Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm
Sender: gdb-patches-owner@sourceware.org
From: Andrew Burgess
To:
CC: , Andrew Burgess
Subject: [PATCH] demangler, only access valid fields for DEMANGLE_COMPONENT_FIXED_TYPE.
Date: Wed, 28 May 2014 20:38:00 -0000
Message-ID: <1401309510-10507-1-git-send-email-aburgess@broadcom.com>

In two places when a struct demangle_component is of type DEMANGLE_COMPONENT_FIXED_TYPE we fall back to accessing the default s_binary member of the union rather than the s_fixed member. This is incorrect and can cause the demangler to crash.

In d_dump I've changed the code to only access the s_fixed member of the union, and also added printing of the remaining parts of the s_fixed struct, this felt like the most useful thing to do.

I've added a new test, this causes a SIGSEGV for me before the patch, and is fine afterwards, however, this is undefined, so might not cause a crash on all platforms.

If this is approved then please could someone commit it for me, I don't have gcc write access.

Thanks,
Andrew

libiberty/ChangeLog:

	* cp-demangle.c (d_dump): Only access field from s_fixed part of the union for DEMANGLE_COMPONENT_FIXED_TYPE.
	(d_count_templates_scopes): Likewise.
	* testsuite/demangle-expected: New test case.

--- libiberty/cp-demangle.c | 10 +++++++++- libiberty/testsuite/demangle-expected | 6 ++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c index 68d8ee1..a31dad4 100644 --- a/libiberty/cp-demangle.c +++ b/libiberty/cp-demangle.c @@ -710,7 +710,9 @@ d_dump (struct demangle_component *dc, int indent) printf ("pointer to member type\n"); break; case DEMANGLE_COMPONENT_FIXED_TYPE: - printf ("fixed-point type\n"); + printf ("fixed-point type, accum? %d, sat? %d\n", + dc->u.s_fixed.accum, dc->u.s_fixed.sat); + d_dump (dc->u.s_fixed.length, indent + 2) break; case DEMANGLE_COMPONENT_ARGLIST: printf ("argument list\n"); 
@@ -3869,7 +3871,13 @@ d_count_templates_scopes (int *num_templates, int *num_scopes, case DEMANGLE_COMPONENT_FUNCTION_TYPE: case DEMANGLE_COMPONENT_ARRAY_TYPE: case DEMANGLE_COMPONENT_PTRMEM_TYPE: + goto recurse_left_right; + case DEMANGLE_COMPONENT_FIXED_TYPE: + d_count_templates_scopes (num_templates, num_scopes, + dc->u.s_fixed.length); + break; + case DEMANGLE_COMPONENT_VECTOR_TYPE: case DEMANGLE_COMPONENT_ARGLIST: case DEMANGLE_COMPONENT_TEMPLATE_ARGLIST: diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected index 453f9a3..0e2bb12 100644 --- a/libiberty/testsuite/demangle-expected +++ b/libiberty/testsuite/demangle-expected @@ -4343,3 +4343,9 @@ cereal::detail::InputBindingMap::Serializers cereal::p --format=gnu-v3 _ZNSt9_Any_data9_M_accessIPZ4postISt8functionIFvvEEEvOT_EUlvE_EERS5_v void post >(std::function&&)::{lambda()#1}*& std::_Any_data::_M_access >(void post >(std::function&&)::{lambda()#1}*&&)::{lambda()#1}*>() +# The following input symbol was found during random, it caused a fault +# within the demangler, it's not a symbol we'd expect in the real world. +--format=auto --no-params +_Z3xxxDFyuVb +xxx(unsigned long long _Fract, bool volatile) +xxx -- 1.8.1.3
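
Review bot: in the d_dump hunk (cp-demangle.c, @@ -710), the added line 'd_dump (dc->u.s_fixed.length, indent + 2)' has no terminating semicolon before 'break;', so the file will not compile as posted; add the ';'. The case also still ends in 'break;', the same as the binary 'pointer to member type' case just above it. If the code after the switch goes on to dump the s_binary left and right children, the fixed-type node will still be read through the wrong union member there, and this case should end in 'return;' instead.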
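
Review bot: in the d_count_templates_scopes hunk (cp-demangle.c, @@ -3869), 'goto recurse_left_right;' jumps to a label that none of the posted hunks add, and the diffstat's insertions are all accounted for by the lines shown. Please confirm the label already exists in this function, otherwise the build breaks. Moving the new DEMANGLE_COMPONENT_FIXED_TYPE case above or below the existing fall-through group would avoid the goto and leave the FUNCTION_TYPE, ARRAY_TYPE and PTRMEM_TYPE cases falling through as before.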
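
Review bot: in the demangle-expected hunk (@@ -4343), the comment 'found during random' is missing its noun; say what produced the input (for example 'random testing'). Since the commit message states the fault is undefined behaviour and may not crash on every platform, it would help to say in the comment that the test can pass on an unpatched tree on some hosts, so a passing result is not read as proof that the fix is present.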
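
The union misuse described in the commit message, as an added illustration that is not part of the posted patch or of libiberty. `struct comp` is a simplified, assumed stand-in for `struct demangle_component`; `bogus_right`, `count_nodes` and the sample nodes are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct demangle_component (assumed layout).  */
enum kind { K_NAME, K_BINARY, K_FIXED_TYPE };
struct comp {
  enum kind type;
  union {
    struct { struct comp *left, *right; } s_binary;
    struct { struct comp *length; short accum, sat; } s_fixed;
  } u;
};

/* Constructed sample: binary (fixed (length = name, accum = 1, sat = 1), name).  */
struct comp name_a = { K_NAME, { { NULL, NULL } } };
struct comp name_b = { K_NAME, { { NULL, NULL } } };
struct comp fixed_node = { K_FIXED_TYPE, { .s_fixed = { &name_a, 1, 1 } } };
struct comp root = { K_BINARY, { .s_binary = { &fixed_node, &name_b } } };

/* Bytes a walker would load as the "right" child if it read s_binary on a
   fixed-type node.  memcpy copies them without dereferencing anything.  */
uintptr_t bogus_right (const struct comp *dc)
{
  uintptr_t bits = 0;
  memcpy (&bits, &dc->u.s_binary.right, sizeof bits);
  return bits;
}

/* Tag-driven walk: a fixed-type node has one child, s_fixed.length.  */
int count_nodes (const struct comp *dc)
{
  if (dc == NULL)
    return 0;
  switch (dc->type)
    {
    case K_BINARY:
      return 1 + count_nodes (dc->u.s_binary.left)
	     + count_nodes (dc->u.s_binary.right);
    case K_FIXED_TYPE:
      return 1 + count_nodes (dc->u.s_fixed.length);
    default:
      return 1;
    }
}

int main (void)
{
  printf ("nodes=%d, accum/sat bytes read as a pointer=%#lx\n",
	  count_nodes (&root), (unsigned long) bogus_right (&fixed_node));
  return 0;
}
```

With both flags zero the overlapping bytes can read as a null child, which is one reason the wrong access does not fault on every input.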