Date: Mon, 28 Feb 2011 04:52:00 -0000
From: Jan Kratochvil
To: Michael Snyder
Cc: "gdb-patches@sourceware.org"
Subject: Re: [commit] objc-lang.c: avoid string overrun
Message-ID: <20110228045034.GB12861@host1.dyn.jankratochvil.net>
In-Reply-To: <4D6B0553.6010803@vmware.com>
References: <4D6B0553.6010803@vmware.com>

Hi Michael,

On Mon, 28 Feb 2011 03:15:47 +0100, Michael Snyder wrote:
> --- objc-lang.c	10 Jan 2011 20:38:49 -0000	1.91
> +++ objc-lang.c	28 Feb 2011 02:13:37 -0000

  char myregexp[2048];

> @@ -720,7 +720,7 @@ selectors_info (char *regexp, int from_t
>  strcpy(myregexp, ".*]");
>  else
>  {
> - strcpy(myregexp, regexp);
> + strncpy(myregexp, regexp, sizeof (myregexp) - 1);
>  if (myregexp[strlen(myregexp) - 1] == '$') /* end of selector */
>  myregexp[strlen(myregexp) - 1] = ']'; /* end of method name */
>  else

I agree it fixes a bug.  But still if the limit applies then the immediately
following strlen will read uninitialized memory myregexp[2047].

Do you agree with this fix instead?
(Yes, the code should be completely different but we fix only bugs now.)

Thanks,
Jan

gdb/
2011-02-28  Jan Kratochvil

	* objc-lang.c (selectors_info): Error on too long REGEXP.

--- a/gdb/objc-lang.c
+++ b/gdb/objc-lang.c
@@ -720,7 +720,9 @@ selectors_info (char *regexp, int from_tty)
 strcpy(myregexp, ".*]");
 else
 {
- strncpy(myregexp, regexp, sizeof (myregexp) - 1);
+ if (sizeof (myregexp) < strlen (regexp) + 1)
+ error (_("Regexp is too long: %s"), regexp);
+ strcpy(myregexp, regexp);
 if (myregexp[strlen(myregexp) - 1] == '$') /* end of selector */
 myregexp[strlen(myregexp) - 1] = ']'; /* end of method name */
 else
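Review bot: on the quoted `+ strncpy(myregexp, regexp, sizeof (myregexp) - 1);` line, strncpy writes no terminator once strlen(regexp) >= sizeof (myregexp) - 1, so myregexp[2047] keeps whatever the stack held and the `strlen(myregexp)` on the very next line reads past the copied bytes; the copy also silently truncates the pattern, so the `'$'` test then inspects a character the user never meant to be last. Either add `myregexp[sizeof (myregexp) - 1] = '\0';` right after the strncpy or reject over-long input before copying.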
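Review bot: the added length check makes the strcpy that follows it safe and, unlike strncpy, never truncates, so the `'$'` test sees the real last character; two small points on the `+` lines: `strlen (regexp) >= sizeof (myregexp)` states the same condition more directly than `sizeof (myregexp) < strlen (regexp) + 1`, and the re-added `strcpy(myregexp, regexp);` lacks the space before the parenthesis that `strlen (regexp)` two lines above uses, so the hunk mixes styles. Also note that the unchanged `if (myregexp[strlen(myregexp) - 1] == '$')` still relies on regexp being non-empty at this point (a zero length makes the index wrap), which the new check does not establish on its own.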
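The two copies discussed in this thread, side by side, as an added example rather than gdb's own code or either patch as posted: the buffer is shrunk from 2048 to 8 bytes so the boundary cases fit in a test, it is a static array here (a stack array in gdb, where the byte strncpy never writes is simply indeterminate) and it is poisoned with 'X' so an unterminated copy is observable. MYREGEXP_SIZE, copy_with_strncpy, copy_with_check, prepare_selector_regexp and myregexp_text are names invented for this example; the `'$'` to `']'` rewrite mirrors the unchanged line that follows the copy in selectors_info.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for `char myregexp[2048]' in selectors_info (size assumed,
   shrunk for the example).  Static rather than on the stack so the
   helpers below can be checked without a caller-supplied array.  */
#define MYREGEXP_SIZE 8
static char myregexp[MYREGEXP_SIZE];

/* Current buffer contents; only meaningful after a copy that left a NUL.  */
const char *myregexp_text(void)
{
  return myregexp;
}

/* The first patch in miniature: strncpy bounded to sizeof - 1.
   Returns 1 if a NUL ended up somewhere in the buffer, 0 if the copy
   filled all MYREGEXP_SIZE - 1 bytes without one, i.e. the case where a
   following strlen(myregexp) would read past the copied bytes.  */
int copy_with_strncpy(const char *regexp)
{
  /* Poison the whole buffer so an unterminated copy is visible; on the
     real stack array the last byte is merely never initialised.  */
  memset(myregexp, 'X', sizeof myregexp);
  strncpy(myregexp, regexp, sizeof myregexp - 1);
  return memchr(myregexp, '\0', sizeof myregexp) != NULL;
}

/* The second patch in miniature: reject a regexp that would not fit
   (NUL included), then strcpy.  gdb raises error() here, which does not
   return; this stand-in returns -1 instead, and 0 on success.  */
int copy_with_check(const char *regexp)
{
  if (sizeof myregexp < strlen(regexp) + 1)
    return -1;
  strcpy(myregexp, regexp);
  return 0;
}

/* Checked copy followed by the rewrite that selectors_info performs next:
   a trailing '$' (end of selector) becomes ']' (end of method name).
   That rewrite relies on the buffer being NUL-terminated and non-empty,
   which is exactly what the copy step has to guarantee.  */
int prepare_selector_regexp(const char *regexp)
{
  size_t len;
  if (copy_with_check(regexp) != 0)
    return -1;
  len = strlen(myregexp);
  if (len > 0 && myregexp[len - 1] == '$')
    myregexp[len - 1] = ']';
  return 0;
}

int main(void)
{
  /* Constructed inputs: well inside the limit, exactly at the strncpy
     limit with a trailing '$', exactly at the limit, and one byte over.  */
  const char *inputs[] = { "abc", "abcdef$", "abcdefg", "abcdefgh" };
  size_t i;
  for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
    {
      int nul = copy_with_strncpy(inputs[i]);
      printf("strncpy  %-9s -> %s\n", inputs[i],
             nul ? "terminated" : "NO NUL in buffer, strlen would overrun");
      if (prepare_selector_regexp(inputs[i]) == 0)
        printf("checked  %-9s -> \"%s\"\n", inputs[i], myregexp_text());
      else
        printf("checked  %-9s -> rejected as too long\n", inputs[i]);
    }
  return 0;
}
```

Running it shows the asymmetry Jan points out: a 7-byte pattern is accepted by both versions, but only the checked copy leaves a terminator for the strlen that follows, and an 8-byte pattern is refused outright instead of being silently cut to 7 characters.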