From 256db4b799a7c6e01d5210099f403b1bf124e2ba Mon Sep 17 00:00:00 2001
From: Erik Pilkington
Date: Sat, 28 Jul 2018 04:06:30 +0000
Subject: [demangler] Fix an oss-fuzz bug from r338138

Stack overflow on invalid.

While collapsing references, we were skipping over a cycle check in ForwardTemplateReference leading to a stack overflow. This commit fixes the problem by duplicating the cycle check in ReferenceType.

llvm-svn: 338190
---
 llvm/lib/Demangle/ItaniumDemangle.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'llvm/lib')

diff --git a/llvm/lib/Demangle/ItaniumDemangle.cpp b/llvm/lib/Demangle/ItaniumDemangle.cpp
index 5bfd2e6ff87..72e4b56c05e 100644
--- a/llvm/lib/Demangle/ItaniumDemangle.cpp
+++ b/llvm/lib/Demangle/ItaniumDemangle.cpp
@@ -450,6 +450,8 @@ class ReferenceType : public Node {
   const Node *Pointee;
   ReferenceKind RK;
 
+  mutable bool Printing = false;
+
   // Dig through any refs to refs, collapsing the ReferenceTypes as we go. The
   // rule here is rvalue ref to rvalue ref collapses to a rvalue ref, and any
   // other combination collapses to a lvalue ref.
@@ -476,6 +478,9 @@ public:
   }
 
   void printLeft(OutputStream &s) const override {
+    if (Printing)
+      return;
+    SwapAndRestore SavePrinting(Printing, true);
     std::pair Collapsed = collapse(s);
     Collapsed.second->printLeft(s);
     if (Collapsed.second->hasArray(s))
@@ -486,6 +491,9 @@ public:
     s += (Collapsed.first == ReferenceKind::LValue ? "&" : "&&");
   }
   void printRight(OutputStream &s) const override {
+    if (Printing)
+      return;
+    SwapAndRestore SavePrinting(Printing, true);
     std::pair Collapsed = collapse(s);
     if (Collapsed.second->hasArray(s) || Collapsed.second->hasFunction(s))
       s += ")";
-- 
cgit v1.2.3
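Review bot: The re-entrancy guard added at the top of printLeft (and, identically, printRight in the third hunk) stops the recursion only at the print entry points; `collapse(s)` on the very next line still walks the pointee chain, and the hunk does not show whether that walk has its own termination condition when a reference cycles through a ForwardTemplateReference, so a regression test with the oss-fuzz input that covers collapse() as well would confirm the fix is complete. The new `Printing` member in the first hunk carries no comment explaining why a const print path needs mutable state; a one-liner such as `// Set while this node is being printed; a re-entrant print means a reference cycle in invalid input, which we cut short instead of recursing.` would document the invariant. Because the early return emits nothing, a cyclic reference now demangles to truncated output rather than a failure; if callers rely on the demangler to reject malformed input, that silent result is worth a note in the commit message or at the guard. The duplicated three-line guard in printLeft and printRight could also be folded into a small private helper, though the existing code keeps the same pattern inline. Both printLeft and printRight continue past the end of their hunks.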