llvm-undname: Fix nullptr deref on invalid conversion operator names in template...

A ConversionOperatorIdentifierNode has a TargetType which is read when
printing it, but if the ConversionOperatorIdentifierNode appears in a
template argument there's nothing that can provide the TargetType.
Normally the COIN is a symbol (leaf) name and takes its TargetType from the
symbol's type, but in a template argument context the COIN can only be
either a non-leaf name piece or a type, and must hence be invalid.

Similar to the COIN check in demangleDeclarator().

Found by oss-fuzz.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@358421 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/Demangle/MicrosoftDemangle.cpp b/lib/Demangle/MicrosoftDemangle.cpp
index 2b41c0037f9b183ad60d45d000d9a8fcd80babc1..c3bdfa23d1f5507893fe85208fceb9c4dcf27cb8 100644 (file)
--- a/lib/Demangle/MicrosoftDemangle.cpp
+++ b/lib/Demangle/MicrosoftDemangle.cpp
@@ -947,8 +947,17 @@ Demangler::demangleTemplateInstantiationName(StringView &MangledName,
   if (Error)
     return nullptr;
 
-  if (NBB & NBB_Template)
+  if (NBB & NBB_Template) {
+    // NBB_Template is only set for types and non-leaf names ("a::" in "a::b").
+    // A conversion operator only makes sense in a leaf name , so reject it in
+    // NBB_Template contexts.
+    if (Identifier->kind() == NodeKind::ConversionOperatorIdentifier) {
+      Error = true;
+      return nullptr;
+    }
+
     memorizeIdentifier(Identifier);
+  }
 
   return Identifier;
 }

diff --git a/test/Demangle/invalid-manglings.test b/test/Demangle/invalid-manglings.test
index 869d63a274f6e0569e3620030f46e433a4bd60dc..2673770c1deb61c7de52429eb1b2c17cd13dccf3 100644 (file)
--- a/test/Demangle/invalid-manglings.test
+++ b/test/Demangle/invalid-manglings.test
@@ -129,3 +129,8 @@
 ; CHECK-EMPTY:
 ; CHECK-NEXT: ??_R4foo@@
 ; CHECK-NEXT: error: Invalid mangled name
+
+?foo@?$?BH@@QAEHXZ
+; CHECK-EMPTY:
+; CHECK-NEXT: ?foo@?$?BH@@QAEHXZ
+; CHECK-NEXT: error: Invalid mangled name