llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

Stack-overflow in demangler (2) #32226

Open llvmbot opened 7 years ago

llvmbot commented 7 years ago
Bugzilla Link 32879
Version unspecified
OS Linux
Reporter LLVM Bugzilla Contributor
CC @emaste,@kcc,@mclow

Extended Description

Dear All,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme and Van-Thuan Pham.

First, you need to build the project (https://github.com/llvm-mirror/libcxxabi/blob/master/fuzz/cxa_demangle_fuzzer.cpp) to obtain the binary file.

To reproduce: $ for G in $(seq 1 15000); do printf "G"; done > test; echo "" >> test; cat test | ./cxa_demangle_fuzzer

ASAN says: ==27344==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdf42bbd60 (pc 0x00000084f33b bp 0x7ffdf42bc730 sp 0x7ffdf42bbd60 T0)

#0 0x84f33a in char const* __cxxabiv1::(anonymous namespace)::parse_builtin_type<__cxxabiv1::(anonymous namespace)::Db>(char const*, char const*, __cxxabiv1::(anonymous namespace)::Db&) /src/llvm_libcxxabi/src/cxa_demangle.cpp:379

#1 0x5328ee in char const* __cxxabiv1::(anonymous namespace)::parse_type<__cxxabiv1::(anonymous namespace)::Db>(char const*, char const*, __cxxabiv1::(anonymous namespace)::Db&) /src/llvm_libcxxabi/src/cxa_demangle.cpp:1967:33
#2 0x534009 in char const* __cxxabiv1::(anonymous namespace)::parse_type<__cxxabiv1::(anonymous namespace)::Db>(char const*, char const*, __cxxabiv1::(anonymous namespace)::Db&) /src/llvm_libcxxabi/src/cxa_demangle.cpp:2008:29
#3 0x534009 in char const* __cxxabiv1::(anonymous namespace)::parse_type<__cxxabiv1::(anonymous namespace)::Db>(char const*, char const*, __cxxabiv1::(anonymous namespace)::Db&) /src/llvm_libcxxabi/src/cxa_demangle.cpp:2008:29
#4 0x534009 in char const* __cxxabiv1::(anonymous namespace)::parse_type<__cxxabiv1::(anonymous namespace)::Db>(char const*, char const*, __cxxabiv1::(anonymous namespace)::Db&) /src/llvm_libcxxabi/src/cxa_demangle.cpp:2008:29
...

Regards, Manh-Dung Nguyen

llvmbot commented 7 years ago

I was looking into the reported stack-overflows. As a quick-fix one could track and bound the recursion depth. However, using an arbitrary constant is tricky and might violate the coding practices here at LLVM (It does for GNU). A proper patch would turn the recursion into iteration. However, this requires major refactoring.

Thoughts?
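
The two mitigations discussed in the comment above, shown side by side on a toy subset of the Itanium `<type>` grammar. This is an added illustration, not code from libcxxabi's `cxa_demangle.cpp`: the grammar (`i`/`c`/`v` builtins, `P`/`R`/`K` modifiers) is a constructed subset, the function names are hypothetical, and `kMaxDepth` is an arbitrary placeholder constant of exactly the kind the comment warns about. The first parser keeps the recursion but fails closed once the depth budget is spent; the second replaces recursion with a heap-allocated modifier stack, so a long chain of modifiers costs heap memory rather than stack frames.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>
#include <vector>

// Constructed subset of the Itanium <type> grammar (not libcxxabi's real grammar):
//   <type> ::= i | c | v         builtin
//            | P <type>          pointer to <type>
//            | R <type>          reference to <type>
//            | K <type>          const <type>
// Every modifier nests one level deeper, which is the parse_type -> parse_type
// recursion visible in the ASan trace in the report.

// Assumption: an arbitrary recursion budget. Any fixed value is a policy choice.
constexpr std::size_t kMaxDepth = 512;

static const char* modifierSuffix(char m) {
    return m == 'P' ? "*" : m == 'R' ? "&" : " const";
}

// Option 1: keep the recursion, but refuse (nullopt) instead of descending past
// the depth budget. Stack usage is now bounded by kMaxDepth, not by input length.
static std::optional<std::string> parseTypeRec(std::string_view& s, std::size_t depth) {
    if (depth > kMaxDepth || s.empty()) return std::nullopt;
    char c = s.front();
    s.remove_prefix(1);
    switch (c) {
    case 'i': return "int";
    case 'c': return "char";
    case 'v': return "void";
    case 'P': case 'R': case 'K': {
        auto inner = parseTypeRec(s, depth + 1);
        if (!inner) return std::nullopt;
        return *inner + modifierSuffix(c);
    }
    default: return std::nullopt;  // unknown production, e.g. 'G'
    }
}

std::optional<std::string> demangleTypeBounded(std::string_view mangled) {
    auto r = parseTypeRec(mangled, 0);
    if (r && !mangled.empty()) return std::nullopt;  // trailing garbage
    return r;
}

// Option 2: iteration. Modifiers are collected in a vector (heap), the builtin
// is read once, and the modifiers are applied inside-out. No recursion at all.
std::optional<std::string> demangleTypeIter(std::string_view mangled) {
    std::vector<char> modifiers;
    std::size_t i = 0;
    while (i < mangled.size() &&
           (mangled[i] == 'P' || mangled[i] == 'R' || mangled[i] == 'K')) {
        modifiers.push_back(mangled[i]);
        ++i;
    }
    if (i >= mangled.size()) return std::nullopt;  // modifiers with no base type
    std::string result;
    switch (mangled[i]) {
    case 'i': result = "int"; break;
    case 'c': result = "char"; break;
    case 'v': result = "void"; break;
    default: return std::nullopt;
    }
    if (i + 1 != mangled.size()) return std::nullopt;  // trailing garbage
    // The last modifier pushed is innermost, so apply in reverse order.
    for (auto it = modifiers.rbegin(); it != modifiers.rend(); ++it)
        result += modifierSuffix(*it);
    return result;
}

int main() {
    // Constructed inputs: a normal name and a pathologically deep one.
    const std::string normal = "PKi";
    const std::string deep = std::string(15000, 'P') + "i";
    std::cout << "bounded(PKi) = " << demangleTypeBounded(normal).value_or("<rejected>") << "\n";
    std::cout << "bounded(deep) = " << demangleTypeBounded(deep).value_or("<rejected>") << "\n";
    std::cout << "iter(deep) length = " << demangleTypeIter(deep).value_or("").size() << "\n";
    return 0;
}
```

The bounded version turns the crash into a clean rejection, which is the right behaviour for untrusted symbol names fed to tools such as fuzzers, crash reporters and debuggers; the iterative version accepts the same deep input and returns the full expansion, at the cost of the restructuring the comment calls major.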

kcc commented 7 years ago

Yes, the demangler is full of stack overflows. I suggest not filing many different bugs, but keeping just one bug open instead. Maybe just add stuff below https://bugs.llvm.org//show_bug.cgi?id=31031#c6

oss-fuzz has seen stack overflows too, but did not report upstream because, sadly, such bugs are not getting fixed anyway. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=985