[PATCH] demangler, only access valid fields for DEMANGLE_COMPONENT_FIXED_TYPE.

[Andrew Burgess <aburgess@broadcom.com>]

In two places when a struct demangle_component is of type
DEMANGLE_COMPONENT_FIXED_TYPE we fall back to accessing the default
s_binary member of the union rather than the s_fixed member.  This is
incorrect and can cause the demangler to crash.

In d_dump I've changed the code to only access the s_fixed member of the
union, and also added printing of the remaining parts of the s_fixed
struct, this felt like the most useful thing to do.

I've added a new test, this causes a SIGSEGV for me before the patch, and
is fine afterwords, however, this undefined, so might not cause a crash on
all platforms.

If this is approved then please could someone commit it for me, I don't
have gcc write access.

Thanks,
Andrew




libiberty/ChangeLog:

	* cp-demangle.c (d_dump): Only access field from s_fixed part of
	the union for DEMANGLE_COMPONENT_FIXED_TYPE.
	(d_count_templates_scopes): Likewise.
	* testsuite/demangle-expected: New test case.
---
 libiberty/cp-demangle.c               | 10 +++++++++-
 libiberty/testsuite/demangle-expected |  6 ++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
index 68d8ee1..a31dad4 100644
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -710,7 +710,9 @@ d_dump (struct demangle_component *dc, int indent)
       printf ("pointer to member type\n");
       break;
     case DEMANGLE_COMPONENT_FIXED_TYPE:
-      printf ("fixed-point type\n");
+      printf ("fixed-point type, accum? %d, sat? %d\n",
+              dc->u.s_fixed.accum, dc->u.s_fixed.sat);
+      d_dump (dc->u.s_fixed.length, indent + 2)
       break;
     case DEMANGLE_COMPONENT_ARGLIST:
       printf ("argument list\n");
@@ -3869,7 +3871,13 @@ d_count_templates_scopes (int *num_templates, int *num_scopes,
     case DEMANGLE_COMPONENT_FUNCTION_TYPE:
     case DEMANGLE_COMPONENT_ARRAY_TYPE:
     case DEMANGLE_COMPONENT_PTRMEM_TYPE:
+      goto recurse_left_right;
+
     case DEMANGLE_COMPONENT_FIXED_TYPE:
+      d_count_templates_scopes (num_templates, num_scopes,
+                                dc->u.s_fixed.length);
+      break;
+
     case DEMANGLE_COMPONENT_VECTOR_TYPE:
     case DEMANGLE_COMPONENT_ARGLIST:
     case DEMANGLE_COMPONENT_TEMPLATE_ARGLIST:
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
index 453f9a3..0e2bb12 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -4343,3 +4343,9 @@ cereal::detail::InputBindingMap<cereal::JSONInputArchive>::Serializers cereal::p
 --format=gnu-v3
 _ZNSt9_Any_data9_M_accessIPZ4postISt8functionIFvvEEEvOT_EUlvE_EERS5_v
 void post<std::function<void ()> >(std::function<void ()>&&)::{lambda()#1}*& std::_Any_data::_M_access<void post<std::function<void ()> >(void post<std::function<void ()> >(std::function<void ()>&&)::{lambda()#1}*&&)::{lambda()#1}*>()
+# The following input symbol was found during random, it caused a fault
+# within the demangler, it's not a symbol we'd expect in the real world.
+--format=auto --no-params
+_Z3xxxDFyuVb
+xxx(unsigned long long _Fract, bool volatile)
+xxx
-- 
1.8.1.3