diff options
author | Nico Weber <nicolasweber@gmx.de> | 2019-04-21 16:58:25 +0000 |
---|---|---|
committer | Nico Weber <nicolasweber@gmx.de> | 2019-04-21 16:58:25 +0000 |
commit | 8fc9902bbb0d48c75fe33627641f14c9c3e09e25 (patch) | |
tree | a24bb046dba5692a497126818da41f5b2c0663a8 /llvm/lib/Demangle | |
parent | 198ab6013678e35d6b6cbd9cefad84691ff358b2 (diff) | |
download | bcm5719-llvm-8fc9902bbb0d48c75fe33627641f14c9c3e09e25.tar.gz bcm5719-llvm-8fc9902bbb0d48c75fe33627641f14c9c3e09e25.zip |
llvm-undname: Fix stack overflow on almost-valid
If a unsigned with all 4 bytes non-0 was passed to outputHex(), there
were two off-by-ones in it:
- Both MaxPos and Pos left space for the final \0, which left the buffer
one byte to small. Set MaxPos to 16 instead of 15 to fix.
- The `assert(Pos >= 0);` was after a `Pos--`, move it up one line.
Since valid Unicode codepoints are <= 0x10ffff, this could never really
happen in practice.
Found by oss-fuzz.
llvm-svn: 358856
Diffstat (limited to 'llvm/lib/Demangle')
-rw-r--r-- | llvm/lib/Demangle/MicrosoftDemangle.cpp | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/llvm/lib/Demangle/MicrosoftDemangle.cpp b/llvm/lib/Demangle/MicrosoftDemangle.cpp index b421f2a7f93..01a742a874e 100644 --- a/llvm/lib/Demangle/MicrosoftDemangle.cpp +++ b/llvm/lib/Demangle/MicrosoftDemangle.cpp @@ -1071,17 +1071,17 @@ static void outputHex(OutputStream &OS, unsigned C) { char TempBuffer[17]; ::memset(TempBuffer, 0, sizeof(TempBuffer)); - constexpr int MaxPos = 15; + constexpr int MaxPos = sizeof(TempBuffer) - 1; - int Pos = MaxPos - 1; + int Pos = MaxPos - 1; // TempBuffer[MaxPos] is the terminating \0. while (C != 0) { for (int I = 0; I < 2; ++I) { writeHexDigit(&TempBuffer[Pos--], C % 16); C /= 16; } TempBuffer[Pos--] = 'x'; - TempBuffer[Pos--] = '\\'; assert(Pos >= 0); + TempBuffer[Pos--] = '\\'; } OS << StringView(&TempBuffer[Pos + 1]); } |