Fix memory allocation size overflows (PR69687, patch by Marcel Böhme)

PR c++/69687 * cplus-dem.c: Include <limits.h> if available. (INT_MAX): Define if necessary. (remember_type, remember_Ktype, register_Btype, string_need): Abort if we detect cases where we the size of the allocation would overflow. From-SVN: r234829
2016-04-08 12:10:21 +00:00 · 2016-04-08 12:10:21 +00:00 · bdf66f7734
parent 59dad006fa
commit bdf66f7734
2 changed files with 22 additions and 0 deletions
--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
@ -1,5 +1,12 @@
 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>

+	PR c++/69687
+	* cplus-dem.c: Include <limits.h> if available.
+	(INT_MAX): Define if necessary.
+	(remember_type, remember_Ktype, register_Btype, string_need):
+	Abort if we detect cases where we the size of the allocation would
+	overflow.
+
 	PR c++/70498
 	* cplus-dem.c (gnu_special): Handle case where consume_count returns
 	-1.
--- a/libiberty/cplus-dem.c
+++ b/libiberty/cplus-dem.c
@ -56,6 +56,13 @@ void * malloc ();
 void * realloc ();
 #endif

+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+#ifndef INT_MAX
+# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */ 
+#endif
+
 #include <demangle.h>
 #undef CURRENT_DEMANGLING_STYLE
 #define CURRENT_DEMANGLING_STYLE work->options
@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len)
 	}
      else
 	{
+          if (work -> typevec_size > INT_MAX / 2)
+	    xmalloc_failed (INT_MAX);
 	  work -> typevec_size *= 2;
 	  work -> typevec
 	    = XRESIZEVEC (char *, work->typevec, work->typevec_size);
@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len)
 	}
      else
 	{
+          if (work -> ksize > INT_MAX / 2)
+	    xmalloc_failed (INT_MAX);
 	  work -> ksize *= 2;
 	  work -> ktypevec
 	    = XRESIZEVEC (char *, work->ktypevec, work->ksize);
@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
 	}
      else
 	{
+          if (work -> bsize > INT_MAX / 2)
+	    xmalloc_failed (INT_MAX);
 	  work -> bsize *= 2;
 	  work -> btypevec
 	    = XRESIZEVEC (char *, work->btypevec, work->bsize);
@ -4771,6 +4784,8 @@ string_need (string *s, int n)
  else if (s->e - s->p < n)
    {
      tem = s->p - s->b;
+      if (n > INT_MAX / 2 - tem)
+        xmalloc_failed (INT_MAX); 
      n += tem;
      n *= 2;
      s->b = XRESIZEVEC (char, s->b, n);