Mirror of the gdb-patches mailing list
From: Joel Brobecker <brobecker@adacore.com>
To: Tom Tromey <tom@tromey.com>
Cc: gdb-patches@sourceware.org
Subject: Re: [PATCH] Fix buffer overflow in ada-lang.c:move_bits
Date: Thu, 01 Nov 2018 15:35:00 -0000
Message-ID: <20181101153517.GA2705@adacore.com>
In-Reply-To: <20181024162037.21024-1-tom@tromey.com>

Hi Tom,

> -fsanitize=address showed that ada-lang.c:move_bits can run off the
> end of the source buffer.  I believe this patch fixes the problem, by
> arranging not to read from the source buffer once there are sufficient
> bits in the accumulator.
> 
> gdb/ChangeLog
> 2018-10-23  Tom Tromey  <tom@tromey.com>
> 
> 	* ada-lang.c (move_bits): Don't run off the end of the source
> 	buffer.

Thanks for the patch!

This is a part of the code that always forces me to think twice
(or ten times), each time I try to touch it. I should really start
adding comments to this code that detail what we are trying to do
as we do it.

I tested your change through our testsuite on the various baremetal
targets we have, and noticed that it causes regressions on ppc and arm
targets. It's hopefully something small, but just being back from
a holiday, I'm a bit tied up at work; I'll put that issue on my TODO
list to look at further.

> ---
>  gdb/ChangeLog  |  5 +++++
>  gdb/ada-lang.c | 18 ++++++++++++------
>  2 files changed, 17 insertions(+), 6 deletions(-)
> 
> diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c
> index 1462271a71..7288d65df6 100644
> --- a/gdb/ada-lang.c
> +++ b/gdb/ada-lang.c
> @@ -2682,9 +2682,12 @@ move_bits (gdb_byte *target, int targ_offset, const gdb_byte *source,
>          {
>            int unused_right;
>  
> -          accum = (accum << HOST_CHAR_BIT) + (unsigned char) *source;
> -          accum_bits += HOST_CHAR_BIT;
> -          source += 1;
> +	  if (n > accum_bits)
> +	    {
> +	      accum = (accum << HOST_CHAR_BIT) + (unsigned char) *source;
> +	      accum_bits += HOST_CHAR_BIT;
> +	      source += 1;
> +	    }
>            chunk_size = HOST_CHAR_BIT - targ_offset;
>            if (chunk_size > n)
>              chunk_size = n;
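Review bot: the new guard `if (n > accum_bits)` is only safe because of an invariant the hunk leaves unstated: when the read is skipped we have `n <= accum_bits`, and `chunk_size` is clamped to at most `n` two lines later, so the accumulator always holds at least `chunk_size` bits when the chunk is extracted into `unused_right` and the target. Please spell that out in a comment above the `if`, since that is exactly the reasoning a reader has to reconstruct to convince themselves the skip cannot underflow the accumulator. Given the ppc and arm regressions reported above, a testsuite case that ends mid-byte (an `n` that is not a multiple of `HOST_CHAR_BIT`, with a non-zero source offset) in this big-endian branch would also pin down the intended behaviour at the exact point the fix changes.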
> @@ -2707,9 +2710,12 @@ move_bits (gdb_byte *target, int targ_offset, const gdb_byte *source,
>  
>        while (n > 0)
>          {
> -          accum = accum + ((unsigned char) *source << accum_bits);
> -          accum_bits += HOST_CHAR_BIT;
> -          source += 1;
> +	  if (n > accum_bits)
> +	    {
> +	      accum = accum + ((unsigned char) *source << accum_bits);
> +	      accum_bits += HOST_CHAR_BIT;
> +	      source += 1;
> +	    }
>            chunk_size = HOST_CHAR_BIT - targ_offset;
>            if (chunk_size > n)
>              chunk_size = n;
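Review bot: this hunk repeats the guard and the three fetch statements from the big-endian branch verbatim, and the added lines are tab-indented while the surrounding context lines use spaces, so the block now reads as mixed indentation. Since the "fetch another byte only while more bits are owed" step is identical in both branches, consider lifting it into a small static helper, or at least documenting it once, so the two copies cannot drift apart. The ChangeLog entry could also state the actual rule ("only read a further source byte while `n > accum_bits`") rather than just "Don't run off the end of the source buffer", which describes the symptom but not the change.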
> -- 
> 2.17.1

-- 
Joel
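To make the over-read described in the commit message concrete, and to show why deferring the fetch stops it, here is an added C example; it is not gdb's move_bits and is not part of the patch. The function copy_bits_le, the helpers demo_result and demo_consumed, and the two-byte input are all constructed for this illustration: the loop is a simplified little-endian-only variant of the move_bits shape, with the source length passed in so that an out-of-bounds read is refused and reported rather than being caught by a sanitizer. The lazy_read flag switches between the pre-patch behaviour (one byte fetched on every pass) and the guarded behaviour (fetch only while more bits are still needed than the accumulator holds).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOST_CHAR_BIT 8

/* Constructed example, not gdb's code: a bit-copy loop in the style of
   ada-lang.c:move_bits, little-endian bit order only.  SRC_LEN is the
   length of SOURCE in bytes.  With LAZY_READ non-zero the loop pulls in a
   new source byte only while it still needs more bits than the
   accumulator holds (the guard the patch adds); with LAZY_READ zero it
   reads one byte on every pass, as the pre-patch loop did.
   Returns the number of source bytes consumed, or -1 if a read would
   have fallen outside SOURCE (the read is refused rather than done).  */
int
copy_bits_le (uint8_t *target, int targ_offset,
              const uint8_t *source, size_t src_len, int src_offset,
              int n, int lazy_read)
{
  unsigned int accum, mask;
  int accum_bits, chunk_size;
  size_t idx;

  target += targ_offset / HOST_CHAR_BIT;
  targ_offset %= HOST_CHAR_BIT;
  idx = (size_t) (src_offset / HOST_CHAR_BIT);
  src_offset %= HOST_CHAR_BIT;

  /* Prime the accumulator with the partial first byte.  */
  if (idx >= src_len)
    return -1;
  accum = (unsigned int) source[idx++] >> src_offset;
  accum_bits = HOST_CHAR_BIT - src_offset;

  while (n > 0)
    {
      /* Invariant that makes the lazy guard safe: if the fetch is skipped
         then n <= accum_bits, and chunk_size <= n below, so the chunk
         extracted from the accumulator is always backed by real bits.  */
      if (!lazy_read || n > accum_bits)
        {
          if (idx >= src_len)
            return -1;          /* the over-read the sanitizer flagged */
          accum += (unsigned int) source[idx++] << accum_bits;
          accum_bits += HOST_CHAR_BIT;
        }
      chunk_size = HOST_CHAR_BIT - targ_offset;
      if (chunk_size > n)
        chunk_size = n;
      mask = (1u << chunk_size) - 1;
      *target = (uint8_t) ((*target & ~(mask << targ_offset))
                           | ((accum & mask) << targ_offset));
      accum >>= chunk_size;
      accum_bits -= chunk_size;
      n -= chunk_size;
      target += 1;
      targ_offset = 0;
    }
  return (int) idx;
}

/* Worked input (constructed): copy the 12 bits starting at bit 4 of a
   two-byte buffer into a zeroed two-byte target.  After the first store
   the accumulator already holds the remaining 4 bits, so the pre-patch
   loop asks for a third byte that does not exist.  Returns -1 on an
   out-of-bounds read, else the target packed as out[1] << 8 | out[0].  */
int
demo_result (int lazy_read)
{
  static const uint8_t src[2] = { 0xAB, 0xCD };
  uint8_t out[2] = { 0, 0 };
  int consumed = copy_bits_le (out, 0, src, sizeof src, 4, 12, lazy_read);
  if (consumed < 0)
    return -1;
  return (out[1] << 8) | out[0];
}

/* Same input, reporting how many source bytes were consumed, or -1 when
   the loop tried to read past the end of the buffer.  */
int
demo_consumed (int lazy_read)
{
  static const uint8_t src[2] = { 0xAB, 0xCD };
  uint8_t out[2] = { 0, 0 };
  return copy_bits_le (out, 0, src, sizeof src, 4, 12, lazy_read);
}

int
main (void)
{
  printf ("unconditional fetch: %d (expect -1, out-of-bounds read)\n",
          demo_result (0));
  printf ("guarded fetch: 0x%04x from %d bytes (expect 0x0cda from 2)\n",
          demo_result (1), demo_consumed (1));
  return 0;
}
```

The guarded run stops after exactly the two bytes that exist and produces the expected 0x0CDA, while the unconditional run is refused at the third byte; on the real code that third access is the read -fsanitize=address reported.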

