From: Pedro Alves
To: gdb-patches@sourceware.org
Cc: Michael Snyder, Doug Evans
Subject: Re: [RFA] off by one array reference in i386-low.c/i386_show_dr
Date: Sun, 27 Feb 2011 17:01:00 -0000
References: <4D698427.2050301@vmware.com>
In-Reply-To: <4D698427.2050301@vmware.com>
Message-Id: <201102271655.15841.pedro@codesourcery.com>
Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm
X-SW-Source: 2011-02/txt/msg00833.txt.bz2

On Saturday 26 February 2011 22:52:23, Michael Snyder wrote:
> I'm not 100 percent sure this is right, but I do know that
> as written, it will overflow the array dr_mirror.

How?  'i' is incremented twice on each iteration.

> Index: i386-low.c
> ===================================================================
> RCS file: /cvs/src/src/gdb/gdbserver/i386-low.c,v
> retrieving revision 1.5
> diff -u -p -u -p -r1.5 i386-low.c
> --- i386-low.c	1 Jan 2011 15:33:24 -0000	1.5
> +++ i386-low.c	26 Feb 2011 22:48:38 -0000
> @@ -195,7 +195,7 @@ i386_show_dr (struct i386_debug_reg_stat
>  \tDR%d: addr=0x%s, ref.count=%d DR%d: addr=0x%s, ref.count=%d\n",
>  i, paddress (state->dr_mirror[i]),
>  state->dr_ref_count[i],
> - i + 1, paddress (state->dr_mirror[i + 1]),
> + i + 1, paddress (state->dr_mirror[i]),
>  state->dr_ref_count[i + 1]);

Even if there's a chance of overflow that I'm not seeing, this change is
obviously wrong.

>  i++;
>  }

-- 
Pedro Alves
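Review bot: the `+` line in this hunk replaces `paddress (state->dr_mirror[i + 1])` with `paddress (state->dr_mirror[i])` while the next context line still passes `state->dr_ref_count[i + 1]`, so the second column of the output would show DR i's address beside DR i+1's reference count; that does not remove any overflow, it only makes the printed state wrong. If an out-of-bounds read of `dr_mirror[i + 1]` is really possible, the place to address it is the loop bound or the trailing `i++` in the quoted context (as the reply notes, `i` advances twice per iteration, so the pair i, i+1 is printed per iteration by design), not the index in the format arguments; the original `- i + 1, paddress (state->dr_mirror[i + 1]),` should stay as it is.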