rizinorg / rz-libdemangle

Rizin Library to demangle symbols

Buffer overflow in `demangle_fund_type` #60

Closed s1gse9v closed 1 year ago

s1gse9v commented 1 year ago

When encountering the mangled symbol `I_EEEEET_PNS0_7IsolateENS0_7Runtime10FunctionIdEPKNS2_16TSCallDescriptorENS2_7OpIndexESU_RKT0_`, `demangle_fund_type` in `src/gnu_v2/cplus-dem.c` overflows the stack-allocated buffer `char buf[10]`, initialized at cplus-dem.c:2744. The offending logic is located in the switch case `'I'` at cplus-dem.c:2859, which reads the sequence of characters enclosed in `_` after the initial `I` as a hex value at line 2879. The read value is then converted to a decimal int and written back to `buf`, overflowing it. Since I don't fully understand demangling, I'm not sure how to create a minimal working example.

s1gse9v commented 1 year ago

At least in my case the problem is solved by just doubling the size of buf. Is the overhead of adding bounds-checking or heap-allocating a buffer worth it here?

wargio commented 1 year ago

I am not amazed, given that code is very old :/ Thank you for the report.

wargio commented 1 year ago

Can't repro, are you sure about the string?

s1gse9v commented 1 year ago

Fairly sure; the `sscanf` converts `EEEEET` into 978670, which should shift the trailing `t` in `int%i_t` just out of bounds of `buf[10]`.

wargio commented 1 year ago

I can add some fixes, since that value should never be >64, etc.
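As an added example (not rz-libdemangle's code), the shape of the fix discussed in this thread: the width read from the `I_<hex>_` span is bounded (64 bits, the value wargio mentions, is an assumed limit) and the result is written with `snprintf` so an oversized value or a too-small buffer is rejected instead of overflowing; the function name, the `I_<hex>_` layout and the `int<n>_t` output format are modelled on the comments above, not taken from the library.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not rz-libdemangle's code: a constructed model of the
 * "I_<hex>_" fixed-width integer case discussed above. The hex digits between
 * the two underscores give the width, and the output is "int<decimal>_t".
 * Assumptions: widths above 64 bits are invalid (the bound wargio mentions)
 * and the caller's buffer may be as small as the original char buf[10]. */
#define MAX_FUND_INT_BITS 64UL

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns 0 and fills `out` on success; -1 if the input is malformed, the
 * width exceeds MAX_FUND_INT_BITS, or the result does not fit in outlen. */
int format_fund_int_type(const char *mangled, char *out, size_t outlen)
{
    if (mangled == NULL || out == NULL || outlen == 0 ||
        mangled[0] != 'I' || mangled[1] != '_')
        return -1;
    /* Parse only up to the closing '_', rejecting the value as soon as it
     * exceeds the bound so the accumulator can never wrap. sscanf("%x") has
     * no such limit, which is how 0xEEEEE reached sprintf in the report. */
    const char *p = mangled + 2;
    unsigned long bits = 0;
    int ndigits = 0;
    for (; *p != '_'; p++, ndigits++) {
        int v = hexval((unsigned char)*p);
        if (v < 0)
            return -1;  /* end of string or non-hex character */
        bits = bits * 16 + (unsigned long)v;
        if (bits > MAX_FUND_INT_BITS)
            return -1;
    }
    if (ndigits == 0 || bits == 0)
        return -1;

    /* snprintf is bounded by outlen; truncation is an error, not clipped output. */
    int n = snprintf(out, outlen, "int%lu_t", bits);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}
```

With the reported `I_EEEEET_` prefix the parse stops at the third digit (0xEEE already exceeds 64), so nothing is ever formatted into the 10-byte buffer.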