diff options
| author | Erik Pilkington <erik.pilkington@gmail.com> | 2018-07-28 04:06:30 +0000 |
|---|---|---|
| committer | Erik Pilkington <erik.pilkington@gmail.com> | 2018-07-28 04:06:30 +0000 |
| commit | 256db4b799a7c6e01d5210099f403b1bf124e2ba (patch) | |
| tree | 303df3c8a45d0206a42694527ed93dbdf73785f0 | |
| parent | a6b5e0036128acfb0950f567cc83d351a5218fd6 (diff) | |
| download | bcm5719-llvm-256db4b799a7c6e01d5210099f403b1bf124e2ba.tar.gz bcm5719-llvm-256db4b799a7c6e01d5210099f403b1bf124e2ba.zip | |
[demangler] Fix an oss-fuzz bug from r338138
Stack overflow on invalid. While collapsing references, we were skipping over a
cycle check in ForwardTemplateReference leading to a stack overflow. This commit
fixes the problem by duplicating the cycle check in ReferenceType.
llvm-svn: 338190
| -rw-r--r-- | libcxxabi/src/cxa_demangle.cpp | 8 | ||||
| -rw-r--r-- | llvm/lib/Demangle/ItaniumDemangle.cpp | 8 |
2 files changed, 16 insertions, 0 deletions
diff --git a/libcxxabi/src/cxa_demangle.cpp b/libcxxabi/src/cxa_demangle.cpp index 08a2b2bf646..1007d7efaef 100644 --- a/libcxxabi/src/cxa_demangle.cpp +++ b/libcxxabi/src/cxa_demangle.cpp @@ -461,6 +461,8 @@ class ReferenceType : public Node { const Node *Pointee; ReferenceKind RK; + mutable bool Printing = false; + // Dig through any refs to refs, collapsing the ReferenceTypes as we go. The // rule here is rvalue ref to rvalue ref collapses to a rvalue ref, and any // other combination collapses to a lvalue ref. @@ -487,6 +489,9 @@ public: } void printLeft(OutputStream &s) const override { + if (Printing) + return; + SwapAndRestore<bool> SavePrinting(Printing, true); std::pair<ReferenceKind, const Node *> Collapsed = collapse(s); Collapsed.second->printLeft(s); if (Collapsed.second->hasArray(s)) @@ -497,6 +502,9 @@ public: s += (Collapsed.first == ReferenceKind::LValue ? "&" : "&&"); } void printRight(OutputStream &s) const override { + if (Printing) + return; + SwapAndRestore<bool> SavePrinting(Printing, true); std::pair<ReferenceKind, const Node *> Collapsed = collapse(s); if (Collapsed.second->hasArray(s) || Collapsed.second->hasFunction(s)) s += ")"; diff --git a/llvm/lib/Demangle/ItaniumDemangle.cpp b/llvm/lib/Demangle/ItaniumDemangle.cpp index 5bfd2e6ff87..72e4b56c05e 100644 --- a/llvm/lib/Demangle/ItaniumDemangle.cpp +++ b/llvm/lib/Demangle/ItaniumDemangle.cpp @@ -450,6 +450,8 @@ class ReferenceType : public Node { const Node *Pointee; ReferenceKind RK; + mutable bool Printing = false; + // Dig through any refs to refs, collapsing the ReferenceTypes as we go. The // rule here is rvalue ref to rvalue ref collapses to a rvalue ref, and any // other combination collapses to a lvalue ref. @@ -476,6 +478,9 @@ public: } void printLeft(OutputStream &s) const override { + if (Printing) + return; + SwapAndRestore<bool> SavePrinting(Printing, true); std::pair<ReferenceKind, const Node *> Collapsed = collapse(s); Collapsed.second->printLeft(s); if (Collapsed.second->hasArray(s)) @@ -486,6 +491,9 @@ public: s += (Collapsed.first == ReferenceKind::LValue ? "&" : "&&"); } void printRight(OutputStream &s) const override { + if (Printing) + return; + SwapAndRestore<bool> SavePrinting(Printing, true); std::pair<ReferenceKind, const Node *> Collapsed = collapse(s); if (Collapsed.second->hasArray(s) || Collapsed.second->hasFunction(s)) s += ")"; |
