debian/0000775000000000000000000000000013117542426007175 5ustar debian/control0000664000000000000000000000144013115775673010611 0ustar Source: libiberty Section: libdevel Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian GCC Maintainers Uploaders: Matthias Klose Build-Depends: debhelper (>= 8.0.0) Standards-Version: 3.9.4 Homepage: http://gcc.gnu.org/ Package: libiberty-dev Architecture: any Multi-Arch: same Depends: ${shlibs:Depends}, ${misc:Depends} Description: library of utility functions used by GNU programs The libib library is a collection of subroutines used by various GNU programs, which are missing or broken on some systems. . This library shouldn't be used by other software, but unfortunately already is. There is no guaranty for a stable library API, and no shared library is provided. debian/README.source0000664000000000000000000000046512241753361011360 0ustar libiberty for Debian -------------------- The source is a copy from the GCC upstream tree, consisting of the following files and subdirectories config.guess config.sub install-sh mkinstalldirs config/ include/ libiberty/ -- Matthias Klose Sat, 16 Nov 2013 19:30:20 +0000 debian/changelog0000664000000000000000000000436713117542426011061 0ustar libiberty (20131116-1ubuntu0.2) trusty-security; urgency=medium * SECURITY UPDATE: integer overflow in string_appends - debian/patches/CVE-2016-2226.patch: check for overflow in libiberty/cplus-dem.c. - CVE-2016-2226 * SECURITY UPDATE: use-after-free vulnerabilities - debian/patches/CVE-2016-4487_4488.patch: set bsize and ksize in libiberty/cplus-dem.c, added test to libiberty/testsuite/demangle-expected. - CVE-2016-4487 - CVE-2016-4488 * SECURITY UPDATE: integer overflow in gnu_special - debian/patches/CVE-2016-4489.patch: handle case where consume_count returns -1 in libiberty/cplus-dem.c. 
- CVE-2016-4489 * SECURITY UPDATE: integer overflow after sanity checks - debian/patches/CVE-2016-4490.patch: parse numbers as integer instead of long in libiberty/cp-demangle.c, added test to libiberty/testsuite/demangle-expected. - CVE-2016-4490 * SECURITY UPDATE: denial of service via infinite recursion - debian/patches/CVE-2016-4491-pre.patch: limit recursion in libiberty/cp-demangle.c, added test to libiberty/testsuite/demangle-expected. - debian/patches/CVE-2016-4491-1.patch: limit recursion in include/demangle.h, libiberty/cp-demangle.c, libiberty/cp-demint.c, added test to libiberty/testsuite/demangle-expected. - debian/patches/CVE-2016-4491-2.patch: limit more recursion in libiberty/cp-demangle.c. - debian/patches/CVE-2016-4491-3.patch: initialize d_printing in libiberty/cp-demangle.c. - CVE-2016-4491 * SECURITY UPDATE: buffer overflow in do_type - debian/patches/CVE-2016-4492_4493.patch: properly handle large values and overflow in libiberty/cplus-dem.c, added test to libiberty/testsuite/demangle-expected. - CVE-2016-4492 - CVE-2016-4493 * SECURITY UPDATE: denial of service via infinite recursion - debian/patches/CVE-2016-6131.patch: prevent infinite recursion in libiberty/cplus-dem.c, added test to libiberty/testsuite/demangle-expected. - CVE-2016-6131 -- Marc Deslauriers Mon, 12 Jun 2017 12:44:40 -0400 libiberty (20131116-1) unstable; urgency=low * Initial release. -- Matthias Klose Sat, 16 Nov 2013 19:30:20 +0000 debian/source/0000775000000000000000000000000012241743716010477 5ustar debian/source/format0000664000000000000000000000001412241743716011705 0ustar 3.0 (quilt) debian/compat0000664000000000000000000000000212241744714010374 0ustar 7 debian/patches/0000775000000000000000000000000013117542366010627 5ustar debian/patches/CVE-2016-4491-3.patch0000664000000000000000000000576013117542366013422 0ustar From cb987b84fd492260ef448988dec9f3fe377c4e23 Mon Sep 17 00:00:00 2001 
From: mark Date: Mon, 13 Mar 2017 18:26:47 +0000 Subject: [PATCH] libiberty: Initialize d_printing in all cplus_demangle_fill_* functions. While integrating the d_printing recursion guard change into gdb I noticed we forgot to initialize the demangle_component d_printing field in cplus_demangle_fill_{name,extended_operator,ctor,dtor}. As is done in cplus_demangle_fill_{component,builtin_type,operator}. It happened to work because in gcc all demangle_components were allocated through d_make_empty. But gdb has its own allocation mechanism (as might other users). libiberty/ChangeLog: * cp-demangle.c (cplus_demangle_fill_name): Initialize demangle_component d_printing. (cplus_demangle_fill_extended_operator): Likewise. (cplus_demangle_fill_ctor): Likewise. (cplus_demangle_fill_dtor): Likewise. git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@246105 138bc75d-0d04-0410-961f-82ee72b054a4 --- libiberty/ChangeLog | 8 ++++++++ libiberty/cp-demangle.c | 4 ++++ 2 files changed, 12 insertions(+) #diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog #index e93e327749da..b513fcefe3ef 100644 #--- a/libiberty/ChangeLog #+++ b/libiberty/ChangeLog #@@ -1,3 +1,11 @@ #+2017-03-12 Mark Wielaard #+ #+ * cp-demangle.c (cplus_demangle_fill_name): Initialize #+ demangle_component d_printing. #+ (cplus_demangle_fill_extended_operator): Likewise. #+ (cplus_demangle_fill_ctor): Likewise. #+ (cplus_demangle_fill_dtor): Likewise. #+ # 2017-03-08 Mark Wielaard # # PR demangler/70909 Index: libiberty-20131116/libiberty/cp-demangle.c =================================================================== --- libiberty-20131116.orig/libiberty/cp-demangle.c 2017-06-12 12:44:36.558960373 -0400 +++ libiberty-20131116/libiberty/cp-demangle.c 2017-06-12 12:44:36.554960324 -0400 @@ -781,6 +781,7 @@ cplus_demangle_fill_name (struct demangl { if (p == NULL || s == NULL || len == 0) return 0; + p->d_printing = 0; p->type = DEMANGLE_COMPONENT_NAME; p->u.s_name.s = s; p->u.s_name.len = len; 
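Review bot: The added `p->d_printing = 0;` in cplus_demangle_fill_name carries no comment, and the same bare line is repeated in the cplus_demangle_fill_extended_operator, cplus_demangle_fill_ctor and cplus_demangle_fill_dtor hunks that follow. The commit message explains that callers such as gdb allocate demangle_component themselves, so without this assignment the recursion guard field starts out uninitialized; that reason belongs next to the code. I would add `/* Callers may allocate P themselves, so clear the printer's recursion guard here. */` above the first assignment and keep the wording identical in the other three. Each function body starts and ends outside its hunk.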
@@ -796,6 +797,7 @@ cplus_demangle_fill_extended_operator (s { if (p == NULL || args < 0 || name == NULL) return 0; + p->d_printing = 0; p->type = DEMANGLE_COMPONENT_EXTENDED_OPERATOR; p->u.s_extended_operator.args = args; p->u.s_extended_operator.name = name; @@ -815,6 +817,7 @@ cplus_demangle_fill_ctor (struct demangl || (int) kind < gnu_v3_complete_object_ctor || (int) kind > gnu_v3_object_ctor_group) return 0; + p->d_printing = 0; p->type = DEMANGLE_COMPONENT_CTOR; p->u.s_ctor.kind = kind; p->u.s_ctor.name = name; @@ -834,6 +837,7 @@ cplus_demangle_fill_dtor (struct demangl || (int) kind < gnu_v3_deleting_dtor || (int) kind > gnu_v3_object_dtor_group) return 0; + p->d_printing = 0; p->type = DEMANGLE_COMPONENT_DTOR; p->u.s_dtor.kind = kind; p->u.s_dtor.name = name; debian/patches/CVE-2016-4489.patch0000664000000000000000000000305413115773562013265 0ustar From 053ec2207203a194d2ae82e2f164009aad3f14d2 Mon Sep 17 00:00:00 2001 
From: bernds Date: Fri, 8 Apr 2016 12:06:59 +0000 Subject: [PATCH] =?utf8?q?Handle=20an=20overflow=20case=20(PR70498,=20patc?= =?utf8?q?h=20by=20Marcel=20B=C3=B6hme).?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit PR c++/70498 * cplus-dem.c (gnu_special): Handle case where consume_count returns -1. git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234828 138bc75d-0d04-0410-961f-82ee72b054a4 --- libiberty/ChangeLog | 6 ++++++ libiberty/cplus-dem.c | 5 +++++ 2 files changed, 11 insertions(+) #diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog #index 1e59c53..8e82a5f 100644 #--- a/libiberty/ChangeLog #+++ b/libiberty/ChangeLog #@@ -1,3 +1,9 @@ #+2016-04-08 Marcel Böhme #+ #+ PR c++/70498 #+ * cplus-dem.c (gnu_special): Handle case where consume_count returns #+ -1. #+ # 2016-03-31 Mikhail Maltsev # Marcel Bohme boehme.marcel@gmail.com # Index: libiberty-20131116/libiberty/cplus-dem.c =================================================================== --- libiberty-20131116.orig/libiberty/cplus-dem.c 2017-06-07 08:54:07.891182731 -0400 +++ libiberty-20131116/libiberty/cplus-dem.c 2017-06-07 08:54:07.887182701 -0400 @@ -2990,6 +2990,11 @@ gnu_special (struct work_stuff *work, co success = 1; break; } + else if (n == -1) + { + success = 0; + break; + } } else { debian/patches/CVE-2016-2226.patch0000664000000000000000000000602113115773366013247 0ustar From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001 
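Review bot: The new `else if (n == -1)` branch in gnu_special is not covered by any test: the diffstat touches only ChangeLog and cplus-dem.c, while the other cplus-dem.c fixes in this series add a case to libiberty/testsuite/demangle-expected. A regression entry for PR70498 would keep the overflow path from silently regressing. The branch also matches only the exact sentinel; if consume_count can hand back any other negative value (its body is not visible here), `else if (n < 0)` is the safer test. A one-line comment such as `/* consume_count signals overflow with -1; do not treat it as a length. */` would document the intent. gnu_special starts and ends outside the hunk.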
From: bernds Date: Fri, 8 Apr 2016 12:10:21 +0000 Subject: [PATCH] =?utf8?q?Fix=20memory=20allocation=20size=20overflows=20(?= =?utf8?q?PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit PR c++/69687 * cplus-dem.c: Include if available. (INT_MAX): Define if necessary. (remember_type, remember_Ktype, register_Btype, string_need): Abort if we detect cases where we the size of the allocation would overflow. git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4 --- libiberty/ChangeLog | 7 +++++++ libiberty/cplus-dem.c | 15 +++++++++++++++ 2 files changed, 22 insertions(+) #diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog #index 8e82a5f..2a34356 100644 #--- a/libiberty/ChangeLog #+++ b/libiberty/ChangeLog #@@ -1,5 +1,12 @@ # 2016-04-08 Marcel Böhme # #+ PR c++/69687 #+ * cplus-dem.c: Include if available. #+ (INT_MAX): Define if necessary. #+ (remember_type, remember_Ktype, register_Btype, string_need): #+ Abort if we detect cases where we the size of the allocation would #+ overflow. #+ # PR c++/70498 # * cplus-dem.c (gnu_special): Handle case where consume_count returns # -1. Index: libiberty-20131116/libiberty/cplus-dem.c =================================================================== --- libiberty-20131116.orig/libiberty/cplus-dem.c 2017-06-07 08:52:04.572468201 -0400 +++ libiberty-20131116/libiberty/cplus-dem.c 2017-06-07 08:52:04.572468201 -0400 @@ -56,6 +56,13 @@ void * malloc (); void * realloc (); #endif +#ifdef HAVE_LIMITS_H +#include +#endif +#ifndef INT_MAX +# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */ +#endif + #include #undef CURRENT_DEMANGLING_STYLE #define CURRENT_DEMANGLING_STYLE work->options 
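Review bot: The fallback `# define INT_MAX (int)(((unsigned int) ~0) >> 1)` is not wrapped in outer parentheses, so it relies on the cast binding tighter than whatever operator follows it at the use site. The uses added by this patch (`INT_MAX / 2`, `INT_MAX / 2 - tem`) parse as intended, but `# define INT_MAX ((int) (((unsigned int) ~0) >> 1))` is the conventional form and stays correct for any later use. The trailing `/* 0x7FFFFFFF */` comment only holds where int is 32 bits wide; I would either drop the literal or say so.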
@@ -4231,6 +4238,8 @@ remember_type (struct work_stuff *work, } else { + if (work -> typevec_size > INT_MAX / 2) + xmalloc_failed (INT_MAX); work -> typevec_size *= 2; work -> typevec = XRESIZEVEC (char *, work->typevec, work->typevec_size); @@ -4258,6 +4267,8 @@ remember_Ktype (struct work_stuff *work, } else { + if (work -> ksize > INT_MAX / 2) + xmalloc_failed (INT_MAX); work -> ksize *= 2; work -> ktypevec = XRESIZEVEC (char *, work->ktypevec, work->ksize); @@ -4287,6 +4298,8 @@ register_Btype (struct work_stuff *work) } else { + if (work -> bsize > INT_MAX / 2) + xmalloc_failed (INT_MAX); work -> bsize *= 2; work -> btypevec = XRESIZEVEC (char *, work->btypevec, work->bsize); @@ -4741,6 +4754,8 @@ string_need (string *s, int n) else if (s->e - s->p < n) { tem = s->p - s->b; + if (n > INT_MAX / 2 - tem) + xmalloc_failed (INT_MAX); n += tem; n *= 2; s->b = XRESIZEVEC (char, s->b, n); debian/patches/CVE-2016-4492_4493.patch0000664000000000000000000000676213115773761013754 0ustar From b6616075cb48d42a28cc78ca1c66127b671b361c Mon Sep 17 00:00:00 2001 
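Review bot: The guard `work -> typevec_size > INT_MAX / 2` in remember_type only keeps the int doubling from wrapping; it does not bound the byte count handed to the allocator. If XRESIZEVEC multiplies the element count by `sizeof (char *)` (its definition is not in this hunk), a count that passes the check can still wrap size_t on a target where size_t is no wider than int, and the vector would then be indexed past a short allocation. The same applies to the remember_Ktype and register_Btype hunks; string_need resizes a char buffer and is not affected. Comparing against `INT_MAX / 2 / (int) sizeof (char *)` would cover both cases. Per the ChangeLog entry these paths abort via xmalloc_failed, so a hostile symbol name now terminates the process; callers that demangle untrusted input should expect that.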
From: law Date: Wed, 13 Jul 2016 22:06:09 +0000 Subject: [PATCH] PR c++/70926 * cplus-dem.c: Handle large values and overflow when demangling length variables. (demangle_template_value_parm): Read only until end of mangled string. (do_hpacc_template_literal): Likewise. (do_type): Handle overflow when demangling array indices. git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@238313 138bc75d-0d04-0410-961f-82ee72b054a4 --- libiberty/ChangeLog | 9 +++++++++ libiberty/cplus-dem.c | 10 ++++++---- libiberty/testsuite/demangle-expected | 13 +++++++++++++ 3 files changed, 28 insertions(+), 4 deletions(-) #diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog #index 45b312b..317bd63 100644 #--- a/libiberty/ChangeLog #+++ b/libiberty/ChangeLog #@@ -1,3 +1,12 @@ #+2016-07-13 Marcel BÃhme #+ #+ PR c++/70926 #+ * cplus-dem.c: Handle large values and overflow when demangling #+ length variables. #+ (demangle_template_value_parm): Read only until end of mangled string. #+ (do_hpacc_template_literal): Likewise. #+ (do_type): Handle overflow when demangling array indices. #+ # 2016-06-12 Brooks Moses # # * cp-demangle.c (cplus_demangle_print_callback): Avoid zero-length Index: libiberty-20131116/libiberty/cplus-dem.c =================================================================== --- libiberty-20131116.orig/libiberty/cplus-dem.c 2017-06-07 08:56:15.093769211 -0400 +++ libiberty-20131116/libiberty/cplus-dem.c 2017-06-07 08:56:15.061752942 -0400 @@ -2033,7 +2033,8 @@ demangle_template_value_parm (struct wor else { int symbol_len = consume_count (mangled); - if (symbol_len == -1) + if (symbol_len == -1 + || symbol_len > (long) strlen (*mangled)) return -1; if (symbol_len == 0) string_appendn (s, "0", 1); @@ -3593,7 +3594,7 @@ do_type (struct work_stuff *work, const /* A back reference to a previously seen type */ case 'T': (*mangled)++; - if (!get_count (mangled, &n) || n >= work -> ntypes) + if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes) { success = 0; } 
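Review bot: The added `symbol_len > (long) strlen (*mangled)` test in demangle_template_value_parm has no comment saying what it protects against. The commit message gives the reason (read only until the end of the mangled string); a line such as `/* Reject lengths that run past the end of the mangled input. */` above the test would keep that with the code. The do_hpacc_template_literal hunk adds the same comparison for `literal_len` and wants the same comment. Both functions continue outside their hunks.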
@@ -3768,7 +3769,7 @@ do_type (struct work_stuff *work, const /* A back reference to a previously seen squangled type */ case 'B': (*mangled)++; - if (!get_count (mangled, &n) || n >= work -> numb) + if (!get_count (mangled, &n) || n < 0 || n >= work -> numb) success = 0; else string_append (result, work->btypevec[n]); @@ -4109,7 +4110,8 @@ do_hpacc_template_literal (struct work_s literal_len = consume_count (mangled); - if (literal_len <= 0) + if (literal_len <= 0 + || literal_len > (long) strlen (*mangled)) return 0; /* Literal parameters are names of arrays, functions, etc. and the Index: libiberty-20131116/libiberty/testsuite/demangle-expected =================================================================== --- libiberty-20131116.orig/libiberty/testsuite/demangle-expected 2017-06-07 08:56:15.093769211 -0400 +++ libiberty-20131116/libiberty/testsuite/demangle-expected 2017-06-07 08:56:15.085765144 -0400 @@ -4317,3 +4317,16 @@ __vt_90000000000cafebabe _Z80800000000000000000000 _Z80800000000000000000000 +# +# Tests write access violation PR70926 + +0__Ot2m02R5T0000500000 +0__Ot2m02R5T0000500000 +# + +0__GT50000000000_ +0__GT50000000000_ +# + +__t2m05B500000000000000000_ +__t2m05B500000000000000000_ debian/patches/series0000664000000000000000000000033413117542363012041 0ustar CVE-2016-2226.patch CVE-2016-4487_4488.patch CVE-2016-4489.patch CVE-2016-4490.patch CVE-2016-4492_4493.patch CVE-2016-6131.patch CVE-2016-4491-pre.patch CVE-2016-4491-1.patch CVE-2016-4491-2.patch CVE-2016-4491-3.patch debian/patches/CVE-2016-4487_4488.patch0000664000000000000000000001476713115773536013770 0ustar Backport of: From be3004dc350a820a5b0320b34bd05673ba534058 Mon Sep 17 00:00:00 2001 
From: law Date: Thu, 31 Mar 2016 17:20:53 +0000 Subject: [PATCH] * cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing btypevec/ktypevec. * testsuite/demangle-expected: Add coverage tests. git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234645 138bc75d-0d04-0410-961f-82ee72b054a4 --- libiberty/ChangeLog | 7 +++++++ libiberty/cplus-dem.c | 2 ++ libiberty/testsuite/demangle-expected | 10 ++++++++++ 3 files changed, 19 insertions(+) #diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog #index d11f4ce..b4054bd 100644 #--- a/libiberty/ChangeLog #+++ b/libiberty/ChangeLog #@@ -1,3 +1,10 @@ #+2016-03-31 Mikhail Maltsev #+ Marcel Bohme boehme.marcel@gmail.com #+ #+ * cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing #+ btypevec/ktypevec. #+ * testsuite/demangle-expected: Add coverage tests. #+ # 2016-01-27 Iain Buclaw # # * d-demangle.c (dlang_call_convention): Handle extern Objective-C Index: libiberty-20131116/libiberty/cplus-dem.c =================================================================== --- libiberty-20131116.orig/libiberty/cplus-dem.c 2017-06-07 08:52:15.732553365 -0400 +++ libiberty-20131116/libiberty/cplus-dem.c 2017-06-07 08:53:07.941164603 -0400 @@ -1225,10 +1225,14 @@ squangle_mop_up (struct work_stuff *work if (work -> btypevec != NULL) { free ((char *) work -> btypevec); + work->btypevec = NULL; + work->bsize = 0; } if (work -> ktypevec != NULL) { free ((char *) work -> ktypevec); + work->ktypevec = NULL; + work->ksize = 0; } } Index: libiberty-20131116/libiberty/testsuite/demangle-expected =================================================================== --- libiberty-20131116.orig/libiberty/testsuite/demangle-expected 2017-06-07 08:52:15.732553365 -0400 +++ libiberty-20131116/libiberty/testsuite/demangle-expected 2017-06-07 08:53:26.557425411 -0400 
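Review bot: squangle_mop_up now clears btypevec/bsize and ktypevec/ksize, but the element counts that index those vectors are not touched in the visible lines. The do_type back-reference case elsewhere in this series bounds its index with `n >= work -> numb` before reading `work->btypevec[n]`, so a stale non-zero count next to a NULL vector would trade the use-after-free for a NULL dereference. If the part of squangle_mop_up above the hunk does not already reset them, add `work->numb = 0;` and the ktypevec counterpart next to the new assignments. A short comment that the work_stuff can be reused after mop-up would explain why the fields are cleared at all.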
@@ -4297,3 +4297,13 @@ void f() --format=gnu-v3 _ZSt7forwardIRN1x14refobjiteratorINS0_3refINS0_4mime30multipart_section_processorObjIZ15get_body_parserIZZN14mime_processor21make_section_iteratorERKNS2_INS3_10sectionObjENS0_10ptrrefBaseEEEbENKUlvE_clEvEUlSB_bE_ZZNS6_21make_section_iteratorESB_bENKSC_clEvEUlSB_E0_ENS1_INS2_INS0_20outputrefiteratorObjIiEES8_EEEERKSsSB_OT_OT0_EUlmE_NS3_32make_multipart_default_discarderISP_EEEES8_EEEEEOT_RNSt16remove_referenceISW_E4typeE x::refobjiterator, x::ptrrefBase> > get_body_parser const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}>(std::string const&, x::ref const&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}&&)::{lambda(unsigned long)#1}, x::mime::make_multipart_default_discarder const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&> >, x::ptrrefBase> >& std::forward, x::ptrrefBase> > get_body_parser const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}>(std::string const&, x::ref const&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}&&)::{lambda(unsigned long)#1}, x::mime::make_multipart_default_discarder const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&> >, x::ptrrefBase> >&>(std::remove_reference, x::ptrrefBase> > get_body_parser const&, bool)::{lambda()#1}::operator()() 
const::{lambda(x::ref const&, bool)#1}, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}>(std::string const&, x::ref const&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}&&)::{lambda(unsigned long)#1}, x::mime::make_multipart_default_discarder const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&> > >::type&) +# +# Tests a use-after-free problem + +_Q.__0 +::Q.(void) +# +# Tests a use-after-free problem + +_Q10-__9cafebabe. +cafebabe.::-(void) debian/patches/CVE-2016-6131.patch0000664000000000000000000001717613115773771013263 0ustar From ebcc31144416b524ea556708c32304c53b439724 Mon Sep 17 00:00:00 2001 
From: law Date: Thu, 4 Aug 2016 16:53:18 +0000 Subject: [PATCH] =?utf8?q?2016-08-04=20=20Marcel=20B=C3=B6hme=20=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit PR c++/71696 * cplus-dem.c: Prevent infinite recursion when there is a cycle in the referencing of remembered mangled types. (work_stuff): New stack to keep track of the remembered mangled types that are currently being processed. (push_processed_type): New method to push currently processed remembered type onto the stack. (pop_processed_type): New method to pop currently processed remembered type from the stack. (work_stuff_copy_to_from): Copy values of new variables. (delete_non_B_K_work_stuff): Free stack memory. (demangle_args): Push/Pop currently processed remembered type. (do_type): Do not demangle a cyclic reference and push/pop referenced remembered type. git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@239143 138bc75d-0d04-0410-961f-82ee72b054a4 --- libiberty/ChangeLog | 19 ++++++++- libiberty/cplus-dem.c | 80 ++++++++++++++++++++++++++++++++--- libiberty/testsuite/demangle-expected | 5 +++ 3 files changed, 97 insertions(+), 7 deletions(-) #diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog #index a2e49a1..e7ff8c3 100644 #--- a/libiberty/ChangeLog #+++ b/libiberty/ChangeLog #@@ -1,3 +1,20 @@ #+2016-08-04 Marcel Böhme #+ #+ PR c++/71696 #+ * cplus-dem.c: Prevent infinite recursion when there is a cycle #+ in the referencing of remembered mangled types. #+ (work_stuff): New stack to keep track of the remembered mangled #+ types that are currently being processed. #+ (push_processed_type): New method to push currently processed #+ remembered type onto the stack. #+ (pop_processed_type): New method to pop currently processed #+ remembered type from the stack. #+ (work_stuff_copy_to_from): Copy values of new variables. #+ (delete_non_B_K_work_stuff): Free stack memory. #+ (demangle_args): Push/Pop currently processed remembered type. 
#+ (do_type): Do not demangle a cyclic reference and push/pop #+ referenced remembered type. #+ # 2016-07-29 Aldy Hernandez # # * make-relative-prefix.c (make_relative_prefix_1): Fall back to #@@ -16,7 +33,7 @@ # (d_template_args_1): Split out from d_template_args. # (d_args_length): New. # #-2016-07-13 Marcel BÃhme #+2016-07-13 Marcel Böhme # # PR c++/70926 # * cplus-dem.c: Handle large values and overflow when demangling Index: libiberty-20131116/libiberty/cplus-dem.c =================================================================== --- libiberty-20131116.orig/libiberty/cplus-dem.c 2017-06-07 08:56:23.651420049 -0400 +++ libiberty-20131116/libiberty/cplus-dem.c 2017-06-07 08:56:23.631422317 -0400 @@ -144,6 +144,9 @@ struct work_stuff string* previous_argument; /* The last function argument demangled. */ int nrepeats; /* The number of times to repeat the previous argument. */ + int *proctypevec; /* Indices of currently processed remembered typevecs. */ + int proctypevec_size; + int nproctypes; }; #define PRINT_ANSI_QUALIFIERS (work -> options & DMGL_ANSI) @@ -429,6 +432,10 @@ iterate_demangle_function (struct work_s static void remember_type (struct work_stuff *, const char *, int); +static void push_processed_type (struct work_stuff *, int); + +static void pop_processed_type (struct work_stuff *); + static void remember_Btype (struct work_stuff *, const char *, int, int); static int register_Btype (struct work_stuff *); @@ -1283,6 +1290,10 @@ work_stuff_copy_to_from (struct work_stu memcpy (to->btypevec[i], from->btypevec[i], len); } + if (from->proctypevec) + to->proctypevec = + XDUPVEC (int, from->proctypevec, from->proctypevec_size); + if (from->ntmpl_args) to->tmpl_argvec = XNEWVEC (char *, from->ntmpl_args); 
@@ -1311,11 +1322,17 @@ delete_non_B_K_work_stuff (struct work_s /* Discard the remembered types, if any. */ forget_types (work); - if (work -> typevec != NULL) + if (work->typevec != NULL) { - free ((char *) work -> typevec); - work -> typevec = NULL; - work -> typevec_size = 0; + free ((char *) work->typevec); + work->typevec = NULL; + work->typevec_size = 0; + } + if (work->proctypevec != NULL) + { + free (work->proctypevec); + work->proctypevec = NULL; + work->proctypevec_size = 0; } if (work->tmpl_argvec) { @@ -3535,6 +3552,8 @@ static int do_type (struct work_stuff *work, const char **mangled, string *result) { int n; + int i; + int is_proctypevec; int done; int success; string decl; @@ -3547,6 +3566,7 @@ do_type (struct work_stuff *work, const done = 0; success = 1; + is_proctypevec = 0; while (success && !done) { int member; @@ -3599,8 +3619,15 @@ do_type (struct work_stuff *work, const success = 0; } else - { - remembered_type = work -> typevec[n]; + for (i = 0; i < work->nproctypes; i++) + if (work -> proctypevec [i] == n) + success = 0; + + if (success) + { + is_proctypevec = 1; + push_processed_type (work, n); + remembered_type = work->typevec[n]; mangled = &remembered_type; } break; @@ -3820,6 +3847,9 @@ do_type (struct work_stuff *work, const string_delete (result); string_delete (&decl); + if (is_proctypevec) + pop_processed_type (work); + if (success) /* Assume an integral type, if we're not sure. */ return (int) ((tk == tk_none) ? tk_integral : tk); 
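Review bot: The new block in delete_non_B_K_work_stuff frees proctypevec and zeroes proctypevec_size but leaves nproctypes as it was. push_processed_type writes to `proctypevec [work->nproctypes++]` after allocating only four slots when the size is zero, and do_type scans `i < work->nproctypes`, so a non-zero count surviving this function would index a NULL or undersized vector on the next use. Add `work->nproctypes = 0;` alongside the other two resets. The function continues outside the hunk.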
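Review bot: In the case 'T' hunk of do_type, `is_proctypevec` is a flag, but push_processed_type is called every time the branch succeeds, and the single `pop_processed_type (work)` added at the end of the function undoes only one push. If the enclosing `while (success && !done)` loop can reach case 'T' again through the remembered type (the full loop body is outside the hunk), each extra push stays on the stack and later references to that type are rejected as cyclic. Counting instead, with `is_proctypevec++;` at the push and `while (is_proctypevec-- > 0) pop_processed_type (work);` at the end, keeps the stack balanced. The cycle scan could also `break` on the first match.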
@@ -4233,6 +4263,41 @@ do_arg (struct work_stuff *work, const c } static void +push_processed_type (struct work_stuff *work, int typevec_index) +{ + if (work->nproctypes >= work->proctypevec_size) + { + if (!work->proctypevec_size) + { + work->proctypevec_size = 4; + work->proctypevec = XNEWVEC (int, work->proctypevec_size); + } + else + { + if (work->proctypevec_size < 16) + /* Double when small. */ + work->proctypevec_size *= 2; + else + { + /* Grow slower when large. */ + if (work->proctypevec_size > (INT_MAX / 3) * 2) + xmalloc_failed (INT_MAX); + work->proctypevec_size = (work->proctypevec_size * 3 / 2); + } + work->proctypevec + = XRESIZEVEC (int, work->proctypevec, work->proctypevec_size); + } + } + work->proctypevec [work->nproctypes++] = typevec_index; +} + +static void +pop_processed_type (struct work_stuff *work) +{ + work->nproctypes--; +} + +static void remember_type (struct work_stuff *work, const char *start, int len) { char *tem; @@ -4496,10 +4561,13 @@ demangle_args (struct work_stuff *work, { string_append (declp, ", "); } + push_processed_type (work, t); if (!do_arg (work, &tem, &arg)) { + pop_processed_type (work); return (0); } + pop_processed_type (work); if (PRINT_ARG_TYPES) { string_appends (declp, &arg); Index: libiberty-20131116/libiberty/testsuite/demangle-expected =================================================================== --- libiberty-20131116.orig/libiberty/testsuite/demangle-expected 2017-06-07 08:56:23.651420049 -0400 +++ libiberty-20131116/libiberty/testsuite/demangle-expected 2017-06-07 08:56:23.631422317 -0400 @@ -4330,3 +4330,8 @@ _Z80800000000000000000000 __t2m05B500000000000000000_ __t2m05B500000000000000000_ +# +# Tests stack overflow PR71696 + +__10%0__S4_0T0T0 +%0<>::%0(%0<>) debian/patches/CVE-2016-4491-pre.patch0000664000000000000000000004463313115775164014052 0ustar Backport of: From bb6c123500f8a6df2fdb5f91818ebdf7e67eaebe Mon Sep 17 00:00:00 2001 
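Review bot: In push_processed_type the growth guard `work->proctypevec_size > (INT_MAX / 3) * 2` is too loose for the expression it protects: `work->proctypevec_size * 3 / 2` multiplies first, so any size above INT_MAX / 3 overflows the signed int before the division. Either tighten the guard to `> INT_MAX / 3` or grow with `work->proctypevec_size += work->proctypevec_size / 2;`, which cannot overflow under the existing guard. pop_processed_type also decrements nproctypes unconditionally; checking that it is positive first would make an unbalanced pop fail loudly instead of producing a negative index on the next push.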
From: gary Date: Thu, 8 May 2014 09:13:44 +0000 Subject: [PATCH] libiberty/ 2014-05-08 Gary Benson * cp-demangle.c (struct d_component_stack): New structure. (struct d_print_info): New field component_stack. (d_print_init): Initialize the above. (d_print_comp_inner): Renamed from d_print_comp. Do not restore template stack if it would cause a loop. (d_print_comp): New function. * testsuite/demangle-expected: New test cases. git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@210205 138bc75d-0d04-0410-961f-82ee72b054a4 --- libiberty/ChangeLog | 10 ++++++ libiberty/cp-demangle.c | 60 +++++++++++++++++++++++++++++++---- libiberty/testsuite/demangle-expected | 26 +++++++++++++++ 3 files changed, 90 insertions(+), 6 deletions(-) #diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog #index d9a208b..335a47d 100644 #--- a/libiberty/ChangeLog #+++ b/libiberty/ChangeLog #@@ -1,3 +1,13 @@ #+2014-05-08 Gary Benson #+ #+ * cp-demangle.c (struct d_component_stack): New structure. #+ (struct d_print_info): New field component_stack. #+ (d_print_init): Initialize the above. #+ (d_print_comp_inner): Renamed from d_print_comp. #+ Do not restore template stack if it would cause a loop. #+ (d_print_comp): New function. #+ * testsuite/demangle-expected: New test cases. #+ # 2014-04-17 Jakub Jelinek # # PR sanitizer/56781 Index: libiberty-20131116/libiberty/cp-demangle.c =================================================================== --- libiberty-20131116.orig/libiberty/cp-demangle.c 2017-06-07 09:05:58.285998607 -0400 +++ libiberty-20131116/libiberty/cp-demangle.c 2017-06-07 09:05:58.285998607 -0400 
@@ -282,6 +282,16 @@ struct d_growable_string int allocation_failure; }; +/* Stack of components, innermost first, used to avoid loops. */ + +struct d_component_stack +{ + /* This component. */ + const struct demangle_component *dc; + /* This component's parent. */ + const struct d_component_stack *parent; +}; + /* A demangle component and some scope captured when it was first traversed. */ @@ -321,6 +331,8 @@ struct d_print_info int pack_index; /* Number of d_print_flush calls so far. */ unsigned long int flush_count; + /* Stack of components, innermost first, used to avoid loops. */ + const struct d_component_stack *component_stack; /* Array of saved scopes for evaluating substitutions. */ struct d_saved_scope *saved_scopes; /* Number of saved scopes in the above array. */ @@ -3690,6 +3702,8 @@ d_print_init (struct d_print_info *dpi, dpi->demangle_failure = 0; + dpi->component_stack = NULL; + dpi->saved_scopes = NULL; dpi->num_saved_scopes = 0; } @@ -3997,8 +4011,8 @@ d_copy_templates (struct d_print_info *d /* Subroutine to handle components. */ static void -d_print_comp (struct d_print_info *dpi, int options, - const struct demangle_component *dc) +d_print_comp_inner (struct d_print_info *dpi, int options, + const struct demangle_component *dc) { /* Magic variable to let reference smashing skip over the next modifier without needing to modify *dc. */ 
@@ -4415,11 +4429,30 @@ d_print_comp (struct d_print_info *dpi, } else { + const struct d_component_stack *dcse; + int found_self_or_parent = 0; + /* This traversal is reentering SUB as a substition. - Restore the original templates temporarily. */ - saved_templates = dpi->templates; - dpi->templates = scope->templates; - need_template_restore = 1; + If we are not beneath SUB or DC in the tree then we + need to restore SUB's template stack temporarily. */ + for (dcse = dpi->component_stack; dcse != NULL; + dcse = dcse->parent) + { + if (dcse->dc == sub + || (dcse->dc == dc + && dcse != dpi->component_stack)) + { + found_self_or_parent = 1; + break; + } + } + + if (!found_self_or_parent) + { + saved_templates = dpi->templates; + dpi->templates = scope->templates; + need_template_restore = 1; + } } a = d_lookup_template_argument (dpi, sub); @@ -5058,6 +5091,21 @@ d_print_comp (struct d_print_info *dpi, } } +static void +d_print_comp (struct d_print_info *dpi, int options, + const struct demangle_component *dc) +{ + struct d_component_stack self; + + self.dc = dc; + self.parent = dpi->component_stack; + dpi->component_stack = &self; + + d_print_comp_inner (dpi, options, dc); + + dpi->component_stack = self.parent; +} + /* Print a Java dentifier. For Java we try to handle encoded extended Unicode characters. The C++ ABI doesn't mention Unicode encoding, so we don't it for C++. Characters are encoded as Index: libiberty-20131116/libiberty/testsuite/demangle-expected =================================================================== --- libiberty-20131116.orig/libiberty/testsuite/demangle-expected 2017-06-07 09:05:58.285998607 -0400 +++ libiberty-20131116/libiberty/testsuite/demangle-expected 2017-06-07 09:06:44.190419812 -0400 
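Review bot: The new d_print_comp wrapper has no header comment; the old `/* Subroutine to handle components. */` now sits on d_print_comp_inner. Since the wrapper stores the address of the local `self` in `dpi->component_stack`, it is worth stating that the entry is valid only for the duration of the call and is unlinked before returning. Something like `/* Print DC, recording it on DPI's component stack for the duration of the call so the substitution case can detect re-entry. */` above the function would do. In the earlier hunk on this line, the comment word `substition` should read `substitution`.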
@@ -4294,6 +4294,7 @@ void n(void (A::* --format=gnu-v3 _ZL1fIiEvv void f() +# https://sourceware.org/bugzilla/show_bug.cgi?id=14963#c3 --format=gnu-v3 _ZSt7forwardIRN1x14refobjiteratorINS0_3refINS0_4mime30multipart_section_processorObjIZ15get_body_parserIZZN14mime_processor21make_section_iteratorERKNS2_INS3_10sectionObjENS0_10ptrrefBaseEEEbENKUlvE_clEvEUlSB_bE_ZZNS6_21make_section_iteratorESB_bENKSC_clEvEUlSB_E0_ENS1_INS2_INS0_20outputrefiteratorObjIiEES8_EEEERKSsSB_OT_OT0_EUlmE_NS3_32make_multipart_default_discarderISP_EEEES8_EEEEEOT_RNSt16remove_referenceISW_E4typeE x::refobjiterator, x::ptrrefBase> > get_body_parser const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}>(std::string const&, x::ref const&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}&&)::{lambda(unsigned long)#1}, x::mime::make_multipart_default_discarder const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&> >, x::ptrrefBase> >& std::forward, x::ptrrefBase> > get_body_parser const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}>(std::string const&, x::ref const&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}&&)::{lambda(unsigned long)#1}, x::mime::make_multipart_default_discarder const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&> >, 
x::ptrrefBase> >&>(std::remove_reference, x::ptrrefBase> > get_body_parser const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}>(std::string const&, x::ref const&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}&&)::{lambda(unsigned long)#1}, x::mime::make_multipart_default_discarder const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&> > >::type&) 
@@ -4335,3 +4336,28 @@ __t2m05B500000000000000000_ __10%0__S4_0T0T0 %0<>::%0(%0<>) +# https://sourceware.org/bugzilla/show_bug.cgi?id=14963#c16 +--format=gnu-v3 +_ZN3mdr16in_cached_threadIRZNK4cudr6GPUSet17parallel_for_eachIZN5tns3d20shape_representation7compute7GPUImpl7executeERKNS_1AINS_7ptr_refIKjEELl3ELl3ENS_8c_strideILl1ELl0EEEEERKNS8_INS9_IjEELl4ELl1ESD_EEEUliRKNS1_7ContextERNS7_5StateEE_JSt6vectorISO_SaISO_EEEEEvOT_DpRT0_EUlSP_E_JSt17reference_wrapperISO_EEEENS_12ScopedFutureIDTclfp_spcl7forwardISW_Efp0_EEEEESV_DpOSW_ +mdr::ScopedFuture, 3l, 3l, mdr::c_stride<1l, 0l> > const&, mdr::A, 4l, 1l, mdr::c_stride<1l, 0l> > const&)::{lambda(int, cudr::Context const&, tns3d::shape_representation::compute::GPUImpl::State&)#1}, std::vector > >(tns3d::shape_representation::compute::GPUImpl::execute(mdr::A, 3l, 3l, mdr::c_stride<1l, 0l> > const&, mdr::A, 4l, 1l, mdr::c_stride<1l, 0l> > const&)::{lambda(int, cudr::Context const&, tns3d::shape_representation::compute::GPUImpl::State&)#1}&&, std::vector >&) const::{lambda(tns3d::shape_representation::compute::GPUImpl::State&)#1}&>)({parm#2}))...))> mdr::in_cached_thread, 3l, 3l, mdr::c_stride<1l, 0l> > const&, mdr::A, 4l, 1l, mdr::c_stride<1l, 0l> > const&)::{lambda(int, cudr::Context const&, tns3d::shape_representation::compute::GPUImpl::State&)#1}, std::vector > >(void cudr::GPUSet::parallel_for_each, 3l, 3l, mdr::c_stride<1l, 0l> > const&, mdr::A, 4l, 1l, mdr::c_stride<1l, 0l> > const&)::{lambda(int, cudr::Context const&, tns3d::shape_representation::compute::GPUImpl::State&)#1}, std::vector > >(tns3d::shape_representation::compute::GPUImpl::execute(mdr::A, 3l, 3l, mdr::c_stride<1l, 0l> > const&, mdr::A, 4l, 1l, mdr::c_stride<1l, 0l> > const&)::{lambda(int, cudr::Context const&, tns3d::shape_representation::compute::GPUImpl::State&)#1}&&, std::vector >&) const::{lambda(tns3d::shape_representation::compute::GPUImpl::State&)#1}&, std::vector >&) const::{lambda(tns3d::shape_representation::compute::GPUImpl::State&)#1}&, 
std::reference_wrapper >(void cudr::GPUSet::parallel_for_each, 3l, 3l, mdr::c_stride<1l, 0l> > const&, mdr::A, 4l, 1l, mdr::c_stride<1l, 0l> > const&)::{lambda(int, cudr::Context const&, tns3d::shape_representation::compute::GPUImpl::State&)#1}, std::vector > >(tns3d::shape_representation::compute::GPUImpl::execute(mdr::A, 3l, 3l, mdr::c_stride<1l, 0l> > const&, mdr::A, 4l, 1l, mdr::c_stride<1l, 0l> > const&)::{lambda(int, cudr::Context const&, tns3d::shape_representation::compute::GPUImpl::State&)#1}&&, std::vector >&) const::{lambda(tns3d::shape_representation::compute::GPUImpl::State&)#1}&, (void cudr::GPUSet::parallel_for_each, 3l, 3l, mdr::c_stride<1l, 0l> > const&, mdr::A, 4l, 1l, mdr::c_stride<1l, 0l> > const&)::{lambda(int, cudr::Context const&, tns3d::shape_representation::compute::GPUImpl::State&)#1}, std::vector > >(tns3d::shape_representation::compute::GPUImpl::execute(mdr::A, 3l, 3l, mdr::c_stride<1l, 0l> > const&, mdr::A, 4l, 1l, mdr::c_stride<1l, 0l> > const&)::{lambda(int, cudr::Context const&, tns3d::shape_representation::compute::GPUImpl::State&)#1}&&, std::vector >&) const::{lambda(tns3d::shape_representation::compute::GPUImpl::State&)#1}&&&)...) 
+# https://sourceware.org/bugzilla/show_bug.cgi?id=14963#c18 +--format=gnu-v3 +_ZNSt9_Any_data9_M_accessIPZN13ThreadManager10futureTaskISt5_BindIFSt7_Mem_fnIM6RunnerFvvEEPS5_EEEEvOT_EUlvE_EERSC_v +void ThreadManager::futureTask (Runner*)> >(std::_Bind (Runner*)>&&)::{lambda()#1}*& std::_Any_data::_M_access (Runner*)> >(void ThreadManager::futureTask (Runner*)> >(std::_Bind (Runner*)>&&)::{lambda()#1}*&&)::{lambda()#1}*>() +# https://sourceware.org/bugzilla/show_bug.cgi?id=14963#c24 +# aka https://sourceware.org/bugzilla/show_bug.cgi?id=16593 +--format=gnu-v3 +_ZNSt9_Any_data9_M_accessIPZN3sel8Selector6SetObjI3FooJPKcMS4_FviEEEEvRT_DpT0_EUlvE_EESA_v +void sel::Selector::SetObj(Foo&, char const*, void (Foo::*)(int))::{lambda()#1}*& std::_Any_data::_M_access(void sel::Selector::SetObj(Foo&, char const*, void (Foo::*)(int))::{lambda()#1}*&, char const*, void (Foo::*)(int))::{lambda()#1}*>() +# https://sourceware.org/bugzilla/show_bug.cgi?id=16752#c1 +--format=gnu-v3 +_ZNSt9_Any_data9_M_accessIPZN13ThreadManager7newTaskIRSt5_BindIFSt7_Mem_fnIM5DiaryFivEEPS5_EEIEEESt6futureINSt9result_ofIFT_DpT0_EE4typeEEOSF_DpOSG_EUlvE_EERSF_v +std::future (Diary*)>& ()>::type> ThreadManager::newTask (Diary*)>&>(std::_Bind (Diary*)>&)::{lambda()#1}*& std::_Any_data::_M_access (Diary*)>& ()>::type> ThreadManager::newTask (Diary*)>&>(std::future (Diary*)>& ()>::type> ThreadManager::newTask (Diary*)>&>(std::_Bind (Diary*)>&)::{lambda()#1}*&&)::{lambda()#1}*>() +# https://sourceware.org/bugzilla/show_bug.cgi?id=16752#c6 +--format=gnu-v3 +_ZNSt9_Any_data9_M_accessIPZN6cereal18polymorphic_detail15getInputBindingINS1_16JSONInputArchiveEEENS1_6detail15InputBindingMapIT_E11SerializersERS7_jEUlPvRSt10unique_ptrIvNS5_12EmptyDeleterIvEEEE0_EESA_v +cereal::detail::InputBindingMap::Serializers cereal::polymorphic_detail::getInputBinding(cereal::JSONInputArchive&, unsigned int)::{lambda(void*, std::unique_ptr >&)#2}*& std::_Any_data::_M_access::Serializers 
cereal::polymorphic_detail::getInputBinding(cereal::detail::InputBindingMap::Serializers cereal::polymorphic_detail::getInputBinding(cereal::JSONInputArchive&, unsigned int)::{lambda(void*, std::unique_ptr >&)#2}*&, unsigned int)::{lambda(void*, std::unique_ptr >&)#2}*>() +# https://sourceware.org/bugzilla/show_bug.cgi?id=16845#c2 +--format=gnu-v3 +_ZNSt9_Any_data9_M_accessIPZ4postISt8functionIFvvEEEvOT_EUlvE_EERS5_v +void post >(std::function&&)::{lambda()#1}*& std::_Any_data::_M_access >(void post >(std::function&&)::{lambda()#1}*&&)::{lambda()#1}*>() debian/patches/CVE-2016-4491-2.patch0000664000000000000000000000672613115775543013427 0ustar Backport of: From b4cd77b1236a743dd5d94bc210534856a12e6efe Mon Sep 17 00:00:00 2001 
From: mark Date: Fri, 21 Apr 2017 09:02:03 +0000 Subject: [PATCH] libiberty: Limit demangler maximum d_print_comp recursion call depth. The fix for PR demangler/70909 and 67264 (endless demangler recursion) catches when a demangle_component is printed in a cycle. But that doesn't protect the call stack blowing up from non-cyclic nested types printed recursively through d_print_comp. This can happen by a (very) long mangled string that simply creates a very deep pointer or qualifier chain. Limit the recursive d_print_comp call depth for a d_print_info to 1K nested types. libiberty/ChangeLog: * cp-demangle.c (MAX_RECURSION_COUNT): New constant. (struct d_print_info): Add recursion field. (d_print_init): Initialize recursion. (d_print_comp): Check and update d_print_info recursion depth. git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@247056 138bc75d-0d04-0410-961f-82ee72b054a4 --- libiberty/ChangeLog | 7 +++++++ libiberty/cp-demangle.c | 15 ++++++++++++--- 2 files changed, 19 insertions(+), 3 deletions(-) #diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog #index 673eb26..34e585e 100644 #--- a/libiberty/ChangeLog #+++ b/libiberty/ChangeLog #@@ -1,5 +1,12 @@ # 2017-04-21 Mark Wielaard # #+ * cp-demangle.c (MAX_RECURSION_COUNT): New constant. #+ (struct d_print_info): Add recursion field. #+ (d_print_init): Initialize recursion. #+ (d_print_comp): Check and update d_print_info recursion depth. #+ #+2017-04-21 Mark Wielaard #+ # * cp-demangle.c (d_substitution): Return NULL if d_add_substitution # fails. # Index: libiberty-20131116/libiberty/cp-demangle.c =================================================================== --- libiberty-20131116.orig/libiberty/cp-demangle.c 2017-06-07 09:10:13.427936963 -0400 +++ libiberty-20131116/libiberty/cp-demangle.c 2017-06-07 09:10:42.716204315 -0400 
@@ -304,6 +304,9 @@ struct d_saved_scope struct d_print_template *templates; }; +/* Maximum number of times d_print_comp may be called recursively. */ +#define MAX_RECURSION_COUNT 1024 + enum { D_PRINT_BUFFER_LENGTH = 256 }; struct d_print_info { @@ -326,6 +329,9 @@ struct d_print_info struct d_print_mod *modifiers; /* Set to 1 if we saw a demangling error. */ int demangle_failure; + /* Number of times d_print_comp was recursively called. Should not + be bigger than MAX_RECURSION_COUNT. */ + int recursion; /* The current index into any template argument packs we are using for printing. */ int pack_index; @@ -3702,6 +3708,7 @@ d_print_init (struct d_print_info *dpi, dpi->opaque = opaque; dpi->demangle_failure = 0; + dpi->recursion = 0; dpi->component_stack = NULL; @@ -5097,13 +5104,14 @@ d_print_comp (struct d_print_info *dpi, struct demangle_component *dc) { struct d_component_stack self; - if (dc == NULL || dc->d_printing > 1) + if (dc == NULL || dc->d_printing > 1 || dpi->recursion > MAX_RECURSION_COUNT) { d_print_error (dpi); return; } - else - dc->d_printing++; + + dc->d_printing++; + dpi->recursion++; self.dc = dc; self.parent = dpi->component_stack; @@ -5113,6 +5121,7 @@ d_print_comp (struct d_print_info *dpi, dpi->component_stack = self.parent; dc->d_printing--; + dpi->recursion--; } /* Print a Java dentifier. For Java we try to handle encoded extended debian/patches/CVE-2016-4491-1.patch0000664000000000000000000003051513115775453013417 0ustar Backport of: From a664c62cf916d036dba3d25973e5bb92c523536e Mon Sep 17 00:00:00 2001 
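Review bot: In the `d_print_comp` hunk the test `dpi->recursion > MAX_RECURSION_COUNT` runs before the increment, so the counter can reach 1025, one more than the bound stated in the new field comment ("Should not be bigger than MAX_RECURSION_COUNT"). Writing `dpi->recursion >= MAX_RECURSION_COUNT` would make the code and the comment agree. The limit counts calls rather than stack bytes, so it is worth confirming that 1024 nested frames of `d_print_comp_inner` fit on the smallest thread stack used by callers that demangle untrusted symbol names. That function's body is outside the hunk.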
From: trippels Date: Wed, 8 Mar 2017 14:28:38 +0000 Subject: [PATCH] Fix PR demangler/70909 and 67264 (endless demangler recursion) ChangeLog: PR demangler/70909 PR demangler/67264 * include/demangle.h: Add d_printing to struct demangle_component and pass struct demangle_component as non const. libiberty/ChangeLog: PR demangler/70909 PR demangler/67264 * cp-demangle.c: Fix endless recursion. Pass struct demangle_component as non const. (d_make_empty): Initialize variable. (d_print_comp_inner): Limit recursion. (d_print_comp): Decrement variable. * cp-demint.c (cplus_demangle_fill_component): Initialize variable. (cplus_demangle_fill_builtin_type): Likewise. (cplus_demangle_fill_operator): Likewise. * testsuite/demangle-expected: Add tests. git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@245978 138bc75d-0d04-0410-961f-82ee72b054a4 --- ChangeLog | 7 +++++ include/demangle.h | 9 ++++-- libiberty/ChangeLog | 15 +++++++++ libiberty/cp-demangle.c | 59 ++++++++++++++++++++--------------- libiberty/cp-demint.c | 3 ++ libiberty/testsuite/demangle-expected | 31 ++++++++++++++++++ 6 files changed, 97 insertions(+), 27 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index bdca057..27168c8 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,10 @@ #+2017-03-08 Mark Wielaard #+ #+ PR demangler/70909 #+ PR demangler/67264 #+ * include/demangle.h: Add d_printing to struct demangle_component #+ and pass struct demangle_component as non const. #+ # 2017-02-26 Gerald Pfeifer # # * MAINTAINERS: Remove Neil Booth as option handling maintainer. Index: libiberty-20131116/include/demangle.h =================================================================== --- libiberty-20131116.orig/include/demangle.h 2017-06-07 09:07:13.218683529 -0400 +++ libiberty-20131116/include/demangle.h 2017-06-07 09:07:13.210683456 -0400 
@@ -447,6 +447,11 @@ struct demangle_component /* The type of this component. */ enum demangle_component_type type; + /* Guard against recursive component printing. + Initialize to zero. Private to d_print_comp. + All other fields are final after initialization. */ + int d_printing; + union { /* For DEMANGLE_COMPONENT_NAME. */ @@ -641,7 +646,7 @@ cplus_demangle_v3_components (const char extern char * cplus_demangle_print (int options, - const struct demangle_component *tree, + struct demangle_component *tree, int estimated_length, size_t *p_allocated_size); @@ -661,7 +666,7 @@ cplus_demangle_print (int options, extern int cplus_demangle_print_callback (int options, - const struct demangle_component *tree, + struct demangle_component *tree, demangle_callbackref callback, void *opaque); #ifdef __cplusplus Index: libiberty-20131116/libiberty/cp-demangle.c =================================================================== --- libiberty-20131116.orig/libiberty/cp-demangle.c 2017-06-07 09:07:13.218683529 -0400 +++ libiberty-20131116/libiberty/cp-demangle.c 2017-06-07 09:08:58.415217174 -0400 @@ -169,10 +169,10 @@ static struct demangle_component *d_mang static struct demangle_component *d_type (struct d_info *); #define cplus_demangle_print d_print -static char *d_print (int, const struct demangle_component *, int, size_t *); +static char *d_print (int, struct demangle_component *, int, size_t *); #define cplus_demangle_print_callback d_print_callback -static int d_print_callback (int, const struct demangle_component *, +static int d_print_callback (int, struct demangle_component *, demangle_callbackref, void *); #define cplus_demangle_init_info d_init_info 
@@ -261,7 +261,7 @@ struct d_print_mod in which they appeared in the mangled string. */ struct d_print_mod *next; /* The modifier. */ - const struct demangle_component *mod; + struct demangle_component *mod; /* Whether this modifier was printed. */ int printed; /* The list of templates which applies to this modifier. */ @@ -493,7 +493,7 @@ static inline void d_append_string (stru static inline char d_last_char (struct d_print_info *); static void -d_print_comp (struct d_print_info *, int, const struct demangle_component *); +d_print_comp (struct d_print_info *, int, struct demangle_component *); static void d_print_java_identifier (struct d_print_info *, const char *, int); @@ -502,23 +502,23 @@ static void d_print_mod_list (struct d_print_info *, int, struct d_print_mod *, int); static void -d_print_mod (struct d_print_info *, int, const struct demangle_component *); +d_print_mod (struct d_print_info *, int, struct demangle_component *); static void d_print_function_type (struct d_print_info *, int, - const struct demangle_component *, + struct demangle_component *, struct d_print_mod *); static void d_print_array_type (struct d_print_info *, int, - const struct demangle_component *, + struct demangle_component *, struct d_print_mod *); static void -d_print_expr_op (struct d_print_info *, int, const struct demangle_component *); +d_print_expr_op (struct d_print_info *, int, struct demangle_component *); static void -d_print_cast (struct d_print_info *, int, const struct demangle_component *); +d_print_cast (struct d_print_info *, int, struct demangle_component *); static int d_demangle_callback (const char *, int, demangle_callbackref, void *); @@ -844,6 +844,7 @@ d_make_empty (struct d_info *di) if (di->next_comp >= di->num_comps) return NULL; p = &di->comps[di->next_comp]; + p->d_printing = 0; ++di->next_comp; return p; } 
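Review bot: `d_printing` is zeroed in `d_make_empty` here and in the three cp-demint.c fill functions later in this patch, but no visible hunk touches the other public fill helpers in cp-demangle.c (`cplus_demangle_fill_name`, `cplus_demangle_fill_extended_operator`, `cplus_demangle_fill_ctor`, `cplus_demangle_fill_dtor`). If those fill caller-allocated components in this tree, the field stays uninitialized and the `dc->d_printing > 1` guard in `d_print_comp` would read an indeterminate value, giving spurious demangle failures or an ineffective guard. Adding `p->d_printing = 0;` to each, as this patch does for `cplus_demangle_fill_component`, would close the gap. Their bodies are outside the hunks shown, so this needs checking against the full file.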
@@ -3807,7 +3808,7 @@ d_last_char (struct d_print_info *dpi) CP_STATIC_IF_GLIBCPP_V3 int cplus_demangle_print_callback (int options, - const struct demangle_component *dc, + struct demangle_component *dc, demangle_callbackref callback, void *opaque) { struct d_print_info dpi; @@ -3834,7 +3835,7 @@ cplus_demangle_print_callback (int optio CP_STATIC_IF_GLIBCPP_V3 char * -cplus_demangle_print (int options, const struct demangle_component *dc, +cplus_demangle_print (int options, struct demangle_component *dc, int estimate, size_t *palc) { struct d_growable_string dgs; @@ -3963,7 +3964,7 @@ d_pack_length (const struct demangle_com static void d_print_subexpr (struct d_print_info *dpi, int options, - const struct demangle_component *dc) + struct demangle_component *dc) { int simple = 0; if (dc->type == DEMANGLE_COMPONENT_NAME @@ -4012,11 +4013,11 @@ d_copy_templates (struct d_print_info *d static void d_print_comp_inner (struct d_print_info *dpi, int options, - const struct demangle_component *dc) + struct demangle_component *dc) { /* Magic variable to let reference smashing skip over the next modifier without needing to modify *dc. */ - const struct demangle_component *mod_inner = NULL; + struct demangle_component *mod_inner = NULL; /* Variable used to store the current templates while a previously captured scope is used. */ @@ -4390,7 +4391,7 @@ d_print_comp_inner (struct d_print_info case DEMANGLE_COMPONENT_RVALUE_REFERENCE: { /* Handle reference smashing: & + && = &. */ - const struct demangle_component *sub = d_left (dc); + struct demangle_component *sub = d_left (dc); if (sub->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM) { struct demangle_component *a; 
@@ -5093,9 +5094,16 @@ d_print_comp_inner (struct d_print_info static void d_print_comp (struct d_print_info *dpi, int options, - const struct demangle_component *dc) + struct demangle_component *dc) { struct d_component_stack self; + if (dc == NULL || dc->d_printing > 1) + { + d_print_error (dpi); + return; + } + else + dc->d_printing++; self.dc = dc; self.parent = dpi->component_stack; @@ -5104,6 +5112,7 @@ d_print_comp (struct d_print_info *dpi, d_print_comp_inner (dpi, options, dc); dpi->component_stack = self.parent; + dc->d_printing--; } /* Print a Java dentifier. For Java we try to handle encoded extended @@ -5254,7 +5263,7 @@ d_print_mod_list (struct d_print_info *d static void d_print_mod (struct d_print_info *dpi, int options, - const struct demangle_component *mod) + struct demangle_component *mod) { switch (mod->type) { @@ -5323,7 +5332,7 @@ d_print_mod (struct d_print_info *dpi, i static void d_print_function_type (struct d_print_info *dpi, int options, - const struct demangle_component *dc, + struct demangle_component *dc, struct d_print_mod *mods) { int need_paren; @@ -5405,7 +5414,7 @@ d_print_function_type (struct d_print_in static void d_print_array_type (struct d_print_info *dpi, int options, - const struct demangle_component *dc, + struct demangle_component *dc, struct d_print_mod *mods) { int need_space; @@ -5459,7 +5468,7 @@ d_print_array_type (struct d_print_info static void d_print_expr_op (struct d_print_info *dpi, int options, - const struct demangle_component *dc) + struct demangle_component *dc) { if (dc->type == DEMANGLE_COMPONENT_OPERATOR) d_append_buffer (dpi, dc->u.s_operator.op->name, 
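Review bot: `d_print_comp` now writes to the tree it prints (`dc->d_printing++` and `dc->d_printing--`), presumably the reason `const` is dropped from the public prototypes, but nothing tells callers that the same component tree can no longer be printed from two threads at once. A sentence on `cplus_demangle_print` and `cplus_demangle_print_callback` in demangle.h would cover it, for example `/* TREE is modified transiently while printing; do not print the same tree concurrently. */`. The threshold in `dc->d_printing > 1` also permits one re-entry of a component, and a one-line comment saying why one level is allowed rather than none would help the next reader judge whether the guard is tight enough.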
@@ -5472,7 +5481,7 @@ d_print_expr_op (struct d_print_info *dp static void d_print_cast (struct d_print_info *dpi, int options, - const struct demangle_component *dc) + struct demangle_component *dc) { if (d_left (dc)->type != DEMANGLE_COMPONENT_TEMPLATE) d_print_comp (dpi, options, d_left (dc)); Index: libiberty-20131116/libiberty/cp-demint.c =================================================================== --- libiberty-20131116.orig/libiberty/cp-demint.c 2017-06-07 09:07:13.218683529 -0400 +++ libiberty-20131116/libiberty/cp-demint.c 2017-06-07 09:07:13.214683492 -0400 @@ -122,6 +122,7 @@ cplus_demangle_fill_component (struct de p->type = type; p->u.s_binary.left = left; p->u.s_binary.right = right; + p->d_printing = 0; return 1; } @@ -145,6 +146,7 @@ cplus_demangle_fill_builtin_type (struct { p->type = DEMANGLE_COMPONENT_BUILTIN_TYPE; p->u.s_builtin.type = &cplus_demangle_builtin_types[i]; + p->d_printing = 0; return 1; } } @@ -171,6 +173,7 @@ cplus_demangle_fill_operator (struct dem { p->type = DEMANGLE_COMPONENT_OPERATOR; p->u.s_operator.op = &cplus_demangle_operators[i]; + p->d_printing = 0; return 1; } } Index: libiberty-20131116/libiberty/testsuite/demangle-expected =================================================================== --- libiberty-20131116.orig/libiberty/testsuite/demangle-expected 2017-06-07 09:07:13.218683529 -0400 +++ libiberty-20131116/libiberty/testsuite/demangle-expected 2017-06-07 09:09:33.843562880 -0400 
@@ -4361,3 +4361,34 @@ cereal::detail::InputBindingMap >(std::function&&)::{lambda()#1}*& std::_Any_data::_M_access >(void post >(std::function&&)::{lambda()#1}*&&)::{lambda()#1}*>() + +# +# Test recursion PR67264 +_Z1KIStcvT_E +_Z1KIStcvT_E + +_ZcvT_IIS0_EE +_ZcvT_IIS0_EE + +_ZcvT_IZcvT_E1fE +_ZcvT_IZcvT_E1fE + +_Z1gINcvT_EE +_Z1gINcvT_EE + +_ZcvT_ILZcvDTT_EEE +_ZcvT_ILZcvDTT_EEE + +_Z1gIJOOT_EEOT_c +_Z1gIJOOT_EEOT_c + +_Z1KMMMMMMMMMMMMMMMA_xooooooooooooooo +_Z1KMMMMMMMMMMMMMMMA_xooooooooooooooo + +_ZdvMMMMMMMMMMMMMrrrrA_DTdvfp_fp_Eededilfdfdfdfd +_ZdvMMMMMMMMMMMMMrrrrA_DTdvfp_fp_Eededilfdfdfdfd +# +# Test for Infinite Recursion PR70909 + +_Z1MA_aMMMMA_MMA_MMMMMMMMSt1MS_o11T0000000000t2M0oooozoooo +_Z1MA_aMMMMA_MMA_MMMMMMMMSt1MS_o11T0000000000t2M0oooozoooo debian/patches/CVE-2016-4490.patch0000664000000000000000000002727513115773720013264 0ustar Backport of: From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001 
From: bernds Date: Mon, 2 May 2016 17:06:40 +0000 Subject: [PATCH] =?utf8?q?Demangler=20integer=20overflow=20fixes=20from=20?= =?utf8?q?Marcel=20B=C3=B6hme.?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit PR c++/70498 * cp-demangle.c: Parse numbers as integer instead of long to avoid overflow after sanity checks. Include if available. (INT_MAX): Define if necessary. (d_make_template_param): Takes integer argument instead of long. (d_make_function_param): Likewise. (d_append_num): Likewise. (d_identifier): Likewise. (d_number): Parse as and return integer. (d_compact_number): Handle overflow. (d_source_name): Change variable type to integer for parsed number. (d_java_resource): Likewise. (d_special_name): Likewise. (d_discriminator): Likewise. (d_unnamed_type): Likewise. * testsuite/demangle-expected: Add regression test cases. git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4 --- libiberty/ChangeLog | 19 +++++++++++++ libiberty/cp-demangle.c | 52 ++++++++++++++++++++--------------- libiberty/testsuite/demangle-expected | 14 ++++++++-- 3 files changed, 61 insertions(+), 24 deletions(-) #diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog #index 7497392..1407cd3 100644 #--- a/libiberty/ChangeLog #+++ b/libiberty/ChangeLog #@@ -1,3 +1,22 @@ #+2016-05-02 Marcel Böhme #+ #+ PR c++/70498 #+ * cp-demangle.c: Parse numbers as integer instead of long to avoid #+ overflow after sanity checks. Include if available. #+ (INT_MAX): Define if necessary. #+ (d_make_template_param): Takes integer argument instead of long. #+ (d_make_function_param): Likewise. #+ (d_append_num): Likewise. #+ (d_identifier): Likewise. #+ (d_number): Parse as and return integer. #+ (d_compact_number): Handle overflow. #+ (d_source_name): Change variable type to integer for parsed number. #+ (d_java_resource): Likewise. #+ (d_special_name): Likewise. #+ (d_discriminator): Likewise. #+ (d_unnamed_type): Likewise. 
#+ * testsuite/demangle-expected: Add regression test cases. #+ # 2016-04-30 Oleg Endo # # * configure: Remove SH5 support. Index: libiberty-20131116/libiberty/cp-demangle.c =================================================================== --- libiberty-20131116.orig/libiberty/cp-demangle.c 2017-06-07 08:54:18.007294009 -0400 +++ libiberty-20131116/libiberty/cp-demangle.c 2017-06-07 08:54:51.489677397 -0400 @@ -124,6 +124,13 @@ extern char *alloca (); # endif /* alloca */ #endif /* HAVE_ALLOCA_H */ +#ifdef HAVE_LIMITS_H +#include +#endif +#ifndef INT_MAX +# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */ +#endif + #include "ansidecl.h" #include "libiberty.h" #include "demangle.h" @@ -359,7 +366,7 @@ d_make_dtor (struct d_info *, enum gnu_v struct demangle_component *); static struct demangle_component * -d_make_template_param (struct d_info *, long); +d_make_template_param (struct d_info *, int); static struct demangle_component * d_make_sub (struct d_info *, const char *, int); @@ -382,7 +389,7 @@ static struct demangle_component *d_unqu static struct demangle_component *d_source_name (struct d_info *); -static long d_number (struct d_info *); +static int d_number (struct d_info *); static struct demangle_component *d_identifier (struct d_info *, int); @@ -1057,7 +1064,7 @@ d_make_dtor (struct d_info *di, enum gnu /* Add a new template parameter. */ static struct demangle_component * -d_make_template_param (struct d_info *di, long i) +d_make_template_param (struct d_info *di, int i) { struct demangle_component *p; @@ -1073,7 +1080,7 @@ d_make_template_param (struct d_info *di /* Add a new function parameter. */ static struct demangle_component * -d_make_function_param (struct d_info *di, long i) +d_make_function_param (struct d_info *di, int i) { struct demangle_component *p; 
@@ -1547,7 +1554,7 @@ d_unqualified_name (struct d_info *di) static struct demangle_component * d_source_name (struct d_info *di) { - long len; + int len; struct demangle_component *ret; len = d_number (di); @@ -1560,12 +1567,12 @@ d_source_name (struct d_info *di) /* number ::= [n] <(non-negative decimal integer)> */ -static long +static int d_number (struct d_info *di) { int negative; char peek; - long ret; + int ret; negative = 0; peek = d_peek_char (di); @@ -1785,7 +1792,7 @@ d_java_resource (struct d_info *di) { struct demangle_component *p = NULL; struct demangle_component *next = NULL; - long len, i; + int len, i; char c; const char *str; @@ -1927,7 +1934,7 @@ d_special_name (struct d_info *di) case 'C': { struct demangle_component *derived_type; - long offset; + int offset; struct demangle_component *base_type; derived_type = cplus_demangle_type (di); @@ -2795,10 +2802,10 @@ d_pointer_to_member_type (struct d_info /* _ */ -static long +static int d_compact_number (struct d_info *di) { - long num; + int num; if (d_peek_char (di) == '_') num = 0; else if (d_peek_char (di) == 'n') @@ -2806,7 +2813,7 @@ d_compact_number (struct d_info *di) else num = d_number (di) + 1; - if (! d_check_char (di, '_')) + if (num < 0 || ! d_check_char (di, '_')) return -1; return num; } @@ -2818,7 +2825,7 @@ d_compact_number (struct d_info *di) static struct demangle_component * d_template_param (struct d_info *di) { - long param; + int param; if (! d_check_char (di, 'T')) return NULL; @@ -3020,9 +3027,10 @@ d_expression (struct d_info *di) } else { - index = d_compact_number (di) + 1; - if (index == 0) + index = d_compact_number (di); + if (index == INT_MAX || index == -1) return NULL; + index ++; } return d_make_function_param (di, index); } @@ -3333,7 +3341,7 @@ d_local_name (struct d_info *di) static int d_discriminator (struct d_info *di) { - long discrim; + int discrim; if (d_peek_char (di) != '_') return 1; 
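Review bot: In `d_compact_number` the new `num < 0` test runs after `num = d_number (di) + 1;`, so for a parsed value of `INT_MAX` it relies on signed overflow wrapping, which is undefined behaviour in C and may be optimized away. The `d_expression` hunk on this same line already uses the safer order: it compares against `INT_MAX` first and increments afterwards. Doing the same here, `num = d_number (di); if (num < 0 || num == INT_MAX) return -1; num++;`, keeps the check well defined. Whether `d_number`'s own digit accumulation can overflow an `int` cannot be judged here, because its loop is outside the hunk.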
@@ -3389,7 +3397,7 @@ static struct demangle_component * d_unnamed_type (struct d_info *di) { struct demangle_component *ret; - long num; + int num; if (! d_check_char (di, 'U')) return NULL; @@ -3760,10 +3768,10 @@ d_append_string (struct d_print_info *dp } static inline void -d_append_num (struct d_print_info *dpi, long l) +d_append_num (struct d_print_info *dpi, int l) { char buf[25]; - sprintf (buf,"%ld", l); + sprintf (buf,"%d", l); d_append_string (dpi, buf); } Index: libiberty-20131116/libiberty/testsuite/demangle-expected =================================================================== --- libiberty-20131116.orig/libiberty/testsuite/demangle-expected 2017-06-07 08:54:18.007294009 -0400 +++ libiberty-20131116/libiberty/testsuite/demangle-expected 2017-06-07 08:54:18.003293963 -0400 
@@ -4298,12 +4298,22 @@ void f() _ZSt7forwardIRN1x14refobjiteratorINS0_3refINS0_4mime30multipart_section_processorObjIZ15get_body_parserIZZN14mime_processor21make_section_iteratorERKNS2_INS3_10sectionObjENS0_10ptrrefBaseEEEbENKUlvE_clEvEUlSB_bE_ZZNS6_21make_section_iteratorESB_bENKSC_clEvEUlSB_E0_ENS1_INS2_INS0_20outputrefiteratorObjIiEES8_EEEERKSsSB_OT_OT0_EUlmE_NS3_32make_multipart_default_discarderISP_EEEES8_EEEEEOT_RNSt16remove_referenceISW_E4typeE x::refobjiterator, x::ptrrefBase> > get_body_parser const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}>(std::string const&, x::ref const&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}&&)::{lambda(unsigned long)#1}, x::mime::make_multipart_default_discarder const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&> >, x::ptrrefBase> >& std::forward, x::ptrrefBase> > get_body_parser const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}>(std::string const&, x::ref const&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}&&)::{lambda(unsigned long)#1}, x::mime::make_multipart_default_discarder const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&> >, x::ptrrefBase> >&>(std::remove_reference, x::ptrrefBase> > get_body_parser const&, bool)::{lambda()#1}::operator()() 
const::{lambda(x::ref const&, bool)#1}, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}>(std::string const&, x::ref const&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&, mime_processor::make_section_iterator(x::ref const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&)#2}&&)::{lambda(unsigned long)#1}, x::mime::make_multipart_default_discarder const&, bool)::{lambda()#1}::operator()() const::{lambda(x::ref const&, bool)#1}&&> > >::type&) # -# Tests a use-after-free problem +# Tests a use-after-free problem PR70481 _Q.__0 ::Q.(void) # -# Tests a use-after-free problem +# Tests a use-after-free problem PR70481 _Q10-__9cafebabe. cafebabe.::-(void) +# +# Tests integer overflow problem PR70492 + +__vt_90000000000cafebabe +__vt_90000000000cafebabe +# +# Tests write access violation PR70498 + +_Z80800000000000000000000 +_Z80800000000000000000000 debian/copyright0000664000000000000000000001075412241755702011137 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: libiberty Source: http://gcc.gnu.org/ Files: config/* include/* Copyright: Copyright (C) 1990-2013 Free Software Foundation License: GPL-3+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
Files: include/dwarf2.h Copyright: Copyright (C) 1990-2013 Free Software Foundation License: GPL-3+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . Under Section 7 of GPL version 3, you are granted additional permissions described in the GCC Runtime Library Exception, version 3.1, as published by the Free Software Foundation. Files: libiberty/* include/demangle.h include/leb128.h include/safe-ctype.h include/timeval-utils.h include/xregex2.h Copyright: Copyright (C) 1990-2013 Free Software Foundation License: LGPL-2.1+ Libiberty is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . Libiberty is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. Files: libiberty/libiberty.texi Copyright: Copyright (C) 2001-2010 Free Software Foundation License: GFDL Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled ``GNU Free Documentation License''. 
Files: include/vtv-change-permission.h Copyright: Copyright (C) 2013 Free Software Foundation License: LGPL-2+ This file is part of GCC. . modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. . In addition to the permissions in the GNU Library General Public License, the Free Software Foundation gives you unlimited permission to link the compiled version of this file into combinations with other programs, and to distribute those combinations without any restriction coming from the use of this file. (The Library Public License restrictions do apply in other respects; for example, they cover modification of the file, and distribution when not linked into a combined executable.) . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. Files: debian/* Copyright: 2013 Matthias Klose License: GPL-2+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". debian/rules0000775000000000000000000000401012241754677010262 0ustar #!/usr/bin/make -f # -*- makefile -*- # Uncomment this to turn on verbose mode. 
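#export DH_VERBOSE=1

# Multiarch triplets of the build and host systems, queried from
# dpkg-architecture unless the caller has already set them.
DEB_BUILD_MULTIARCH ?= $(shell dpkg-architecture -qDEB_BUILD_MULTIARCH)
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

# Compiler and linker flags are taken from dpkg-buildflags, which supplies
# the distribution's default build options (including its hardening flags).
# Keep them flowing through to configure rather than hand-writing values.
# -fPIC is prepended to CFLAGS.
CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)
CFLAGS := -fPIC $(shell dpkg-buildflags --get CFLAGS)
LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)

# Honour "parallel=N" in DEB_BUILD_OPTIONS by passing "-j N" to the build.
COMMA = ,
ifneq (,$(filter parallel=%,$(subst $(COMMA), ,$(DEB_BUILD_OPTIONS))))
  NJOBS := -j $(subst parallel=,,$(filter parallel=%,$(subst $(COMMA), ,$(DEB_BUILD_OPTIONS))))
endif

# Arguments handed to libiberty's configure script.
confargs = \
	--prefix=/usr \
	--disable-multilib \
	--enable-install-libiberty

# Cross build: tell configure about the build and host systems explicitly.
ifneq ($(DEB_BUILD_MULTIARCH),$(DEB_HOST_MULTIARCH))
  confargs += \
	--build=$(DEB_BUILD_MULTIARCH) \
	--host=$(DEB_HOST_MULTIARCH)
endif

configure: configure-stamp
# Configure in a fresh out-of-tree directory "build"; the stamp file records
# that this step has been done.
configure-stamp:
	dh_testdir
	rm -rf build
	mkdir -p build
	cd build && ../libiberty/configure \
		$(confargs) \
		CPPFLAGS="$(CPPFLAGS)" \
		CFLAGS="$(CFLAGS)" \
		LDFLAGS="$(LDFLAGS)"
	touch $@

build-arch: build-stamp
build-indep:
build: build-stamp
build-stamp: configure-stamp
	dh_testdir
	$(MAKE) $(NJOBS) -C build
	touch $@

clean:
	dh_testdir
	dh_testroot
	rm -f build-stamp configure-stamp
	rm -rf build
	dh_clean

# Install into the package staging tree, then move the static archives
# into the multiarch library directory.
install: build
	dh_testdir
	dh_testroot
	dh_prep
	dh_installdirs \
		/usr/include/libiberty \
		/usr/lib/$(DEB_HOST_MULTIARCH)
	$(MAKE) -C build install \
		DESTDIR="$(CURDIR)/debian/libiberty-dev" \
		target_header_dir=/usr/include/libiberty
	mv debian/libiberty-dev/usr/lib/*.a \
		debian/libiberty-dev/usr/lib/$(DEB_HOST_MULTIARCH)/.

# Build architecture-independent files here.
binary-indep: install
# We have nothing to do by default.

# Build architecture-dependent files here.
binary-arch: install
	dh_testdir
	dh_testroot
	dh_installchangelogs
	dh_installdocs
	dh_strip
	dh_compress
	dh_fixperms
	dh_installdeb
	dh_shlibdeps
	dh_gencontrol
	dh_md5sums
	dh_builddeb

binary: binary-indep binary-arch
# build-arch and build-indep are commands, not files, so they are declared
# phony alongside the other entry points; otherwise a stray file with one of
# those names would suppress the target.
.PHONY: build build-arch build-indep clean binary-indep binary-arch binary install configure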