variable. + * cp-demint.c (cplus_demangle_fill_component): Initialize + variable. + (cplus_demangle_fill_builtin_type): Likewise. + (cplus_demangle_fill_operator): Likewise. + * testsuite/demangle-expected: Add tests. + + +Index: b/src/include/demangle.h +=================================================================== +--- a/src/include/demangle.h ++++ b/src/include/demangle.h +@@ -494,6 +494,11 @@ struct demangle_component + /* The type of this component. */ + enum demangle_component_type type; + ++ /* Guard against recursive component printing. ++ Initialize to zero. Private to d_print_comp. ++ All other fields are final after initialization. */ ++ int d_printing; ++ + union + { + /* For DEMANGLE_COMPONENT_NAME. 
*/ +@@ -688,7 +693,7 @@ cplus_demangle_v3_components (const char + + extern char * + cplus_demangle_print (int options, +- const struct demangle_component *tree, ++ struct demangle_component *tree, + int estimated_length, + size_t *p_allocated_size); + +@@ -708,7 +713,7 @@ cplus_demangle_print (int options, + + extern int + cplus_demangle_print_callback (int options, +- const struct demangle_component *tree, ++ struct demangle_component *tree, + demangle_callbackref callback, void *opaque); + + #ifdef __cplusplus +Index: b/src/libiberty/testsuite/demangle-expected +=================================================================== +--- a/src/libiberty/testsuite/demangle-expected ++++ b/src/libiberty/testsuite/demangle-expected +@@ -4666,3 +4666,34 @@ void eat<int*, Foo()::{lambda(auto:1*, a + + _Z3eatIPiZ3BarIsEvvEUlPsPT_PT0_E0_EvRS3_RS5_ + void eat<int*, void Bar<short>()::{lambda(short*, auto:1*, auto:2*)#2}>(int*&, void Bar<short>()::{lambda(short*, auto:1*, auto:2*)#2}&) ++ ++# ++# Test recursion PR67264 ++_Z1KIStcvT_E ++_Z1KIStcvT_E ++ ++_ZcvT_IIS0_EE ++_ZcvT_IIS0_EE ++ ++_ZcvT_IZcvT_E1fE ++_ZcvT_IZcvT_E1fE ++ ++_Z1gINcvT_EE ++_Z1gINcvT_EE ++ ++_ZcvT_ILZcvDTT_EEE ++_ZcvT_ILZcvDTT_EEE ++ ++_Z1gIJOOT_EEOT_c ++_Z1gIJOOT_EEOT_c ++ ++_Z1KMMMMMMMMMMMMMMMA_xooooooooooooooo ++_Z1KMMMMMMMMMMMMMMMA_xooooooooooooooo ++ ++_ZdvMMMMMMMMMMMMMrrrrA_DTdvfp_fp_Eededilfdfdfdfd ++_ZdvMMMMMMMMMMMMMrrrrA_DTdvfp_fp_Eededilfdfdfdfd ++# ++# Test for Infinite Recursion PR70909 ++ ++_Z1MA_aMMMMA_MMA_MMMMMMMMSt1MS_o11T0000000000t2M0oooozoooo ++_Z1MA_aMMMMA_MMA_MMMMMMMMSt1MS_o11T0000000000t2M0oooozoooo +Index: b/src/libiberty/cp-demint.c +=================================================================== +--- a/src/libiberty/cp-demint.c ++++ b/src/libiberty/cp-demint.c +@@ -123,6 +123,7 @@ cplus_demangle_fill_component (struct de + p->type = type; + p->u.s_binary.left = left; + p->u.s_binary.right = right; ++ p->d_printing = 0; + + return 1; + } +@@ -146,6 +147,7 @@ 
cplus_demangle_fill_builtin_type (struct + { + p->type = DEMANGLE_COMPONENT_BUILTIN_TYPE; + p->u.s_builtin.type = &cplus_demangle_builtin_types[i]; ++ p->d_printing = 0; + return 1; + } + } +@@ -172,6 +174,7 @@ cplus_demangle_fill_operator (struct dem + { + p->type = DEMANGLE_COMPONENT_OPERATOR; + p->u.s_operator.op = &cplus_demangle_operators[i]; ++ p->d_printing = 0; + return 1; + } + } +Index: b/src/libiberty/cp-demangle.c +=================================================================== +--- a/src/libiberty/cp-demangle.c ++++ b/src/libiberty/cp-demangle.c +@@ -173,10 +173,10 @@ static struct demangle_component *d_mang + static struct demangle_component *d_type (struct d_info *); + + #define cplus_demangle_print d_print +-static char *d_print (int, const struct demangle_component *, int, size_t *); ++static char *d_print (int, struct demangle_component *, int, size_t *); + + #define cplus_demangle_print_callback d_print_callback +-static int d_print_callback (int, const struct demangle_component *, ++static int d_print_callback (int, struct demangle_component *, + demangle_callbackref, void *); + + #define cplus_demangle_init_info d_init_info +@@ -265,7 +265,7 @@ struct d_print_mod + in which they appeared in the mangled string. */ + struct d_print_mod *next; + /* The modifier. */ +- const struct demangle_component *mod; ++ struct demangle_component *mod; + /* Whether this modifier was printed. */ + int printed; + /* The list of templates which applies to this modifier. 
*/ +@@ -531,7 +531,7 @@ static inline void d_append_string (stru + static inline char d_last_char (struct d_print_info *); + + static void +-d_print_comp (struct d_print_info *, int, const struct demangle_component *); ++d_print_comp (struct d_print_info *, int, struct demangle_component *); + + static void + d_print_java_identifier (struct d_print_info *, const char *, int); +@@ -540,25 +540,25 @@ static void + d_print_mod_list (struct d_print_info *, int, struct d_print_mod *, int); + + static void +-d_print_mod (struct d_print_info *, int, const struct demangle_component *); ++d_print_mod (struct d_print_info *, int, struct demangle_component *); + + static void + d_print_function_type (struct d_print_info *, int, +- const struct demangle_component *, ++ struct demangle_component *, + struct d_print_mod *); + + static void + d_print_array_type (struct d_print_info *, int, +- const struct demangle_component *, ++ struct demangle_component *, + struct d_print_mod *); + + static void +-d_print_expr_op (struct d_print_info *, int, const struct demangle_component *); ++d_print_expr_op (struct d_print_info *, int, struct demangle_component *); + + static void d_print_cast (struct d_print_info *, int, +- const struct demangle_component *); ++ struct demangle_component *); + static void d_print_conversion (struct d_print_info *, int, +- const struct demangle_component *); ++ struct demangle_component *); + + static int d_demangle_callback (const char *, int, + demangle_callbackref, void *); +@@ -924,6 +924,7 @@ d_make_empty (struct d_info *di) + if (di->next_comp >= di->num_comps) + return NULL; + p = &di->comps[di->next_comp]; ++ p->d_printing = 0; + ++di->next_comp; + return p; + } +@@ -4230,7 +4231,7 @@ d_last_char (struct d_print_info *dpi) + CP_STATIC_IF_GLIBCPP_V3 + int + cplus_demangle_print_callback (int options, +- const struct demangle_component *dc, ++ struct demangle_component *dc, + demangle_callbackref callback, void *opaque) + { + struct d_print_info dpi; 
+@@ -4273,7 +4274,7 @@ cplus_demangle_print_callback (int optio + + CP_STATIC_IF_GLIBCPP_V3 + char * +-cplus_demangle_print (int options, const struct demangle_component *dc, ++cplus_demangle_print (int options, struct demangle_component *dc, + int estimate, size_t *palc) + { + struct d_growable_string dgs; +@@ -4433,7 +4434,7 @@ d_args_length (struct d_print_info *dpi, + + static void + d_print_subexpr (struct d_print_info *dpi, int options, +- const struct demangle_component *dc) ++ struct demangle_component *dc) + { + int simple = 0; + if (dc->type == DEMANGLE_COMPONENT_NAME +@@ -4509,9 +4510,9 @@ d_get_saved_scope (struct d_print_info * + + static int + d_maybe_print_fold_expression (struct d_print_info *dpi, int options, +- const struct demangle_component *dc) ++ struct demangle_component *dc) + { +- const struct demangle_component *ops, *operator_, *op1, *op2; ++ struct demangle_component *ops, *operator_, *op1, *op2; + int save_idx; + + const char *fold_code = d_left (dc)->u.s_operator.op->code; +@@ -4572,11 +4573,11 @@ d_maybe_print_fold_expression (struct d_ + + static void + d_print_comp_inner (struct d_print_info *dpi, int options, +- const struct demangle_component *dc) ++ struct demangle_component *dc) + { + /* Magic variable to let reference smashing skip over the next modifier + without needing to modify *dc. */ +- const struct demangle_component *mod_inner = NULL; ++ struct demangle_component *mod_inner = NULL; + + /* Variable used to store the current templates while a previously + captured scope is used. */ +@@ -4961,7 +4962,7 @@ d_print_comp_inner (struct d_print_info + case DEMANGLE_COMPONENT_RVALUE_REFERENCE: + { + /* Handle reference smashing: & + && = &. 
*/ +- const struct demangle_component *sub = d_left (dc); ++ struct demangle_component *sub = d_left (dc); + if (!dpi->is_lambda_arg + && sub->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM) + { +@@ -5664,9 +5665,16 @@ d_print_comp_inner (struct d_print_info + + static void + d_print_comp (struct d_print_info *dpi, int options, +- const struct demangle_component *dc) ++ struct demangle_component *dc) + { + struct d_component_stack self; ++ if (dc == NULL || dc->d_printing > 1) ++ { ++ d_print_error (dpi); ++ return; ++ } ++ else ++ dc->d_printing++; + + self.dc = dc; + self.parent = dpi->component_stack; +@@ -5675,6 +5683,7 @@ d_print_comp (struct d_print_info *dpi, + d_print_comp_inner (dpi, options, dc); + + dpi->component_stack = self.parent; ++ dc->d_printing--; + } + + /* Print a Java dentifier. For Java we try to handle encoded extended +@@ -5816,7 +5825,7 @@ d_print_mod_list (struct d_print_info *d + + static void + d_print_mod (struct d_print_info *dpi, int options, +- const struct demangle_component *mod) ++ struct demangle_component *mod) + { + switch (mod->type) + { +@@ -5908,7 +5917,7 @@ d_print_mod (struct d_print_info *dpi, i + + static void + d_print_function_type (struct d_print_info *dpi, int options, +- const struct demangle_component *dc, ++ struct demangle_component *dc, + struct d_print_mod *mods) + { + int need_paren; +@@ -5986,7 +5995,7 @@ d_print_function_type (struct d_print_in + + static void + d_print_array_type (struct d_print_info *dpi, int options, +- const struct demangle_component *dc, ++ struct demangle_component *dc, + struct d_print_mod *mods) + { + int need_space; +@@ -6040,7 +6049,7 @@ d_print_array_type (struct d_print_info + + static void + d_print_expr_op (struct d_print_info *dpi, int options, +- const struct demangle_component *dc) ++ struct demangle_component *dc) + { + if (dc->type == DEMANGLE_COMPONENT_OPERATOR) + d_append_buffer (dpi, dc->u.s_operator.op->name, +@@ -6053,7 +6062,7 @@ d_print_expr_op (struct d_print_info *dp 
+ + static void + d_print_cast (struct d_print_info *dpi, int options, +- const struct demangle_component *dc) ++ struct demangle_component *dc) + { + d_print_comp (dpi, options, d_left (dc)); + } +@@ -6062,7 +6071,7 @@ d_print_cast (struct d_print_info *dpi, + + static void + d_print_conversion (struct d_print_info *dpi, int options, +- const struct demangle_component *dc) ++ struct demangle_component *dc) + { + struct d_print_template dpt; + |
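Review bot: The new guard in d_print_comp (`if (dc == NULL || dc->d_printing > 1)`) relies on d_printing being zero on every component, but the patch only initializes it in d_make_empty and in the three cp-demint.c fill functions; the other public constructors in cp-demangle.c that write p->type directly (cplus_demangle_fill_name, cplus_demangle_fill_extended_operator, cplus_demangle_fill_ctor, cplus_demangle_fill_dtor) are not touched by any hunk here, so a component built through them by an external caller of cplus_demangle_print would, if they bypass d_make_empty, carry an uninitialized d_printing and the check could fire spuriously or fail to bound the recursion it exists to stop. Those functions are outside this patch so I cannot confirm their bodies; if they do not go through d_make_empty, each should set `p->d_printing = 0;` next to the p->type assignment, exactly as the cplus_demangle_fill_component hunk does. The added demangle-expected cases only exercise parser-built trees, which all pass through d_make_empty, so they would not detect this gap. It would also help to note in the DP header that dropping const from the include/demangle.h prototypes is a public API change, so downstream callers passing a `const struct demangle_component *` to cplus_demangle_print now get a discarded-qualifier warning.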