From 319a0dfba4ac4e9b2d6830574afaf06debc8435a Mon Sep 17 00:00:00 2001
From: Sergiu Deitsch <sergiud@users.noreply.github.com>
Date: Fri, 6 Oct 2023 01:47:56 +0200
Subject: [PATCH] fix: stack buffer overflow (#957)

---
 src/demangle.cc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/demangle.cc b/src/demangle.cc
index 1310c3b3f..090ac570c 100644
--- a/src/demangle.cc
+++ b/src/demangle.cc
@@ -36,6 +36,7 @@
 
 #include "demangle.h"
 
+#include <cstddef>
 #include <cstdio>  // for nullptr
 #include <limits>
 
@@ -222,6 +223,10 @@ static bool ZeroOrMore(ParseFunc parse_func, State *state) {
 // is set to true for later use.  The output string is ensured to
 // always terminate with '\0' as long as there is no overflow.
 static void Append(State *state, const char * const str, ssize_t length) {
+  if (state->out_cur == nullptr) {
+    state->overflowed = true;
+    return;
+  }
   for (ssize_t i = 0; i < length; ++i) {
     if (state->out_cur + 1 < state->out_end) {  // +1 for '\0'
       *state->out_cur = str[i];
@@ -667,6 +672,10 @@ static bool ParseIdentifier(State *state, ssize_t length) {
   } else {
     MaybeAppendWithLength(state, state->mangled_cur, length);
   }
+  if (length < 0 ||
+      static_cast<std::size_t>(length) > StrLen(state->mangled_cur)) {
+    return false;
+  }
   state->mangled_cur += length;
   return true;
 }