From patchwork Wed Sep 22 01:10:34 2021
X-Patchwork-Submitter: Luís Ferreira
X-Patchwork-Id: 45266
Subject: [PATCH] libiberty: prevent buffer overflow when decoding user input
From: Luís Ferreira
To: gcc-patches@gcc.gnu.org
Date: Wed, 22 Sep 2021 02:10:34 +0100
Reply-To: lsferreira@riseup.net

Currently a stack/heap overflow may happen if a crafted mangle is maliciously used to cause denial of service, such as intentional crashes by accessing a reserved memory space.

Signed-off-by: Luís Ferreira
--- libiberty/d-demangle.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) backref = dlang_lname (decl, backref, len); diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c index a2152cc65518..7ded3e2a2563 100644
--- a/libiberty/d-demangle.c +++ b/libiberty/d-demangle.c @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char *mangled, /* Must point to a simple identifier. */ backref = dlang_number (backref, &len); - if (backref == NULL) + if (backref == NULL || strlen(backref) < len) return NULL;
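
Review bot: In the added condition of dlang_symbol_backref, `strlen(backref) < len` scans the whole remainder of the mangled string on every back reference just to learn whether at least len bytes remain before `dlang_lname (decl, backref, len)` consumes them. A scan bounded by len (for example strnlen, if it is available to this file) answers the same question without a cost linear in the attacker-controlled input. The call also lacks the space before the parenthesis that the neighbouring calls `dlang_number (backref, &len)` and `dlang_lname (decl, backref, len)` use, so it should read `strlen (backref) < len`. If len is a signed type, the comparison against strlen's size_t result converts it implicitly, and an explicit cast would make the intent visible. The existing comment "Must point to a simple identifier" could also say that the decoded length is now checked against the remaining input, since that is the reason for the new test.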