From 6900134167b2c456705b577d6a9b3b5a455df7e1 Mon Sep 17 00:00:00 2001
From: Nico Weber
Date: Mon, 15 Apr 2019 16:42:44 +0000
Subject: [PATCH] llvm-undname: Fix nullptr deref on invalid conversion operator names in template args

A ConversionOperatorIdentifierNode has a TargetType which is read when printing it, but if the ConversionOperatorIdentifierNode appears in a template argument there's nothing that can provide the TargetType. Normally the COIN is a symbol (leaf) name and takes its TargetType from the symbol's type, but in a template argument context the COIN can only be either a non-leaf name piece or a type, and must hence be invalid. Similar to the COIN check in demangleDeclarator(). Found by oss-fuzz.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@358421 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Demangle/MicrosoftDemangle.cpp | 11 ++++++++++-
 test/Demangle/invalid-manglings.test | 5 +++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/lib/Demangle/MicrosoftDemangle.cpp b/lib/Demangle/MicrosoftDemangle.cpp
index 2b41c0037f9..c3bdfa23d1f 100644
--- a/lib/Demangle/MicrosoftDemangle.cpp
+++ b/lib/Demangle/MicrosoftDemangle.cpp
@@ -947,8 +947,17 @@ Demangler::demangleTemplateInstantiationName(StringView &MangledName,
 if (Error)
 return nullptr;
 
- if (NBB & NBB_Template)
+ if (NBB & NBB_Template) {
+ // NBB_Template is only set for types and non-leaf names ("a::" in "a::b").
+ // A conversion operator only makes sense in a leaf name , so reject it in
+ // NBB_Template contexts.
+ if (Identifier->kind() == NodeKind::ConversionOperatorIdentifier) {
+ Error = true;
+ return nullptr;
+ }
+
 memorizeIdentifier(Identifier);
+ }
 
 return Identifier;
 }
diff --git a/test/Demangle/invalid-manglings.test b/test/Demangle/invalid-manglings.test
index 869d63a274f..2673770c1de 100644
--- a/test/Demangle/invalid-manglings.test
+++ b/test/Demangle/invalid-manglings.test
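Review bot: The guard added inside `if (NBB & NBB_Template)` rejects only `NodeKind::ConversionOperatorIdentifier`, although the comment above it states a broader rule: identifiers that only make sense as a leaf name must not be accepted here. Any other identifier kind that takes state from the enclosing symbol would still be memorized and printed later; structor names look like a candidate, but their printer is not visible in this patch, so that needs confirming. If it holds, the condition would become `if (Identifier->kind() == NodeKind::ConversionOperatorIdentifier || Identifier->kind() == NodeKind::StructorIdentifier) {`. Because the demangler is fed untrusted names (this one came from oss-fuzz), a null check on `TargetType` at the point where it is printed would also keep a missed path from becoming a crash. The function body starts before this hunk.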
@@ -129,3 +129,8 @@
 ; CHECK-EMPTY:
 ; CHECK-NEXT: ??_R4foo@@
 ; CHECK-NEXT: error: Invalid mangled name
+
+?foo@?$?BH@@QAEHXZ
+; CHECK-EMPTY:
+; CHECK-NEXT: ?foo@?$?BH@@QAEHXZ
+; CHECK-NEXT: error: Invalid mangled name
-- 
2.11.0