A buffer overflow in cplus-dem.c is caused when Valgrind tries to demangle specially crafted function arguments in the binary. Both the buffer size as well as the buffer content are controlled from the binary.

Upstream: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

Reproducible: Always

Steps to Reproduce:

$ cat compileme.c
#include <stdio.h>
#include <stdlib.h>

const char* ____________________X00020A___R0020A__U000R03000N99999999_020A__K000(){
    char *p;
    /* two of these blocks are leaked on purpose so the leak check reports this frame */
    p = (char *) malloc(19);
    p = (char *) malloc(12);
    free(p);
    p = (char *) malloc(16);
    return "Hello World!";
}

int main() {
    printf("%s\n", ____________________X00020A___R0020A__U000R03000N99999999_020A__K000());
    return 0;
}

$ g++ compileme.c -o temp
$ sed -b s/Z68/_20/g temp > valgrindme
$ chmod u+x valgrindme
$ ./valgrindme
Hello World!
$ valgrind --leak-check=yes ./valgrindme
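The check the report points at (a length field and the bytes it claims to cover both come from the binary), as an added example that is not code from this bug report, Valgrind or libiberty: a bounds-checked reader for the length-prefixed source name of an Itanium-style mangled symbol. The names extract_source_name and check_symbol are chosen here; the first input is the report's 68-character function name as g++ would mangle it, the second is a constructed symbol whose length field is larger than the bytes present.

```c
/* Added example (not from the bug report, Valgrind or libiberty): read the
 * <source-name> of an Itanium-style symbol "_Z<len><identifier><params>".
 * <len> and the identifier both come from the binary, so <len> is checked
 * against the bytes actually present before it is ever used as a copy size. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the source name of `mangled` into `out` (capacity `outcap`).
 * Returns the identifier length, or -1 if the symbol is not "_Z<len>...",
 * the length field is zero or overflows, the name is truncated, or the
 * result would not fit in `out`. Never reads past the terminating NUL. */
long extract_source_name(const char *mangled, char *out, size_t outcap)
{
    size_t mlen = strlen(mangled), pos = 2;
    unsigned long declared; char *end;
    if (mlen < 3 || mangled[0] != '_' || mangled[1] != 'Z')
        return -1;
    if (mangled[pos] < '0' || mangled[pos] > '9')
        return -1;                 /* only the plain <len><id> form is handled */
    errno = 0;
    declared = strtoul(mangled + pos, &end, 10);
    if (errno == ERANGE || declared == 0)
        return -1;                 /* empty or absurdly large length field */
    pos = (size_t)(end - mangled);
    if (declared > mlen - pos)     /* the essential check: declared vs present */
        return -1;
    if (declared >= outcap)        /* leave room for the NUL terminator */
        return -1;
    memcpy(out, mangled + pos, declared);
    out[declared] = '\0';
    return (long)declared;
}

/* Convenience wrapper: parse into a local buffer and return only the length. */
long check_symbol(const char *mangled)
{
    char buf[256];
    return extract_source_name(mangled, buf, sizeof buf);
}

int main(void)
{
    /* The report's 68-character name as g++ mangles it, then a constructed
     * symbol whose length field claims more bytes than the string holds. */
    printf("%ld\n", check_symbol("_Z68____________________X00020A___R0020A__U000R03000N99999999_020A__K000v")); /* 68 */
    printf("%ld\n", check_symbol("_Z99abcv"));  /* -1 */
    return 0;
}
```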
Thanks for letting us know. We'll watch upstream as the bug is in their shop. We just pull in the code from the GCC demangler. I believe that upstream is actually binutils rather than gcc as the demangling code is part of libiberty. If you don't get any response from gcc you might want to raise the bug there. BTW: the c++filt tool (part of binutils) has the same issue.
Created attachment 101012
Update libiberty demangler

This particular bug (and many more issues) has been fixed upstream now. Update the libiberty demangler using the auxprogs/update-demangler script. There were various extensions and bug fixes since our last import. Add the new D language demangler file d-demangle.c and update the vg_libciface.h header with some new constructs used (strtol, xmalloc_failed, xmemdup, XDELETEVEC, XDUPVEC).
valgrind svn r15951