Diffstat (limited to 'meta/recipes-devtools/gcc/gcc-6.4/backport/CVE-2016-6131.patch')
-rw-r--r--meta/recipes-devtools/gcc/gcc-6.4/backport/CVE-2016-6131.patch223
1 files changed, 223 insertions, 0 deletions
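--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-6.4/backport/CVE-2016-6131.patch
@@ -0,0 +1,223 @@
+From 59a0e4bd8391962f62600ae3ac95ab0fba74d464 Mon Sep 17 00:00:00 2001
+From: law <law@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 4 Aug 2016 16:53:18 +0000
+Subject: [PATCH] Fix for PR71696 in Libiberty Demangler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[BZ #71696] -- https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696
+
+2016-08-04 Marcel Böhme <boehme.marcel@gmail.com>
+
+ PR c++/71696
+ * cplus-dem.c: Prevent infinite recursion when there is a cycle
+ in the referencing of remembered mangled types.
+ (work_stuff): New stack to keep track of the remembered mangled
+ types that are currently being processed.
+ (push_processed_type): New method to push currently processed
+ remembered type onto the stack.
+ (pop_processed_type): New method to pop currently processed
+ remembered type from the stack.
+ (work_stuff_copy_to_from): Copy values of new variables.
+ (delete_non_B_K_work_stuff): Free stack memory.
+ (demangle_args): Push/Pop currently processed remembered type.
+ (do_type): Do not demangle a cyclic reference and push/pop
+ referenced remembered type.
+
+cherry-picked from commit of
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@239143 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport [master]
+CVE: CVE-2016-6131
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ libiberty/ChangeLog | 17 ++++++++
+ libiberty/cplus-dem.c | 78 ++++++++++++++++++++++++++++++++---
+ libiberty/testsuite/demangle-expected | 18 ++++++++
+ 3 files changed, 108 insertions(+), 5 deletions(-)
+
+Index: gcc-6.4.0/libiberty/cplus-dem.c
+===================================================================
+--- gcc-6.4.0.orig/libiberty/cplus-dem.c
++++ gcc-6.4.0/libiberty/cplus-dem.c
+@@ -144,6 +144,9 @@ struct work_stuff
+ string* previous_argument; /* The last function argument demangled. */
+ int nrepeats; /* The number of times to repeat the previous
+ argument. */
++ int *proctypevec; /* Indices of currently processed remembered typevecs. */
++ int proctypevec_size;
++ int nproctypes;
+ };
+
+ #define PRINT_ANSI_QUALIFIERS (work -> options & DMGL_ANSI)
+@@ -435,6 +438,10 @@ iterate_demangle_function (struct work_s
+
+ static void remember_type (struct work_stuff *, const char *, int);
+
++static void push_processed_type (struct work_stuff *, int);
++
++static void pop_processed_type (struct work_stuff *);
++
+ static void remember_Btype (struct work_stuff *, const char *, int, int);
+
+ static int register_Btype (struct work_stuff *);
+@@ -1301,6 +1308,10 @@ work_stuff_copy_to_from (struct work_stu
+ memcpy (to->btypevec[i], from->btypevec[i], len);
+ }
+
++ if (from->proctypevec)
++ to->proctypevec =
++ XDUPVEC (int, from->proctypevec, from->proctypevec_size);
++
+ if (from->ntmpl_args)
+ to->tmpl_argvec = XNEWVEC (char *, from->ntmpl_args);
+
+@@ -1329,11 +1340,17 @@ delete_non_B_K_work_stuff (struct work_s
+ /* Discard the remembered types, if any. */
+
+ forget_types (work);
+- if (work -> typevec != NULL)
++ if (work->typevec != NULL)
+ {
+- free ((char *) work -> typevec);
+- work -> typevec = NULL;
+- work -> typevec_size = 0;
++ free ((char *) work->typevec);
++ work->typevec = NULL;
++ work->typevec_size = 0;
++ }
++ if (work->proctypevec != NULL)
++ {
++ free (work->proctypevec);
++ work->proctypevec = NULL;
++ work->proctypevec_size = 0;
+ }
+ if (work->tmpl_argvec)
+ {
+@@ -3552,6 +3569,8 @@ static int
+ do_type (struct work_stuff *work, const char **mangled, string *result)
+ {
+ int n;
++ int i;
++ int is_proctypevec;
+ int done;
+ int success;
+ string decl;
+@@ -3564,6 +3583,7 @@ do_type (struct work_stuff *work, const
+
+ done = 0;
+ success = 1;
++ is_proctypevec = 0;
+ while (success && !done)
+ {
+ int member;
+@@ -3616,8 +3636,15 @@ do_type (struct work_stuff *work, const
+ success = 0;
+ }
+ else
++ for (i = 0; i < work->nproctypes; i++)
++ if (work -> proctypevec [i] == n)
++ success = 0;
++
++ if (success)
+ {
+- remembered_type = work -> typevec[n];
++ is_proctypevec = 1;
++ push_processed_type (work, n);
++ remembered_type = work->typevec[n];
+ mangled = &remembered_type;
+ }
+ break;
+@@ -3840,6 +3867,9 @@ do_type (struct work_stuff *work, const
+ string_delete (result);
+ string_delete (&decl);
+
++ if (is_proctypevec)
++ pop_processed_type (work);
++
+ if (success)
+ /* Assume an integral type, if we're not sure. */
+ return (int) ((tk == tk_none) ? tk_integral : tk);
+@@ -4252,6 +4282,41 @@ do_arg (struct work_stuff *work, const c
+ }
+
+ static void
++push_processed_type (struct work_stuff *work, int typevec_index)
++{
++ if (work->nproctypes >= work->proctypevec_size)
++ {
++ if (!work->proctypevec_size)
++ {
++ work->proctypevec_size = 4;
++ work->proctypevec = XNEWVEC (int, work->proctypevec_size);
++ }
++ else
++ {
++ if (work->proctypevec_size < 16)
++ /* Double when small. */
++ work->proctypevec_size *= 2;
++ else
++ {
++ /* Grow slower when large. */
++ if (work->proctypevec_size > (INT_MAX / 3) * 2)
++ xmalloc_failed (INT_MAX);
++ work->proctypevec_size = (work->proctypevec_size * 3 / 2);
++ }
++ work->proctypevec
++ = XRESIZEVEC (int, work->proctypevec, work->proctypevec_size);
++ }
++ }
++ work->proctypevec [work->nproctypes++] = typevec_index;
++}
++
++static void
++pop_processed_type (struct work_stuff *work)
++{
++ work->nproctypes--;
++}
++
++static void
+ remember_type (struct work_stuff *work, const char *start, int len)
+ {
+ char *tem;
+@@ -4515,10 +4580,13 @@ demangle_args (struct work_stuff *work,
+ {
+ string_append (declp, ", ");
+ }
++ push_processed_type (work, t);
+ if (!do_arg (work, &tem, &arg))
+ {
++ pop_processed_type (work);
+ return (0);
+ }
++ pop_processed_type (work);
+ if (PRINT_ARG_TYPES)
+ {
+ string_appends (declp, &arg);
+Index: gcc-6.4.0/libiberty/testsuite/demangle-expected
+===================================================================
+--- gcc-6.4.0.orig/libiberty/testsuite/demangle-expected
++++ gcc-6.4.0/libiberty/testsuite/demangle-expected
+@@ -4491,3 +4491,21 @@ void eat<int*, Foo()::{lambda(auto:1*, a
+
+ _Z3eatIPiZ3BarIsEvvEUlPsPT_PT0_E0_EvRS3_RS5_
+ void eat<int*, void Bar<short>()::{lambda(short*, auto:1*, auto:2*)#2}>(int*&, void Bar<short>()::{lambda(short*, auto:1*, auto:2*)#2}&)
++#
++# Tests write access violation PR70926
++
++0__Ot2m02R5T0000500000
++0__Ot2m02R5T0000500000
++#
++
++0__GT50000000000_
++0__GT50000000000_
++#
++
++__t2m05B500000000000000000_
++__t2m05B500000000000000000_
++#
++# Tests stack overflow PR71696
++
++__10%0__S4_0T0T0
++%0<>::%0(%0<>)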
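Review bot: The growth guard in `push_processed_type` does not prevent the overflow it is meant to catch: any `proctypevec_size` above `INT_MAX / 3` but not above `(INT_MAX / 3) * 2` passes the check, and `work->proctypevec_size * 3 / 2` then overflows `int` in the intermediate product, which is undefined behaviour. Keeping the guard and growing with `work->proctypevec_size += work->proctypevec_size / 2;` avoids the intermediate product. Separately, `delete_non_B_K_work_stuff` frees the vector and zeroes `proctypevec_size` but leaves `nproctypes` untouched, and `pop_processed_type` decrements with no lower bound; adding `work->nproctypes = 0;` next to the `free` would keep the three fields consistent if a path outside these hunks ever leaves pushes and pops unbalanced. Both are hardening points for the backport rather than demonstrated crashes, since the stack presumably only reaches such sizes at extreme nesting depth.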