libiberty: prevent buffer overflow when decoding user input

Message ID f4f09ee47c03316cdcb7016223b9a4ff1a7dbe77.camel@lsferreira.net
State New
Headers
Series libiberty: prevent buffer overflow when decoding user input |

Commit Message

Luís Ferreira Sept. 22, 2021, 1:10 a.m. UTC
  Currently a stack/heap overflow may happen if a crafted mangle is
maliciously used to cause denial of service, such as intentional
crashes
by accessing a reserved memory space.

Signed-off-by: Luís Ferreira <contact@lsferreira.net>
---
 libiberty/d-demangle.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

   backref = dlang_lname (decl, backref, len);
  

Comments

Li, Pan2 via Gcc-patches Sept. 23, 2021, 10:16 a.m. UTC | #1
> On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote:
> 
>  
> Currently a stack/heap overflow may happen if a crafted mangle is
> maliciously used to cause denial of service, such as intentional
> crashes
> by accessing a reserved memory space.
> 

Hi,

Thanks for this.  Is there a test that could trigger this code path?

Iain.


> Signed-off-by: Luís Ferreira <contact@lsferreira.net>
> ---
>  libiberty/d-demangle.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
> index a2152cc65518..7ded3e2a2563 100644
> --- a/libiberty/d-demangle.c
> +++ b/libiberty/d-demangle.c
> @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char
> *mangled,
>  
>    /* Must point to a simple identifier.  */
>    backref = dlang_number (backref, &len);
> -  if (backref == NULL)
> +  if (backref == NULL || strlen(backref) < len)
>      return NULL;
>  
>    backref = dlang_lname (decl, backref, len);
  
Li, Pan2 via Gcc-patches Sept. 23, 2021, 3:40 p.m. UTC | #2
Hi,

Here is an example of a crafted mangle that can cause heap buffer
overflow.

```
fuzzer-results/crash-18b7f0799be49886550876b5ab6bb63e4231979b
_D2FGWG44444444444444444EQe
00000000  5f 44 32 46 47 57 47 34  34 34 34 34 34 34 34 34 
|_D2FGWG444444444|
00000010  34 34 34 34 34 34 34 34  45 51 65 0a             
|44444444EQe.|
0000001c
```

Here is an example of a crafted mangle that can cause stack buffer
overflow.

```
fuzzer-results/crash-79833f1c8ce510bbf138c0d5ad06a7fb11ce3bae
_D8ee2_1111Qe
00000000  5f 44 38 65 65 32 5f 31  31 31 31 51 65          
|_D8ee2_1111Qe|
0000000d
```

Even though this triggers an UB by reading/writing other memory space,
I couldn't find a situation where this constantly fails, although, if
running with an address + UB sanitizer this can be easily catched and
replicated with some confidence. I didn't add this to the test suite
because of that.

On Thu, 2021-09-23 at 12:16 +0200, ibuclaw@gdcproject.org wrote:
> > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote:
> > 
> >  
> > Currently a stack/heap overflow may happen if a crafted mangle is
> > maliciously used to cause denial of service, such as intentional
> > crashes
> > by accessing a reserved memory space.
> > 
> 
> Hi,
> 
> Thanks for this.  Is there a test that could trigger this code path?
> 
> Iain.
> 
> 
> > Signed-off-by: Luís Ferreira <contact@lsferreira.net>
> > ---
> >  libiberty/d-demangle.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
> > index a2152cc65518..7ded3e2a2563 100644
> > --- a/libiberty/d-demangle.c
> > +++ b/libiberty/d-demangle.c
> > @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char
> > *mangled,
> >  
> >    /* Must point to a simple identifier.  */
> >    backref = dlang_number (backref, &len);
> > -  if (backref == NULL)
> > +  if (backref == NULL || strlen(backref) < len)
> >      return NULL;
> >  
> >    backref = dlang_lname (decl, backref, len);
  
Jeff Law Sept. 23, 2021, 3:50 p.m. UTC | #3
On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
>> On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote:
>>
>>   
>> Currently a stack/heap overflow may happen if a crafted mangle is
>> maliciously used to cause denial of service, such as intentional
>> crashes
>> by accessing a reserved memory space.
>>
> Hi,
>
> Thanks for this.  Is there a test that could trigger this code path?
I don't think Luis has commit privs, so I went ahead and committed this 
patch.

Yea, a testcase would be great.

