
Infinite loop in demangler #50749

@borman

Description

Bugzilla Link 51407
Resolution FIXED
Resolved on Aug 17, 2021 15:18
Version trunk
OS All
CC @ldionne
Fixed by commit(s) f0fcd42

Extended Description

A libfuzzer run has discovered some inputs for which the demangler does not terminate.

When minimized, it looks like this: _Zcv1BIRT_EIS1_E

Deciphered:

```
_Z
cv  - conversion operator
  * result type
  1B  - "B"
  I   - template args begin
  R   - reference type                <.
  T_  - forward template reference     | *
  E   - template args end              | |
                                       | |
  * parameter type                     | |
  I   - template args begin            | |
  S1_ - substitution #1                * <'
  E   - template args end
```

The reason is: template-parameter refs in conversion operator result type create forward-references, while substitutions are instantly resolved via back-references. Together these can create a reference loop. It causes an infinite loop in ReferenceType::collapse().

I see three possible ways to avoid these loops:

  1. check if resolving a forward reference creates a loop and reject the invalid input (hard to traverse AST at this point)
  2. check if a substitution contains a malicious forward reference and reject the invalid input (hard to traverse AST at this point; substitutions are quite common: may affect performance; hard to clearly detect loops at this point)
  3. detect loops in ReferenceType::collapse() (cannot reject the input)
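The reference cycle deciphered above, modelled as an added example in C++. This is not libcxxabi's code and not the fix that landed in f0fcd42; the class names, the `getSyntaxNode()` hook and the `Ast` owner are simplified stand-ins, and the binding S1_ = the reference type `RT_` is read from the diagram in the report. The `collapse()` walk follows the structure described for `ReferenceType::collapse()`, and the visited set is the kind of guard option 3 suggests: a `ReferenceType` seen twice means the AST contains a reference loop, so the walk stops and reports it instead of spinning.

```cpp
#include <algorithm>
#include <iostream>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Minimal model of the demangler AST, constructed for this example.
enum class Kind { Name, Reference, ForwardTemplateReference };
enum class RefKind { LValue = 0, RValue = 1 };

struct Node {
  Kind K;
  explicit Node(Kind K_) : K(K_) {}
  virtual ~Node() = default;
  // A forward reference resolves to the node it was bound to; other nodes are their own syntax node.
  virtual const Node *getSyntaxNode() const { return this; }
};

struct NameType : Node {
  std::string Name;
  explicit NameType(std::string N) : Node(Kind::Name), Name(std::move(N)) {}
};

struct ForwardTemplateReference : Node {
  const Node *Ref = nullptr;  // bound once the template argument list has been parsed
  ForwardTemplateReference() : Node(Kind::ForwardTemplateReference) {}
  const Node *getSyntaxNode() const override { return Ref ? Ref->getSyntaxNode() : this; }
};

struct Collapsed {
  RefKind RK;
  const Node *Pointee;  // nullptr when a loop was detected
  bool Looped;
};

struct ReferenceType : Node {
  const Node *Pointee;
  RefKind RK;
  ReferenceType(const Node *P, RefKind R) : Node(Kind::Reference), Pointee(P), RK(R) {}

  // Peel off references that were written as template parameters (T& with T = U& is U&).
  // Without the Visited check this loop never ends on the cycle RT_ -> T_ -> RT_.
  Collapsed collapse() const {
    std::set<const Node *> Visited{this};
    RefKind Strongest = RK;
    const Node *Cur = Pointee;
    for (;;) {
      const Node *SN = Cur->getSyntaxNode();
      if (SN->K != Kind::Reference)
        return {Strongest, Cur, false};
      if (!Visited.insert(SN).second)
        return {Strongest, nullptr, true};  // reference loop: bail out instead of spinning
      auto *RT = static_cast<const ReferenceType *>(SN);
      Cur = RT->Pointee;
      Strongest = std::min(Strongest, RT->RK);  // reference collapsing: lvalue wins over rvalue
    }
  }
};

// Owns the nodes of one parsed name; ResultRef is the "RT_" inside the conversion operator's result type.
struct Ast {
  std::vector<std::unique_ptr<Node>> Nodes;
  ReferenceType *ResultRef = nullptr;
  template <class T, class... A> T *make(A &&...a) {
    auto *P = new T(std::forward<A>(a)...);
    Nodes.emplace_back(P);
    return P;
  }
};

// The AST the report deciphers for _Zcv1BIRT_EIS1_E (hand-built, no parser involved).
Ast buildLoopingInput() {
  Ast A;
  A.make<NameType>("B");                                    // 1B
  auto *T = A.make<ForwardTemplateReference>();             // T_ : forward reference, unbound so far
  auto *RT = A.make<ReferenceType>(T, RefKind::LValue);     // R T_ : the template argument of B
  // Parameter type I S1_ E: S1_ back-references RT_ (per the diagram), and binding T_ to that
  // first template argument closes the cycle RT_ -> T_ -> RT_.
  T->Ref = RT;
  A.ResultRef = RT;
  return A;
}

// Same shape with a concrete argument (assumed input: parameter type I i E), so T_ binds to int.
Ast buildWellFormedInput() {
  Ast A;
  auto *T = A.make<ForwardTemplateReference>();
  auto *RT = A.make<ReferenceType>(T, RefKind::LValue);
  T->Ref = A.make<NameType>("int");
  A.ResultRef = RT;
  return A;
}

int main() {
  Ast Bad = buildLoopingInput();
  std::cout << "looping input: looped=" << Bad.ResultRef->collapse().Looped << "\n";
  Ast Good = buildWellFormedInput();
  Collapsed C = Good.ResultRef->collapse();
  std::cout << "well-formed input: looped=" << C.Looped << " pointee="
            << static_cast<const NameType *>(C.Pointee->getSyntaxNode())->Name << "\n";
}
```

The guard only makes the printer terminate; as the report notes for option 3, by the time `collapse()` runs the input has already been accepted, so a caller that wants to reject `_Zcv1BIRT_EIS1_E` outright still needs a check during parsing (options 1 or 2).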
