acaf403c63
Currently the backing buffer of a `std::vector<char>` is passed[1] to `Demangler.getFunctionBaseName`. However, deeply inside the call stack `OutputBuffer::grow` will call[2] `std::realloc` if it needs to grow the buffer, leading to UB. The demangler APIs specify[3] that "`Buf` and `N` behave like the second and third parameters to `__cxa_demangle`" and the docs for the latter say[4] that the output buffer must be allocated with `malloc` (but can also be `NULL` and will then be realloced accordingly). Note: PR #135863 changed this from a stack array to a `std::vector` and increased the size to 65K, but this can still lead to a crash if the demangled name is longer than that - yes, I'm surprised that a >65K-long function name happens in practice... [1]:d7e631c7cd/llvm/lib/Transforms/IPO/SampleProfileMatcher.cpp (L744)[2]:d7e631c7cd/llvm/include/llvm/Demangle/Utility.h (L50)[3]:d7e631c7cd/llvm/include/llvm/Demangle/Demangle.h (L92-L93)[4]: https://gcc.gnu.org/onlinedocs/libstdc++/libstdc++-html-USERS-4.3/a01696.html
37 KiB
37 KiB