Date: Thu, 19 Mar 2015 21:44:00 -0000
From: Anton Blanchard
To: gdb-patches@sourceware.org, eliz@gnu.org
Subject: Re: [PATCH] TUI: Fix buffer overflow in tui_expand_tabs
Message-ID: <20150320084412.720ac565@kryten>
In-Reply-To: <20150317103009.538f2b3d@kryten>

Hi,

> tui_expand_tabs writes past the end of the buffers it allocates
> because we forget to zero out col. This results in us adding more
> spaces than we need to get aligned, and we write past the end of the
> allocated buffer.
>
> This was noticed on Ubuntu Vivid ppc64le, where gdb would SEGV when
> using the TUI.

Any feedback on this? We either need to fix it, or back out commit 312809f88389 ("Make sure TABs are expanded in TUI windows on MS-Windows.")

Anton

> 2015-03-17 Anton Blanchard > > gdb/ChangeLog: > * tui/tui-io.c (tui_expand_tabs): Zero col before reusing. > --- > gdb/ChangeLog | 4 ++++ > gdb/tui/tui-io.c | 2 +- > 2 files changed, 5 insertions(+), 1 deletion(-) > > diff --git a/gdb/ChangeLog b/gdb/ChangeLog > index d984565..4e0177a 100644 > --- a/gdb/ChangeLog > +++ b/gdb/ChangeLog > @@ -1,3 +1,7 @@ > +2015-03-17 Anton Blanchard > + > + * tui/tui-io.c (tui_expand_tabs): Zero col before reusing. > + > 2015-03-16 John Baldwin > > * fbsd-tdep.c (fbsd_make_corefile_notes): Fetch all target > registers diff --git a/gdb/tui/tui-io.c b/gdb/tui/tui-io.c > index a8af9b6..02ae17d 100644 > --- a/gdb/tui/tui-io.c > +++ b/gdb/tui/tui-io.c > @@ -690,7 +690,7 @@ tui_expand_tabs (const char *string, int col) > ret = q = xmalloc (strlen (string) + n_adjust + 1); > > /* 2. Copy the original string while replacing TABs with spaces. > */ > - for (s = string; s; ) > + for (col = 0, s = string; s; ) > { > char *s1 = strpbrk (s, "\t"); > if (s1)
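Review bot: resetting `col` to 0 in the copy-loop header (`for (col = 0, s = string; s; )`) discards the starting column the caller passed to `tui_expand_tabs (const char *string, int col)`, yet the buffer being filled was sized just above (`xmalloc (strlen (string) + n_adjust + 1)`) by the counting pass that started from that same `col`; the two passes only agree on the amount of padding when the function is entered with `col == 0`. Either state in the ChangeLog entry why 0 is the right starting column, or save the incoming value before the counting pass and restore it here (`col = start_col`) so both passes expand from the same column. Independently of which value is correct, a `gdb_assert (q - ret <= strlen (string) + n_adjust)` after the copy loop would turn any future disagreement between the two passes into a clean assertion failure rather than a silent heap overflow.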
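The failure mode the report describes (a size pass and a copy pass that disagree on how many spaces a TAB needs, so the copy runs past the allocation) is easier to see in a small stand-alone expander. The following is an added example written for this page, not gdb's code: it keeps the same two-pass shape, sizes and fills from the same starting column, and bounds-checks every write so that a pass-1/pass-2 mismatch fails closed instead of overflowing. The function names, the `TAB_WIDTH` of 8 and the sample inputs are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAB_WIDTH 8   /* assumed tab stop spacing for this example */

/* Pass 1: number of bytes (without the NUL) the expansion of S needs
   when S begins at screen column START_COL.  */
size_t tab_expanded_len(const char *s, int start_col)
{
    size_t len = 0;
    int col = start_col;
    for (; *s != '\0'; s++) {
        if (*s == '\t') {
            int pad = TAB_WIDTH - (col % TAB_WIDTH);  /* 1..TAB_WIDTH spaces */
            len += (size_t) pad;
            col += pad;
        } else {
            len++;
            col++;
        }
    }
    return len;
}

/* Pass 2: expand S into OUT, which holds CAP bytes including the NUL.
   Returns the number of bytes written before the NUL, or -1 if the
   expansion would not fit.  The bound check is what makes a disagreement
   between the two passes a detected error rather than a heap overflow.  */
long tab_expand_into(const char *s, int start_col, char *out, size_t cap)
{
    size_t n = 0;
    int col = start_col;
    for (; *s != '\0'; s++) {
        if (*s == '\t') {
            do {
                if (n + 1 >= cap) return -1;   /* keep room for the NUL */
                out[n++] = ' ';
                col++;
            } while (col % TAB_WIDTH != 0);
        } else {
            if (n + 1 >= cap) return -1;
            out[n++] = *s;
            col++;
        }
    }
    out[n] = '\0';
    return (long) n;
}

/* Size, allocate and fill, all from the same START_COL.  This is the
   invariant the gdb fix is about: both passes must start from one column.  */
char *tab_expand(const char *s, int start_col)
{
    size_t cap = tab_expanded_len(s, start_col) + 1;
    char *out = malloc(cap);
    if (out == NULL) return NULL;
    if (tab_expand_into(s, start_col, out, cap) < 0) {
        free(out);   /* unreachable when both passes share START_COL */
        return NULL;
    }
    return out;
}

/* Reproduces the class of mistake in the report: size the buffer for one
   starting column, then fill it as if starting from another.  Returns 1 if
   the checked writer refused the oversize expansion, 0 if it fit.  */
int tab_expand_mismatch_is_caught(const char *s, int size_col, int fill_col)
{
    size_t cap = tab_expanded_len(s, size_col) + 1;
    char *out = malloc(cap);
    if (out == NULL) return 0;
    long rc = tab_expand_into(s, fill_col, out, cap);
    free(out);
    return rc < 0;
}

/* Helper: 1 if expanding S from START_COL yields exactly EXPECTED.  */
int tab_expand_equals(const char *s, int start_col, const char *expected)
{
    char *out = tab_expand(s, start_col);
    int ok = out != NULL && strcmp(out, expected) == 0;
    free(out);
    return ok;
}

int main(void)
{
    const char *sample = "name:\tvalue";   /* constructed input */
    char *out = tab_expand(sample, 0);
    if (out != NULL) {
        printf("[%s]\n", out);
        free(out);
    }
    /* Sized for column 3, filled as if from column 0: the TAB needs 8
       spaces instead of 5 and the checked writer refuses.  */
    printf("mismatch caught: %d\n", tab_expand_mismatch_is_caught("\tx", 3, 0));
    return 0;
}
```

The `do { ... } while (col % TAB_WIDTH != 0)` in pass 2 mirrors the loop shape in the patched gdb function; what keeps it safe here is that `col` starts from the same value pass 1 used, plus the explicit `cap` check, which an `xmalloc`-then-copy pattern without a bound cannot provide.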