authorNico Weber <nicolasweber@gmx.de>2019-04-21 16:58:25 +0000
committerNico Weber <nicolasweber@gmx.de>2019-04-21 16:58:25 +0000
commit8fc9902bbb0d48c75fe33627641f14c9c3e09e25 (patch)
treea24bb046dba5692a497126818da41f5b2c0663a8 /llvm/lib/Demangle
parent198ab6013678e35d6b6cbd9cefad84691ff358b2 (diff)
downloadbcm5719-llvm-8fc9902bbb0d48c75fe33627641f14c9c3e09e25.tar.gz
bcm5719-llvm-8fc9902bbb0d48c75fe33627641f14c9c3e09e25.zip
llvm-undname: Fix stack overflow on almost-valid
If an unsigned with all 4 bytes non-0 was passed to outputHex(), there were two off-by-ones in it: - Both MaxPos and Pos left space for the final \0, which left the buffer one byte too small. Set MaxPos to 16 instead of 15 to fix. - The `assert(Pos >= 0);` was after a `Pos--`, move it up one line. Since valid Unicode codepoints are <= 0x10ffff, this could never really happen in practice. Found by oss-fuzz. llvm-svn: 358856
Diffstat (limited to 'llvm/lib/Demangle')
-rw-r--r--llvm/lib/Demangle/MicrosoftDemangle.cpp6
1 files changed, 3 insertions, 3 deletions
diff --git a/llvm/lib/Demangle/MicrosoftDemangle.cpp b/llvm/lib/Demangle/MicrosoftDemangle.cpp
index b421f2a7f93..01a742a874e 100644
--- a/llvm/lib/Demangle/MicrosoftDemangle.cpp
+++ b/llvm/lib/Demangle/MicrosoftDemangle.cpp
@@ -1071,17 +1071,17 @@ static void outputHex(OutputStream &OS, unsigned C) {
char TempBuffer[17];
::memset(TempBuffer, 0, sizeof(TempBuffer));
- constexpr int MaxPos = 15;
+ constexpr int MaxPos = sizeof(TempBuffer) - 1;
- int Pos = MaxPos - 1;
+ int Pos = MaxPos - 1; // TempBuffer[MaxPos] is the terminating \0.
while (C != 0) {
for (int I = 0; I < 2; ++I) {
writeHexDigit(&TempBuffer[Pos--], C % 16);
C /= 16;
}
TempBuffer[Pos--] = 'x';
- TempBuffer[Pos--] = '\\';
assert(Pos >= 0);
+ TempBuffer[Pos--] = '\\';
}
OS << StringView(&TempBuffer[Pos + 1]);
}
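Review bot: The only runtime bound on `Pos` is still `assert(Pos >= 0)`, which is compiled out in NDEBUG builds, so in release binaries the writes into `TempBuffer` are safe only because of arithmetic that the code never states. Each byte of `C` emits four characters (`\xNN`), so a 4-byte `unsigned` needs exactly 16 bytes plus the terminator, and the literal `17` in `char TempBuffer[17];` encodes that silently. Since this path handles fuzzer-reachable mangled names, I would pin the invariant at compile time next to the declaration: `static_assert(sizeof(TempBuffer) >= 4 * sizeof(unsigned) + 1, "TempBuffer too small");`. A short comment there explaining the "4 chars per byte + NUL" sizing would also help the next reader. The opening of outputHex lies above the hunk, so this is based on the visible lines only.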