From: Iain Buclaw
Date: Fri, 26 May 2017 17:48:27 +0200
Subject: [PATCH 1/3] [D] libiberty: Remove stack buffer in dlang_parse_real
To: gcc-patches

Hi,

This patch fixes a problem in the D demangler where an abnormally long mangled floating point literal would cause the program to write past the allocated stack buffer. This should never happen with a valid D symbol, but we should be able to handle anything thrown at us.

commit 62d51a8de1fa6543f11ff0d9f97b3ce714023089
Author: Iain Buclaw
Date: Fri May 26 15:29:50 2017 +0200

libiberty/ChangeLog:

2017-05-26 Iain Buclaw

* d-demangle.c (dlang_parse_real): Remove stack buffer, write the demangled hexadecimal directly to string.
* testsuite/d-demangle-expected: Add tests.

diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c index ec5508e2777..030cab3333f 100644 --- a/libiberty/d-demangle.c +++ b/libiberty/d-demangle.c @@ -1025,9 +1025,6 @@ dlang_parse_integer (string *decl, const char *mangled, char type) static const char * dlang_parse_real (string *decl, const char *mangled) { - char buffer[64]; - int len = 0; - /* Handle NAN and +-INF. */ if (strncmp (mangled, "NAN", 3) == 0) { @@ -1051,23 +1048,22 @@ dlang_parse_real (string *decl, const char *mangled) /* Hexadecimal prefix and leading bit. */ if (*mangled == 'N') { - buffer[len++] = '-'; + string_append (decl, "-"); mangled++; } if (!ISXDIGIT (*mangled)) return NULL; - buffer[len++] = '0'; - buffer[len++] = 'x'; - buffer[len++] = *mangled; - buffer[len++] = '.'; + string_append (decl, "0x"); + string_appendn (decl, mangled, 1); + string_append (decl, "."); mangled++; /* Significand. */ while (ISXDIGIT (*mangled)) { - buffer[len++] = *mangled; + string_appendn (decl, mangled, 1); mangled++; } 
@@ -1075,26 +1071,21 @@ dlang_parse_real (string *decl, const char *mangled) if (*mangled != 'P') return NULL; - buffer[len++] = 'p'; + string_append (decl, "p"); mangled++; if (*mangled == 'N') { - buffer[len++] = '-'; + string_append (decl, "-"); mangled++; } while (ISDIGIT (*mangled)) { - buffer[len++] = *mangled; + string_appendn (decl, mangled, 1); mangled++; } - /* Write out the demangled hexadecimal, rather than trying to - convert the buffer into a floating-point value. */ - buffer[len] = '\0'; - len = strlen (buffer); - string_appendn (decl, buffer, len); return mangled; } diff --git a/libiberty/testsuite/d-demangle-expected b/libiberty/testsuite/d-demangle-expected index 626d7c2d980..950d4955d8f 100644 --- a/libiberty/testsuite/d-demangle-expected +++ b/libiberty/testsuite/d-demangle-expected @@ -838,6 +838,10 @@ _D8demangle52__T4testVrcN0C4CCCCCCCCCCCCCDP4c0B666666666666666P6Zv demangle.test!(-0x0.C4CCCCCCCCCCCCCDp4+0x0.B666666666666666p6i) # --format=dlang +_D8demangle91__T4testVde000111222333444555666777888999AAABBBCCCDDDEEEFFFP000111222333444555666777888999Zv +demangle.test!(0x0.00111222333444555666777888999AAABBBCCCDDDEEEFFFp000111222333444555666777888999) +# +--format=dlang _D8demangle22__T4testVG3ua3_616263Zv demangle.test!("abc") #
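Review bot: In the @@ -1051,23 +1048,22 @@ hunk, `string_append (decl, "-");` now runs before the `if (!ISXDIGIT (*mangled)) return NULL;` check, so a rejected literal leaves a stray "-" in decl, whereas the old code only touched decl once the whole literal had parsed. The following hunk has the same shape at `if (*mangled != 'P') return NULL;`, where the prefix and significand are already appended. Either confirm that every caller discards decl when NULL comes back, or scan to the end of the literal first and append afterwards, which would also let the significand go out in one string_appendn call instead of one call per digit.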
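Review bot: In the @@ -1075,26 +1071,21 @@ hunk, the exponent loop `while (ISDIGIT (*mangled))` accepts zero digits, so input that stops at "P" or "PN" makes dlang_parse_real return success after appending a bare "p" or "p-". This predates the patch, but since the stated goal is to handle anything thrown at the demangler, an `if (!ISDIGIT (*mangled)) return NULL;` ahead of the loop would close it. The removed comment about writing out the hexadecimal form rather than converting to a floating-point value still describes what the function does and is worth keeping near the top of the parse.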
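Review bot: The case added to d-demangle-expected covers only the accepting path, with no sign on either the significand or the exponent. Add a long literal that uses the 'N' prefix on both parts, and one long literal that is malformed (for example, no 'P' after the significand), so that the early `return NULL` paths that now follow a partial append to decl are exercised as well.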