[llvm] r358856 - llvm-undname: Fix stack overflow on almost-valid

Nico Weber via llvm-commits llvm-commits at lists.llvm.org
Sun Apr 21 09:58:26 PDT 2019


Author: nico
Date: Sun Apr 21 09:58:25 2019
New Revision: 358856

URL: http://llvm.org/viewvc/llvm-project?rev=358856&view=rev
Log:
llvm-undname: Fix stack overflow on almost-valid

If an unsigned with all 4 bytes non-0 was passed to outputHex(), there
were two off-by-ones in it:

- Both MaxPos and Pos left space for the final \0, which left the buffer
  one byte too small. Set MaxPos to 16 instead of 15 to fix.

- The `assert(Pos >= 0);` was after a `Pos--`, move it up one line.

Since valid Unicode codepoints are <= 0x10ffff, this could never really
happen in practice.

Found by oss-fuzz.

Modified:
    llvm/trunk/lib/Demangle/MicrosoftDemangle.cpp
    llvm/trunk/test/Demangle/ms-string-literals.test
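The size arithmetic behind the fix, worked through as an added example (this is not code from LLVM's MicrosoftDemangle.cpp; the function names, the lowercase hex digits and the "<overflow>" marker are this example's own assumptions). It reimplements the fill-from-the-end loop of outputHex() with the same 17-byte buffer, takes the index of the terminating \0 as a parameter so the pre-r358856 layout (15) and the fixed layout (16) can be compared, and replaces the debug-only assert with a check that refuses the iteration that would write below index 0 instead of corrupting the stack:

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Bytes needed for the "\xNN" escapes of C, excluding the terminating '\0'.
// One escape is emitted per byte from the most significant non-zero byte
// down, so a value with all four bytes non-zero needs 4 * 4 = 16 characters.
static size_t escapedLength(uint32_t C) {
  size_t Bytes = 0;
  while (C != 0) {
    ++Bytes;
    C >>= 8;
  }
  return Bytes * 4;
}

// Reimplementation of the fill-from-the-end loop in outputHex(). MaxPos is the
// index of the terminating '\0' in the 17-byte buffer (15 before r358856, 16
// after). Instead of relying on assert(), which is compiled out under NDEBUG,
// the iteration that would write below index 0 is refused and false returned.
// Hex digits are lowercase here; that is an assumption of this example.
static bool formatHexFixedBuffer(uint32_t C, int MaxPos, std::string &Out) {
  char TempBuffer[17];
  std::memset(TempBuffer, 0, sizeof(TempBuffer));
  assert(MaxPos >= 0 && MaxPos < static_cast<int>(sizeof(TempBuffer)));

  int Pos = MaxPos - 1;
  while (C != 0) {
    // Each iteration writes four characters: two digits, 'x', '\\'. The last
    // of them lands at Pos - 3, so that is the index that must stay >= 0.
    if (Pos - 3 < 0)
      return false;
    for (int I = 0; I < 2; ++I) {
      TempBuffer[Pos--] = "0123456789abcdef"[C % 16];
      C /= 16;
    }
    TempBuffer[Pos--] = 'x';
    TempBuffer[Pos--] = '\\';
  }
  Out.assign(&TempBuffer[Pos + 1]);
  return true;
}

// Convenience wrapper: the escape string, or "<overflow>" when the buffer
// layout given by MaxPos cannot hold it.
static std::string formatHexDemo(uint32_t C, int MaxPos) {
  std::string Out;
  return formatHexFixedBuffer(C, MaxPos, Out) ? Out : std::string("<overflow>");
}

int main() {
  // 0x11223344: the value in the test input added in r358856 (four non-zero
  // bytes). 0xFFFFFFFF: the worst case, 16 escape characters. 0x10FFFF: the
  // largest valid code point, which has only three non-zero bytes.
  const uint32_t Inputs[] = {0x11223344u, 0xFFFFFFFFu, 0x10FFFFu};
  for (uint32_t C : Inputs) {
    std::printf("0x%08x needs %zu chars: MaxPos=15 -> %s, MaxPos=16 -> %s\n", C,
                escapedLength(C), formatHexDemo(C, 15).c_str(),
                formatHexDemo(C, 16).c_str());
  }
  return 0;
}
```

Running it shows why the bug was invisible on valid input: 0x10FFFF needs 12 characters and fits either layout, while any value with a non-zero top byte needs all 16 and only fits once the terminator sits at index 16.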

Modified: llvm/trunk/lib/Demangle/MicrosoftDemangle.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Demangle/MicrosoftDemangle.cpp?rev=358856&r1=358855&r2=358856&view=diff
==============================================================================
--- llvm/trunk/lib/Demangle/MicrosoftDemangle.cpp (original)
+++ llvm/trunk/lib/Demangle/MicrosoftDemangle.cpp Sun Apr 21 09:58:25 2019
@@ -1071,17 +1071,17 @@ static void outputHex(OutputStream &OS,
   char TempBuffer[17];
 
   ::memset(TempBuffer, 0, sizeof(TempBuffer));
-  constexpr int MaxPos = 15;
+  constexpr int MaxPos = sizeof(TempBuffer) - 1;
 
-  int Pos = MaxPos - 1;
+  int Pos = MaxPos - 1; // TempBuffer[MaxPos] is the terminating \0.
   while (C != 0) {
     for (int I = 0; I < 2; ++I) {
       writeHexDigit(&TempBuffer[Pos--], C % 16);
       C /= 16;
     }
     TempBuffer[Pos--] = 'x';
-    TempBuffer[Pos--] = '\\';
     assert(Pos >= 0);
+    TempBuffer[Pos--] = '\\';
   }
   OS << StringView(&TempBuffer[Pos + 1]);
 }
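Review bot: moving assert(Pos >= 0) ahead of the '\\' write makes it guard the lowest index written in each iteration, which is the right spot, but assert() is compiled out in release builds, so there the only thing keeping TempBuffer in bounds is the arithmetic: with C a four-byte unsigned (per the commit message) the loop writes at most 4 * 4 = 16 characters into TempBuffer[0..15], and the new MaxPos = sizeof(TempBuffer) - 1 = 16 reserves TempBuffer[16] for the terminator. Suggest tying the two together so a future widening of C's type cannot silently reintroduce the overflow, e.g. a static_assert(sizeof(TempBuffer) >= 4 * sizeof(C) + 1, "..."); next to the buffer declaration, or sizing the buffer from sizeof(C) directly. The added comment "TempBuffer[MaxPos] is the terminating \0." is welcome for exactly this reason.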

Modified: llvm/trunk/test/Demangle/ms-string-literals.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Demangle/ms-string-literals.test?rev=358856&r1=358855&r2=358856&view=diff
==============================================================================
--- llvm/trunk/test/Demangle/ms-string-literals.test (original)
+++ llvm/trunk/test/Demangle/ms-string-literals.test Sun Apr 21 09:58:25 2019
@@ -781,3 +781,13 @@
 
 ??_C at _0CC@MBPKDIAM at a?$AA?$AA?$AAb?$AA?$AA?$AAc?$AA?$AA?$AAd?$AA?$AA?$AAe?$AA?$AA?$AAf?$AA?$AA?$AAg?$AA?$AA?$AAh?$AA?$AA?$AA@
 ; CHECK: u"a\0b\0c\0d\0e\0f\0g\0h\0"...
+
+; This is technically not a valid u32 string since the character in it is not
+; <= 0x10FFFF like unicode demands. (Also, the crc doesn't match the contents.)
+; It's here because this input used to cause a stack overflow in outputHex().
+
+; FIXME: The demangler currently writes for \x codes for a single U string
+; character. That's incorrect since that would mangle two four characters.
+
+??_C at _07LJGFEJEB@D3?$CC?$BB?$AA?$AA?$AA?$AA@)
+; CHECK: U"\x11\x22\x33\x44"
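Review bot: the FIXME comment in this hunk has two wording slips that obscure its point: "writes for \x codes" should read "writes four \x codes", and "that would mangle two four characters" does not parse (presumably "that would mean four characters"). Since the CHECK line deliberately pins the output the FIXME calls incorrect (four \x escapes for a single U string character), it is worth saying so explicitly in the comment so the CHECK is not later mistaken for the intended behaviour. Note also that the mailing-list archive has rewritten the leading "@" in both mangled names as " at " ("??_C at _07..."), so these lines should not be copied from the archive as-is.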