Jeff
  
Luís Ferreira Oct. 4, 2021, 4:52 p.m. UTC | #4
On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
> 
> 
> On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote:
> > > 
> > >   
> > > Currently a stack/heap overflow may happen if a crafted mangle is
> > > maliciously used to cause denial of service, such as intentional
> > > crashes
> > > by accessing a reserved memory space.
> > > 
> > Hi,
> > 
> > Thanks for this.  Is there a test that could trigger this code
> > path?
> I don't think Luis has commit privs, so I went ahead and committed
> this 
> patch.
> 
> Yea, a testcase would be great.
> 
> Jeff
> 

Does the test suite runned against address sanitization? if yes, I can
submit a patch to make this fail, otherwise it is hard to trigger a
consistent crash for this issue.
  
Jeff Law Oct. 5, 2021, 3 p.m. UTC | #5
On 10/4/2021 10:52 AM, Luís Ferreira wrote:
> On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
>>
>> On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
>>>> On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote:
>>>>
>>>>    
>>>> Currently a stack/heap overflow may happen if a crafted mangle is
>>>> maliciously used to cause denial of service, such as intentional
>>>> crashes
>>>> by accessing a reserved memory space.
>>>>
>>> Hi,
>>>
>>> Thanks for this.  Is there a test that could trigger this code
>>> path?
>> I don't think Luis has commit privs, so I went ahead and committed
>> this
>> patch.
>>
>> Yea, a testcase would be great.
>>
>> Jeff
>>
> Does the test suite runned against address sanitization? if yes, I can
> submit a patch to make this fail, otherwise it is hard to trigger a
> consistent crash for this issue.
Unfortunately, no it doesn't run with sanitization.  If it's too painful 
to create a test, don't worry about it.  It happens from time to time.

jeff
  
Luís Ferreira Oct. 5, 2021, 5:26 p.m. UTC | #6
On Tue, 2021-10-05 at 09:00 -0600, Jeff Law wrote:
> 
> 
> On 10/4/2021 10:52 AM, Luís Ferreira wrote:
> > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
> > > 
> > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > > > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net>
> > > > > wrote:
> > > > > 
> > > > >    
> > > > > Currently a stack/heap overflow may happen if a crafted
> > > > > mangle is
> > > > > maliciously used to cause denial of service, such as
> > > > > intentional
> > > > > crashes
> > > > > by accessing a reserved memory space.
> > > > > 
> > > > Hi,
> > > > 
> > > > Thanks for this.  Is there a test that could trigger this code
> > > > path?
> > > I don't think Luis has commit privs, so I went ahead and
> > > committed
> > > this
> > > patch.
> > > 
> > > Yea, a testcase would be great.
> > > 
> > > Jeff
> > > 
> > Does the test suite runned against address sanitization? if yes, I
> > can
> > submit a patch to make this fail, otherwise it is hard to trigger a
> > consistent crash for this issue.
> Unfortunately, no it doesn't run with sanitization.  If it's too
> painful 
> to create a test, don't worry about it.  It happens from time to
> time.
> 
> jeff

I would like to add address sanitization if I knew how GCC autotools
work but I think this is a better fit when I invest some time
implementing something to OSS fuzz and build some infrastructure for
fuzzing parts of the GCC.
  
Eric Gallager Oct. 6, 2021, 1:49 a.m. UTC | #7
On Tue, Oct 5, 2021 at 1:28 PM Luís Ferreira <contact@lsferreira.net> wrote:
>
> On Tue, 2021-10-05 at 09:00 -0600, Jeff Law wrote:
> >
> >
> > On 10/4/2021 10:52 AM, Luís Ferreira wrote:
> > > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
> > > >
> > > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > > > > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net>
> > > > > > wrote:
> > > > > >
> > > > > >
> > > > > > Currently a stack/heap overflow may happen if a crafted
> > > > > > mangle is
> > > > > > maliciously used to cause denial of service, such as
> > > > > > intentional
> > > > > > crashes
> > > > > > by accessing a reserved memory space.
> > > > > >
> > > > > Hi,
> > > > >
> > > > > Thanks for this.  Is there a test that could trigger this code
> > > > > path?
> > > > I don't think Luis has commit privs, so I went ahead and
> > > > committed
> > > > this
> > > > patch.
> > > >
> > > > Yea, a testcase would be great.
> > > >
> > > > Jeff
> > > >
> > > Does the test suite runned against address sanitization? if yes, I
> > > can
> > > submit a patch to make this fail, otherwise it is hard to trigger a
> > > consistent crash for this issue.
> > Unfortunately, no it doesn't run with sanitization.  If it's too
> > painful
> > to create a test, don't worry about it.  It happens from time to
> > time.
> >
> > jeff
>
> I would like to add address sanitization if I knew how GCC autotools
> work but I think this is a better fit when I invest some time
> implementing something to OSS fuzz and build some infrastructure for
> fuzzing parts of the GCC.
>

I can help with the autotools part if you can say how precisely you'd
like to use them to add address sanitization. And as for the OSS
fuzz part, I think someone tried setting up auto-fuzzing for it once,
but the main bottleneck was getting the bug reports that it generated
properly triaged, so if you could make sure the bug-submitting portion
of the process is properly streamlined, that'd probably go a long way
towards helping it be useful.

