From: Yao Qi <qiyaoltc@gmail.com>
To: gdb-patches@sourceware.org
Cc: keiths@redhat.com
Subject: [PATCH master/7.12] Fix heap-buffer-overflow in explicit_location_lex_one
Date: Fri, 12 Aug 2016 12:45:00 -0000 [thread overview]
Message-ID: <1471005890-24205-1-git-send-email-yao.qi@linaro.org> (raw)
I build GDB with -fsanitize=address, and see the error in tests,
(gdb) PASS: gdb.linespec/ls-errs.exp: lang=C++: break 3 foo
break -line 3 foo^M
=================================================================^M
==4401==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000047487 at pc 0x819d8e bp 0x7fff4e4e6bb0 sp 0x7fff4e4e6ba8^M
READ of size 1 at 0x603000047487 thread T0^[[1m^[[0m^M
#0 0x819d8d in explicit_location_lex_one /home/yao/SourceCode/gnu/gdb/git/gdb/location.c:502^M
#1 0x81a185 in string_to_explicit_location(char const**, language_defn const*, int) /home/yao/SourceCode/gnu/gdb/git/gdb/location.c:556^M
#2 0x81ac10 in string_to_event_location(char**, language_defn const*) /home/yao/SourceCode/gnu/gdb/git/gdb/location.c:687^
the code in question is:
> /* Special case: C++ operator,. */
> if (language->la_language == language_cplus
> && strncmp (*inp, "operator", 8) <--- [1]
> && (*inp)[9] == ',')
> (*inp) += 9;
> ++(*inp);
The error is caused by the access to (*inp)[9] if 9 is out of its bounds.
However [1] looks odd to me, because if strncmp returns true (non-zero),
the following check "(*inp)[9] == ','" makes no sense any more. I
suspect it was a typo in the code we meant to "strncmp () == 0". Another
problem in the code above is that if *inp is "operator,", we first
increment *inp by 9, and then increment it by one again, which is wrong
to me. We should only increment *inp by 8 to skip "operator", and go
back to the loop header to decide where we stop.
Is it OK?
gdb:
2016-08-11 Yao Qi <yao.qi@linaro.org>
* location.c (explicit_location_lex_one): Compare the return
value of strncmp with zero. Don't check (*inp)[9]. Increment
*inp by 8.
---
gdb/location.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/gdb/location.c b/gdb/location.c
index 071d262..65116c7 100644
--- a/gdb/location.c
+++ b/gdb/location.c
@@ -498,9 +498,8 @@ explicit_location_lex_one (const char **inp,
{
/* Special case: C++ operator,. */
if (language->la_language == language_cplus
- && strncmp (*inp, "operator", 8)
- && (*inp)[9] == ',')
- (*inp) += 9;
+ && strncmp (*inp, "operator", 8) == 0)
+ (*inp) += 8;
++(*inp);
}
}
--
1.9.1
next reply other threads:[~2016-08-12 12:45 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-12 12:45 Yao Qi [this message]
2016-08-12 16:39 ` Keith Seitz
2016-08-15 11:34 ` Yao Qi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1471005890-24205-1-git-send-email-yao.qi@linaro.org \
--to=qiyaoltc@gmail.com \
--cc=gdb-patches@sourceware.org \
--cc=keiths@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox