aboutsummaryrefslogtreecommitdiff
path: root/libiberty/cp-demangle.c
diff options
context:
space:
mode:
authorMark Wielaard <mark@klomp.org>2016-11-15 19:31:59 +0000
committerMark Wielaard <mark@klomp.org>2016-11-18 11:06:18 +0100
commitddc5804ebd4b2be29ad4e3e259f5c6e907f34f26 (patch)
tree9c865971acdc8f9f31dcab1d34e4e88c98569507 /libiberty/cp-demangle.c
parent1706852c3c6c1d39f949c933d37647d02509b9cb (diff)
downloadgdb-ddc5804ebd4b2be29ad4e3e259f5c6e907f34f26.zip
gdb-ddc5804ebd4b2be29ad4e3e259f5c6e907f34f26.tar.gz
gdb-ddc5804ebd4b2be29ad4e3e259f5c6e907f34f26.tar.bz2
libiberty: demangler crash with missing :? or fold expression component.
When constructing an :? or fold expression that requires a third expression only the first and second were explicitly checked to not be NULL. Since the third expression is also required in these constructs it needs to be explicitly checked and rejected when missing. Otherwise the demangler will crash once it tries to d_print the NULL component. Added two examples to demangle-expected of strings that would crash before this fix. Found by American Fuzzy Lop (afl) fuzzer.
Diffstat (limited to 'libiberty/cp-demangle.c')
-rw-r--r--libiberty/cp-demangle.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
index e239155..45663fe 100644
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -3415,6 +3415,8 @@ d_expression_1 (struct d_info *di)
first = d_expression_1 (di);
second = d_expression_1 (di);
third = d_expression_1 (di);
+ if (third == NULL)
+ return NULL;
}
else if (code[0] == 'f')
{
@@ -3422,6 +3424,8 @@ d_expression_1 (struct d_info *di)
first = d_operator_name (di);
second = d_expression_1 (di);
third = d_expression_1 (di);
+ if (third == NULL)
+ return NULL;
}
else if (code[0] == 'n')
{