> --
> Sincerely,
> Luís Ferreira @ lsferreira.net
>
  
Luís Ferreira Oct. 7, 2021, 6:29 p.m. UTC | #8
On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> On Tue, Oct 5, 2021 at 1:28 PM Luís Ferreira <contact@lsferreira.net>
> wrote:
> > 
> > On Tue, 2021-10-05 at 09:00 -0600, Jeff Law wrote:
> > > 
> > > 
> > > On 10/4/2021 10:52 AM, Luís Ferreira wrote:
> > > > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
> > > > > 
> > > > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > > > > > On 22/09/2021 03:10 Luís Ferreira
> > > > > > > <contact@lsferreira.net>
> > > > > > > wrote:
> > > > > > > 
> > > > > > > 
> > > > > > > Currently a stack/heap overflow may happen if a crafted
> > > > > > > mangle is
> > > > > > > maliciously used to cause denial of service, such as
> > > > > > > intentional
> > > > > > > crashes
> > > > > > > by accessing a reserved memory space.
> > > > > > > 
> > > > > > Hi,
> > > > > > 
> > > > > > Thanks for this.  Is there a test that could trigger this
> > > > > > code
> > > > > > path?
> > > > > I don't think Luis has commit privs, so I went ahead and
> > > > > committed
> > > > > this
> > > > > patch.
> > > > > 
> > > > > Yea, a testcase would be great.
> > > > > 
> > > > > Jeff
> > > > > 
> > > > Does the test suite runned against address sanitization? if
> > > > yes, I
> > > > can
> > > > submit a patch to make this fail, otherwise it is hard to
> > > > trigger a
> > > > consistent crash for this issue.
> > > Unfortunately, no it doesn't run with sanitization.  If it's too
> > > painful
> > > to create a test, don't worry about it.  It happens from time to
> > > time.
> > > 
> > > jeff
> > 
> > I would like to add address sanitization if I knew how GCC
> > autotools
> > work but I think this is a better fit when I invest some time
> > implementing something to OSS fuzz and build some infrastructure
> > for
> > fuzzing parts of the GCC.
> > 
> 
> I can help with the autotools part if you can say how precisely you'd
> like to use them to add address sanitization. And as for the OSS
> fuzz part, I think someone tried setting up auto-fuzzing for it once,
> but the main bottleneck was getting the bug reports that it generated
> properly triaged, so if you could make sure the bug-submitting
> portion
> of the process is properly streamlined, that'd probably go a long way
> towards helping it be useful.

Bugs are normally reported by email or mailing list. Is there any
writable mailing list to publish bugs or is it strictly needed to open
an entry on bugzilla?
  
Iain Buclaw Oct. 8, 2021, 4:52 p.m. UTC | #9
Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
>> 
>> I can help with the autotools part if you can say how precisely you'd
>> like to use them to add address sanitization. And as for the OSS
>> fuzz part, I think someone tried setting up auto-fuzzing for it once,
>> but the main bottleneck was getting the bug reports that it generated
>> properly triaged, so if you could make sure the bug-submitting
>> portion
>> of the process is properly streamlined, that'd probably go a long way
>> towards helping it be useful.
> 
> Bugs are normally reported by email or mailing list. Is there any
> writable mailing list to publish bugs or is it strictly needed to open
> an entry on bugzilla?
> 

Please open an issue on bugzilla, fixes towards it can then be
referenced in the commit message/patch posted here.

Iain.
  
Luís Ferreira Oct. 8, 2021, 5:08 p.m. UTC | #10
On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
> Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> > > 
> > > I can help with the autotools part if you can say how precisely
> > > you'd
> > > like to use them to add address sanitization. And as for the OSS
> > > fuzz part, I think someone tried setting up auto-fuzzing for it
> > > once,
> > > but the main bottleneck was getting the bug reports that it
> > > generated
> > > properly triaged, so if you could make sure the bug-submitting
> > > portion
> > > of the process is properly streamlined, that'd probably go a long
> > > way
> > > towards helping it be useful.
> > 
> > Bugs are normally reported by email or mailing list. Is there any
> > writable mailing list to publish bugs or is it strictly needed to
> > open
> > an entry on bugzilla?
> > 
> 
> Please open an issue on bugzilla, fixes towards it can then be
> referenced in the commit message/patch posted here.
> 
> Iain.

