demangler_gnu crashes with BAD_ACCESS in d_unqualified_name function

[MarcSchoenefeld]

Describe the bug

There is a memory access violation (BAD_ACCESS) in the d_unqualified_name function [1] of demangler_gnu, as demonstrated with the string "_ZN11951592242730AnimationOverlayHandlerImplD18446744073709551616Ev" . This leads to a segmentation fault when launching the demangler_gnu process.

[1] 

ghidra/GPL/DemanglerGnu/src/demangler_gnu/c/cp-demangle.c

Line 1486 in 6ae0c1c

d_unqualified_name (struct d_info *di)

To Reproduce
lldb ./GPL/DemanglerGnu/os/osx64/demangler_gnu _ZN11951592242730AnimationOverlayHandlerImplD18446744073709551616Ev

(lldb) target create "./GPL/DemanglerGnu/os/osx64/demangler_gnu"
Current executable set to './GPL/DemanglerGnu/os/osx64/demangler_gnu' (x86_64).
(lldb) settings set -- target.run-args "_ZN11951592242730AnimationOverlayHandlerImplD18446744073709551616Ev"
(lldb) r
Process 46162 launched: '/Users/marc/Downloads/ghidra_9.1.1_PUBLIC/GPL/DemanglerGnu/os/osx64/demangler_gnu' (x86_64)
Process 46162 stopped

• thread Ghidra does not render correctly with GDK_SCALE set (HiDPI display) #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7ffea228f89d)
  frame #0: 0x0000000100009eab demangler_gnud_unqualified_name + 571 demangler_gnud_unqualified_name:
  -> 0x100009eab <+571>: movsx ecx, byte ptr [rax]
  0x100009eae <+574>: cmp ecx, 0x42
  0x100009eb1 <+577>: jne 0x100009ec8 ; <+600>
  0x100009eb7 <+583>: mov rdi, qword ptr [rbp - 0x10]
  Target 0: (demangler_gnu) stopped.
  (lldb) bt
• thread Ghidra does not render correctly with GDK_SCALE set (HiDPI display) #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7ffea228f89d)
  • frame #0: 0x0000000100009eab demangler_gnud_unqualified_name + 571 frame #1: 0x000000010000a09f demangler_gnud_prefix + 255
    frame OSX: scrolling only goes down #2: 0x0000000100009986 demangler_gnud_nested_name + 166 frame #3: 0x000000010000901f demangler_gnud_name + 79
    frame README.md: Prevent redundant HTTP autolink #4: 0x00000001000023d1 demangler_gnud_encoding + 81 frame #5: 0x0000000100002279 demangler_gnucplus_demangle_mangled_name + 201
    frame RCE Through JDWP Debug Port #6: 0x000000010000826c demangler_gnud_demangle_callback + 556 frame #7: 0x0000000100007f91 demangler_gnud_demangle + 65
    frame DWARF information in Go ELF exe causes problems for Auto-Analysis #8: 0x0000000100007f3f demangler_gnucplus_demangle_v3 + 31 frame #9: 0x00000001000103cc demangler_gnucplus_demangle + 188
    frame "Windows x86 PE Exception Handling" Auto-Analysis pass is extremely slow #10: 0x0000000100011b42 demangler_gnudemangle_it + 130 frame #11: 0x000000010001164b demangler_gnumain + 507
    frame Any sort of rebase option? #12: 0x00007fff6b67c3d5 libdyld.dylibstart + 1 frame #13: 0x00007fff6b67c3d5 libdyld.dylibstart + 1
    (lldb) register read rax
    rax = 0x00007ffea228f89d

Expected behavior
No crash, return proper error return code.

Environment (please complete the following information):

• OS: [e.g. macOS 10.14.6]
• Java Version: [13.0.2]
• Ghidra Version: [ 9.1.1]

Additional context
In the long run the Ghidra default demangler could be implemented in a language which does not allow memory faults when using attacker created mangled symbols.

[astrelsky]

Related to #1195

The gnu demangler is a modifier version of well the gnu demangler. The issue may have existed within libiberty at some point. It may be solvable looking through the commit history in gcc.

[dragonmacher]

Our version of the gnu demangler is quite old, probably almost 10 years at this point. We intend to update it, but have not yet done so.