git: 12be6f12e87a - main - Fix memory corruption in C++ demangler

From: Warner Losh <imp_at_FreeBSD.org>
Date: Fri, 10 May 2024 02:01:00 UTC
The branch main has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=12be6f12e87abc3e1edd3cc6cdc20334bdd63380

commit 12be6f12e87abc3e1edd3cc6cdc20334bdd63380
Author:     Justine Tunney <jtunney@gmail.com>
AuthorDate: 2024-05-10 01:55:45 +0000
Commit:     Warner Losh <imp@FreeBSD.org>
CommitDate: 2024-05-10 01:55:52 +0000

    Fix memory corruption in C++ demangler
    
    The __cxa_demangle_gnu3() and cpp_demangle_gnu3() functions segfault on
    various libcxxabi test cases due to a copy and paste error. This change
    fixes that.
    
    This is a subset of https://github.com/libcxxrt/libcxxrt/pull/34 which
    fixes the immediate problem.
    
    Reviewed by: imp, emaste (I think)
    Pull Request: https://github.com/freebsd/freebsd-src/pull/1222
---
 contrib/elftoolchain/libelftc/libelftc_dem_gnu3.c | 2 +-
 contrib/libcxxrt/libelftc_dem_gnu3.c              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrib/elftoolchain/libelftc/libelftc_dem_gnu3.c b/contrib/elftoolchain/libelftc/libelftc_dem_gnu3.c
index a84ca2649497..223878aa34ea 100644
--- a/contrib/elftoolchain/libelftc/libelftc_dem_gnu3.c
+++ b/contrib/elftoolchain/libelftc/libelftc_dem_gnu3.c
@@ -2138,7 +2138,7 @@ cpp_demangle_read_sname(struct cpp_demangle_data *ddata)
 	assert(ddata->cur_output->size > 0);
 	if (vector_read_cmd_find(&ddata->cmd, READ_TMPL) == NULL)
 		ddata->last_sname =
-		    ddata->cur_output->container[ddata->output.size - 1];
+		    ddata->cur_output->container[ddata->cur_output->size - 1];
 
 	ddata->cur += len;
 
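Review bot: The new index `ddata->cur_output->size - 1` in cpp_demangle_read_sname() is protected only by the `assert(ddata->cur_output->size > 0)` two lines above it, and that assert is compiled out when the file is built with NDEBUG. With a size of zero the subtraction would wrap and the read would land outside `container`. The input is a mangled name supplied by the caller, so consider an explicit runtime check that fails the parse when `cur_output->size` is 0, rather than relying on the assert alone.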
diff --git a/contrib/libcxxrt/libelftc_dem_gnu3.c b/contrib/libcxxrt/libelftc_dem_gnu3.c
index e75d1694562e..dbdbd6f2414e 100644
--- a/contrib/libcxxrt/libelftc_dem_gnu3.c
+++ b/contrib/libcxxrt/libelftc_dem_gnu3.c
@@ -2472,7 +2472,7 @@ cpp_demangle_read_sname(struct cpp_demangle_data *ddata)
 	assert(ddata->cur_output->size > 0);
 	if (vector_read_cmd_find(&ddata->cmd, READ_TMPL) == NULL)
 		ddata->last_sname =
-		    ddata->cur_output->container[ddata->output.size - 1];
+		    ddata->cur_output->container[ddata->cur_output->size - 1];
 
 	ddata->cur += len;
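Review bot: No regression test accompanies the `last_sname` fix, either here or in the elftoolchain copy, although the commit message says the crash reproduces on libcxxabi test cases. Suggest adding at least one of those inputs as a test that exercises both copies of libelftc_dem_gnu3.c, since the hunk offsets (2472 here, 2138 in the other file) show the two files are not identical. It is also worth checking each file for any other place that indexes `cur_output->container` with `output.size`, given that the commit message describes this as only a subset of the upstream pull request.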