luo980/glog
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: stack buffer overflow (#957)

Browse Source
This commit is contained in:
Sergiu Deitsch 2023-10-06 01:47:56 +02:00 committed by GitHub
parent e567cfc442
commit 319a0dfba4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/demangle.cc
View File

@ -36,6 +36,7 @@
#include "demangle.h" #include "demangle.h"
#include <cstddef>
#include <cstdio> // for nullptr #include <cstdio> // for nullptr
#include <limits> #include <limits>
@ -222,6 +223,10 @@ static bool ZeroOrMore(ParseFunc parse_func, State *state) {
// is set to true for later use. The output string is ensured to // is set to true for later use. The output string is ensured to
// always terminate with '\0' as long as there is no overflow. // always terminate with '\0' as long as there is no overflow.
static void Append(State *state, const char * const str, ssize_t length) { static void Append(State *state, const char * const str, ssize_t length) {
if (state->out_cur == nullptr) {
state->overflowed = true;
return;
}
for (ssize_t i = 0; i < length; ++i) { for (ssize_t i = 0; i < length; ++i) {
if (state->out_cur + 1 < state->out_end) { // +1 for '\0' if (state->out_cur + 1 < state->out_end) { // +1 for '\0'
*state->out_cur = str[i]; *state->out_cur = str[i];
@ -667,6 +672,10 @@ static bool ParseIdentifier(State *state, ssize_t length) {
} else { } else {
MaybeAppendWithLength(state, state->mangled_cur, length); MaybeAppendWithLength(state, state->mangled_cur, length);
} }
if (length < 0 ||
static_cast<std::size_t>(length) > StrLen(state->mangled_cur)) {
return false;
}
state->mangled_cur += length; state->mangled_cur += length;
return true; return true;
} }