Fix from Dale Hawkins:

* cplus-dem.c (mop_up): Set typevec_size to zero, so it'll be
reallocated properly if we use it again.
* cplus-dem.c (demangle_fund_type): Check for buffer overrun.  Be
stricter about syntax.  Always null-terminate string.

From-SVN: r26562

diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
index a484922..e834d2a 100644 (file)
--- a/libiberty/cplus-dem.c
+++ b/libiberty/cplus-dem.c
@@ -880,6 +880,7 @@ mop_up (work, declp, success)
     {
       free ((char *) work -> typevec);
       work -> typevec = NULL;
+      work -> typevec_size = 0;
     }
   if (work->tmpl_argvec)
     {
@@ -3377,14 +3378,22 @@ demangle_fund_type (work, mangled, result)
        {
          int i;
          ++(*mangled);
-         for (i = 0; **mangled && **mangled != '_'; ++(*mangled), ++i)
+         for (i = 0;
+              (i < sizeof (buf) - 1 && **mangled && **mangled != '_');
+              ++(*mangled), ++i)
            buf[i] = **mangled;
+         if (**mangled != '_')
+           {
+             success = 0;
+             break;
+           }
          buf[i] = '\0';
          ++(*mangled);
        }
       else
        {
          strncpy (buf, *mangled, 2);
+         buf[2] = '\0';
          *mangled += 2;
        }
       sscanf (buf, "%x", &dec);