You mean for this current issue? The discussion was about future bug
reports reported by the OSS fuzzer workers. I can also open an issue on
the bugzilla for this issue, please clarify it and let me know :)
  
Iain Buclaw Oct. 8, 2021, 8:11 p.m. UTC | #11
Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm:
> On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
>> Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
>> > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
>> > > 
>> > > I can help with the autotools part if you can say how precisely
>> > > you'd
>> > > like to use them to add address sanitization. And as for the OSS
>> > > fuzz part, I think someone tried setting up auto-fuzzing for it
>> > > once,
>> > > but the main bottleneck was getting the bug reports that it
>> > > generated
>> > > properly triaged, so if you could make sure the bug-submitting
>> > > portion
>> > > of the process is properly streamlined, that'd probably go a long
>> > > way
>> > > towards helping it be useful.
>> > 
>> > Bugs are normally reported by email or mailing list. Is there any
>> > writable mailing list to publish bugs or is it strictly needed to
>> > open
>> > an entry on bugzilla?
>> > 
>> 
>> Please open an issue on bugzilla, fixes towards it can then be
>> referenced in the commit message/patch posted here.
>> 
>> Iain.
> 
> You mean for this current issue? The discussion was about future bug
> reports reported by the OSS fuzzer workers. I can also open an issue on
> the bugzilla for this issue, please clarify it and let me know :)
> 

1. Open one for this issue.

2. Bugs found by the fuzzer would report to bugzilla.
https://gcc.gnu.org/bugs/

Iain.
  
Luís Ferreira Oct. 12, 2021, 12:54 p.m. UTC | #12
On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote:
> Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm:
> > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
> > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> > > > > 
> > > > > I can help with the autotools part if you can say how precisely
> > > > > you'd
> > > > > like to use them to add address sanitization. And as for the
> > > > > OSS
> > > > > fuzz part, I think someone tried setting up auto-fuzzing for it
> > > > > once,
> > > > > but the main bottleneck was getting the bug reports that it
> > > > > generated
> > > > > properly triaged, so if you could make sure the bug-submitting
> > > > > portion
> > > > > of the process is properly streamlined, that'd probably go a
> > > > > long
> > > > > way
> > > > > towards helping it be useful.
> > > > 
> > > > Bugs are normally reported by email or mailing list. Is there any
> > > > writable mailing list to publish bugs or is it strictly needed to
> > > > open
> > > > an entry on bugzilla?
> > > > 
> > > 
> > > Please open an issue on bugzilla, fixes towards it can then be
> > > referenced in the commit message/patch posted here.
> > > 
> > > Iain.
> > 
> > You mean for this current issue? The discussion was about future bug
> > reports reported by the OSS fuzzer workers. I can also open an issue
> > on
> > the bugzilla for this issue, please clarify it and let me know :)
> > 
> 
> 1. Open one for this issue.
> 
> 2. Bugs found by the fuzzer would report to bugzilla.
> https://gcc.gnu.org/bugs/
> 
> Iain.

Cross referencing the created issue:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702
  
Eric Gallager Oct. 12, 2021, 7:40 p.m. UTC | #13
On Tue, Oct 12, 2021 at 8:55 AM Luís Ferreira <contact@lsferreira.net> wrote:
>
> On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote:
> > Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm:
> > > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
> > > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> > > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> > > > > >
> > > > > > I can help with the autotools part if you can say how precisely
> > > > > > you'd
> > > > > > like to use them to add address sanitization. And as for the
> > > > > > OSS
> > > > > > fuzz part, I think someone tried setting up auto-fuzzing for it
> > > > > > once,
> > > > > > but the main bottleneck was getting the bug reports that it
> > > > > > generated
> > > > > > properly triaged, so if you could make sure the bug-submitting
> > > > > > portion
> > > > > > of the process is properly streamlined, that'd probably go a
> > > > > > long
> > > > > > way
> > > > > > towards helping it be useful.
> > > > >
> > > > > Bugs are normally reported by email or mailing list. Is there any
> > > > > writable mailing list to publish bugs or is it strictly needed to
> > > > > open
> > > > > an entry on bugzilla?
> > > > >
> > > >
> > > > Please open an issue on bugzilla, fixes towards it can then be
> > > > referenced in the commit message/patch posted here.
> > > >
> > > > Iain.
> > >
> > > You mean for this current issue? The discussion was about future bug
> > > reports reported by the OSS fuzzer workers. I can also open an issue
> > > on
> > > the bugzilla for this issue, please clarify it and let me know :)
> > >
> >
> > 1. Open one for this issue.
> >
> > 2. Bugs found by the fuzzer would report to bugzilla.
> > https://gcc.gnu.org/bugs/
> >
> > Iain.
>
> Cross referencing the created issue:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702
>
> --
> Sincerely,
> Luís Ferreira @ lsferreira.net
>

