This is an archive of the discontinued LLVM Phabricator instance.

Differential D33637

[libcxxabi][demangler] Fix a exponential string copying bug
ClosedPublic

Authored by erik.pilkington on May 28 2017, 2:27 PM.

Details

Reviewers
compnerd
Commits
rGa34ea7583fb2: [demangler] Fix a exponential string copying bug
rCXXA304113: [demangler] Fix a exponential string copying bug
rL304113: [demangler] Fix a exponential string copying bug
Summary

The problem was that if base_name() was called from a context without an actual base name, it could gulp up the entire string, which can result in recursive duplications. The fix is to be more strict as to what qualifies as a base name.

Fixes PR31031
Thanks

Diff Detail

Repository
rL LLVM

Event Timeline

erik.pilkington created this revision.May 28 2017, 2:27 PM
Herald added a reviewer: EricWF. · View Herald TranscriptMay 28 2017, 2:27 PM
erik.pilkington edited reviewers, added: compnerd; removed: EricWF.May 28 2017, 2:28 PM
erik.pilkington added a subscriber: cfe-commits.
compnerd accepted this revision.May 28 2017, 3:17 PM

Thanks for looking into this, its been on my list for a while now.

src/cxa_demangle.cpp
2918 ↗(On Diff #100568)

Hmm, I wonder if we should negate and hoist this into the condition rather than the explicit check here. It makes it slightly more obvious what we are trying to do here. However, it does make failing more challenging (since we cannot as easily identify if the extraction failed.

This revision is now accepted and ready to land.May 28 2017, 3:17 PM
Closed by commit rL304113: [demangler] Fix a exponential string copying bug (authored by epilk). · Explain WhyMay 28 2017, 4:16 PM
This revision was automatically updated to reflect the committed changes.
alekseyshl mentioned this in D33687: [sanitizer] Add "isapla" to symbolizer's global symbols whitelist..May 30 2017, 12:38 PM
alekseyshl mentioned this in rL304234: [sanitizer] Add "isapla" to symbolizer's global symbols whitelist..May 30 2017, 12:52 PM

Revision Contents

PathSize
libcxxabi/
trunk/
src/
4 lines
test/
1 line

Diff 100574

libcxxabi/trunk/src/cxa_demangle.cpp

Show First 20 LinesShow All 2,909 Lines▼ Show 20 Linesbase_name(String& s)
const char* p0 = pe - 1; const char* p0 = pe - 1;
for (; p0 != pf; --p0) for (; p0 != pf; --p0)
{ {
if (*p0 == ':') if (*p0 == ':')
{ {
++p0; ++p0;
break; break;
} }
if (!isalpha(*p0) && !isdigit(*p0) && *p0 != '_')
{
return String();
}
} }
return String(p0, pe); return String(p0, pe);
} }
// <ctor-dtor-name> ::= C1 # complete object constructor // <ctor-dtor-name> ::= C1 # complete object constructor
// ::= C2 # base object constructor // ::= C2 # base object constructor
// ::= C3 # complete object allocating constructor // ::= C3 # complete object allocating constructor
// extension ::= C5 # ? // extension ::= C5 # ?
▲ Show 20 LinesShow All 2,141 LinesShow Last 20 Lines

libcxxabi/trunk/test/test_demangle.pass.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 29,662 Lines▼ Show 20 Lines // The following test cases were found by libFuzzer+ASAN
"\x44\x74\x70\x74\x71\x75\x32\x43\x41\x38\x65\x6E\x9B\x72\x4D\xC1\x43\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x2C\x53\xF9\x5F\x70\x74\x70\x69\x45\xB4\xD3\x73\x9F\x2A\x37", "\x44\x74\x70\x74\x71\x75\x32\x43\x41\x38\x65\x6E\x9B\x72\x4D\xC1\x43\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x2C\x53\xF9\x5F\x70\x74\x70\x69\x45\xB4\xD3\x73\x9F\x2A\x37",
"\x4C\x5A\x4C\x55\x6C\x69\x4D\x73\x72\x53\x6F\x7A\x41\x5F\x41\x67\x74\x71\x75\x32\x4D\x41\x64\x73\x39\x28\x76\x72\x4D\x34\x44\x4B\x45\x54\x6E\x61\x37\x47\x77\x78\x38\x43\x27\x41\x5F\x73\x70\x69\x45\x6F\x45\x49\x6D\x1A\x4C\x53\x38\x6A\x7A\x5A", "\x4C\x5A\x4C\x55\x6C\x69\x4D\x73\x72\x53\x6F\x7A\x41\x5F\x41\x67\x74\x71\x75\x32\x4D\x41\x64\x73\x39\x28\x76\x72\x4D\x34\x44\x4B\x45\x54\x6E\x61\x37\x47\x77\x78\x38\x43\x27\x41\x5F\x73\x70\x69\x45\x6F\x45\x49\x6D\x1A\x4C\x53\x38\x6A\x7A\x5A",
"\x44\x74\x63*", "\x44\x74\x63*",
"\x44\x74\x71\x75\x35\x2A\xDF\x74\x44\x61\x73\x63\x35\x2A\x3B\x41\x72\x4D\x6E\x65\x34\x9F\xC1\x63\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x6C\x53\xF9\x5F\x70\x74\x70\x69\x45\x33\x44\x76\x35", "\x44\x74\x71\x75\x35\x2A\xDF\x74\x44\x61\x73\x63\x35\x2A\x3B\x41\x72\x4D\x6E\x65\x34\x9F\xC1\x63\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x6C\x53\xF9\x5F\x70\x74\x70\x69\x45\x33\x44\x76\x35",
"\x44\x74\x70\x74\x71\x75\x32\x43\x41\x38\x65\x6E\x9B\x72\x4D\xC1\x43\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x6C\x53\xF9\x5F\x70\x74\x70\x69\x45\x38\xD3\x73\x9E\x2A\x37", "\x44\x74\x70\x74\x71\x75\x32\x43\x41\x38\x65\x6E\x9B\x72\x4D\xC1\x43\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x6C\x53\xF9\x5F\x70\x74\x70\x69\x45\x38\xD3\x73\x9E\x2A\x37",
"\x46\x44\x74\x70\x74\x71\x75\x32\x43\x41\x72\x4D\x6E\x65\x34\x9F\xC1\x43\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x6C\x53\xF9\x5F\x70\x74\x70\x69\x45\x34\xD3\x73\x9E\x2A\x37\x72\x33\x8E\x3A\x29\x8E\x44\x35", "\x46\x44\x74\x70\x74\x71\x75\x32\x43\x41\x72\x4D\x6E\x65\x34\x9F\xC1\x43\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x6C\x53\xF9\x5F\x70\x74\x70\x69\x45\x34\xD3\x73\x9E\x2A\x37\x72\x33\x8E\x3A\x29\x8E\x44\x35",
"_ZcvCiIJEEDvT__FFFFT_vT_v", "_ZcvCiIJEEDvT__FFFFT_vT_v",
"Z1JIJ1_T_EE3o00EUlT_E0", "Z1JIJ1_T_EE3o00EUlT_E0",
"___Z2i_D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D1D",
}; };
const unsigned NI = sizeof(invalid_cases) / sizeof(invalid_cases[0]); const unsigned NI = sizeof(invalid_cases) / sizeof(invalid_cases[0]);
void test() void test()
{ {
std::size_t len = 0; std::size_t len = 0;
char* buf = nullptr; char* buf = nullptr;
▲ Show 20 LinesShow All 121 LinesShow Last 20 Lines