1 |
--- a/libiberty/cplus-dem.c |
2 |
+++ b/libiberty/cplus-dem.c |
3 |
@@ -2033,7 +2033,8 @@ |
4 |
else |
5 |
{ |
6 |
int symbol_len = consume_count (mangled); |
7 |
- if (symbol_len == -1) |
8 |
+ if (symbol_len == -1 |
9 |
+ || symbol_len > (long) strlen (*mangled)) |
10 |
return -1; |
11 |
if (symbol_len == 0) |
12 |
string_appendn (s, "0", 1); |
13 |
@@ -3593,7 +3594,7 @@ |
14 |
/* A back reference to a previously seen type */ |
15 |
case 'T': |
16 |
(*mangled)++; |
17 |
- if (!get_count (mangled, &n) || n >= work -> ntypes) |
18 |
+ if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes) |
19 |
{ |
20 |
success = 0; |
21 |
} |
22 |
@@ -3768,7 +3769,7 @@ |
23 |
/* A back reference to a previously seen squangled type */ |
24 |
case 'B': |
25 |
(*mangled)++; |
26 |
- if (!get_count (mangled, &n) || n >= work -> numb) |
27 |
+ if (!get_count (mangled, &n) || n < 0 || n >= work -> numb) |
28 |
success = 0; |
29 |
else |
30 |
string_append (result, work->btypevec[n]); |
31 |
@@ -4109,7 +4110,8 @@ |
32 |
|
33 |
literal_len = consume_count (mangled); |
34 |
|
35 |
- if (literal_len <= 0) |
36 |
+ if (literal_len <= 0 |
37 |
+ || literal_len > (long) strlen (*mangled)) |
38 |
return 0; |
39 |
|
40 |
/* Literal parameters are names of arrays, functions, etc. and the |
41 |
--- a/libiberty/testsuite/demangle-expected |
42 |
+++ b/libiberty/testsuite/demangle-expected |
43 |
@@ -4161,3 +4161,16 @@ |
44 |
|
45 |
_Z80800000000000000000000 |
46 |
_Z80800000000000000000000 |
47 |
+# |
48 |
+# Tests write access violation PR70926 |
49 |
+ |
50 |
+0__Ot2m02R5T0000500000 |
51 |
+0__Ot2m02R5T0000500000 |
52 |
+# |
53 |
+ |
54 |
+0__GT50000000000_ |
55 |
+0__GT50000000000_ |
56 |
+# |
57 |
+ |
58 |
+__t2m05B500000000000000000_ |
59 |
+__t2m05B500000000000000000_ |