Right, I found the previous time someone tried to set up an autofuzzer
to report bugs to GCC's Bugzilla; searching for bugs reported by
security-tps@google.com on Bugzilla should find them:
https://gcc.gnu.org/bugzilla/buglist.cgi?email1=security-tps%40google.com&emailassigned_to1=1&emailcc1=1&emaillongdesc1=1&emailreporter1=1&emailtype1=substring&list_id=326459&query_format=advanced
  
Li, Pan2 via Gcc-patches Oct. 12, 2021, 8:25 p.m. UTC | #14
On Tue, 2021-10-12 at 15:40 -0400, Eric Gallager wrote:
> On Tue, Oct 12, 2021 at 8:55 AM Luís Ferreira
> <contact@lsferreira.net> wrote:
> > 
> > On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote:
> > > Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm:
> > > > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
> > > > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29
> > > > > pm:
> > > > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> > > > > > > 
> > > > > > > I can help with the autotools part if you can say how
> > > > > > > precisely
> > > > > > > you'd
> > > > > > > like to use them to add address sanitization. And as for
> > > > > > > the
> > > > > > > OSS
> > > > > > > fuzz part, I think someone tried setting up auto-fuzzing
> > > > > > > for it
> > > > > > > once,
> > > > > > > but the main bottleneck was getting the bug reports that
> > > > > > > it
> > > > > > > generated
> > > > > > > properly triaged, so if you could make sure the bug-
> > > > > > > submitting
> > > > > > > portion
> > > > > > > of the process is properly streamlined, that'd probably
> > > > > > > go a
> > > > > > > long
> > > > > > > way
> > > > > > > towards helping it be useful.
> > > > > > 
> > > > > > Bugs are normally reported by email or mailing list. Is
> > > > > > there any
> > > > > > writable mailing list to publish bugs or is it strictly
> > > > > > needed to
> > > > > > open
> > > > > > an entry on bugzilla?
> > > > > > 
> > > > > 
> > > > > Please open an issue on bugzilla, fixes towards it can then
> > > > > be
> > > > > referenced in the commit message/patch posted here.
> > > > > 
> > > > > Iain.
> > > > 
> > > > You mean for this current issue? The discussion was about
> > > > future bug
> > > > reports reported by the OSS fuzzer workers. I can also open an
> > > > issue
> > > > on
> > > > the bugzilla for this issue, please clarify it and let me know
> > > > :)
> > > > 
> > > 
> > > 1. Open one for this issue.
> > > 
> > > 2. Bugs found by the fuzzer would report to bugzilla.
> > > https://gcc.gnu.org/bugs/
> > > 
> > > Iain.
> > 
> > Cross referencing the created issue:
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702
> > 
> > --
> > Sincerely,
> > Luís Ferreira @ lsferreira.net
> > 
> 
> Right, I found the previous time someone tried to set up an
> autofuzzer
> to report bugs to GCC's Bugzilla; searching for bugs reported by
> security-tps@google.com on Bugzilla should find them:
> https://gcc.gnu.org/bugzilla/buglist.cgi?email1=security-tps%40google.com&emailassigned_to1=1&emailcc1=1&emaillongdesc1=1&emailreporter1=1&emailtype1=substring&list_id=326459&query_format=advanced

Good! Do you know how and where this is being handled? I didn't find
anything related to GCC/libiberty on OSS fuzz repository. Existing
resources on that can be useful to increment on top instead of
designing something from scratch. I also took a look at the fuzzer
included in GCC, but it doesn't include any heuristic.
  

Patch

diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index a2152cc65518..7ded3e2a2563 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -381,7 +381,7 @@  dlang_symbol_backref (string *decl, const char
*mangled,
 
   /* Must point to a simple identifier.  */
   backref = dlang_number (backref, &len);
-  if (backref == NULL)
+  if (backref == NULL || strlen(backref) < len)
     return NULL;