From ebd01b0ae68f7eff7e671f5b2df921e59e73e9a9 Mon Sep 17 00:00:00 2001
From: Jason Molenda
Date: Thu, 30 Apr 2015 23:42:56 +0000
Subject: [PATCH] Guard against the case where the Write method is called with an argument pointing into the middle of m_buffer and then Write() calls GrowBuffer() to resize m_buffer, leaving the content argument pointing into deallocated memory. Patch by Kate Stone. llvm-svn: 236286
---
 lldb/source/Core/FastDemangle.cpp | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/lldb/source/Core/FastDemangle.cpp b/lldb/source/Core/FastDemangle.cpp
index 53e8972..0f12af2 100644
--- a/lldb/source/Core/FastDemangle.cpp
+++ b/lldb/source/Core/FastDemangle.cpp
@@ -383,10 +383,19 @@ private:
 char *end_m_write_ptr = m_write_ptr + content_length;
 if (end_m_write_ptr > m_buffer_end)
 {
- GrowBuffer(end_m_write_ptr - m_buffer_end);
+ if (content >= m_buffer && content < m_buffer_end)
+ {
+ long offset = content - m_buffer;
+ GrowBuffer (end_m_write_ptr - m_buffer_end);
+ content = m_buffer + offset;
+ }
+ else
+ {
+ GrowBuffer (end_m_write_ptr - m_buffer_end);
+ }
 end_m_write_ptr = m_write_ptr + content_length;
 }
- memcpy(m_write_ptr, content, content_length);
+ memcpy (m_write_ptr, content, content_length);
 m_write_ptr = end_m_write_ptr;
 }
 #define WRITE(x) Write(x, sizeof (x) - 1)
-- 
2.7.4
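Review bot: The `memcpy` at the end of the hunk still requires that source and destination do not overlap, yet the new branch establishes that `content` may point inside `m_buffer`, the same allocation that `m_write_ptr` writes into. If an aliased range can ever reach past `m_write_ptr` (the callers are outside this hunk, so this is unconfirmed), the copy is undefined behaviour; `memmove (m_write_ptr, content, content_length);` removes that precondition. The rebase `content = m_buffer + offset;` is also only safe if GrowBuffer leaves `m_buffer` valid when reallocation fails, which its body (not shown here) should be checked for. Both branches repeat the same `GrowBuffer` call, so recording the offset first and calling it once would keep the fix in one place. Write's signature and the type of `content_length` lie outside the hunk.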