From: Tom de Vries
To: gdb-patches@sourceware.org
Subject: [PATCH] [gdb] Fix heap-buffer-overflow in args_complete_p
Date: Sat, 3 Jan 2026 15:55:59 +0100
Message-ID: <20260103145559.2722584-1-tdevries@suse.de>

PR gdb/33754 reports a heap-buffer-overflow here in args_complete_p:
...
  while (*input != '\0')
...

Fix this by introducing a lambda function, at, that safely handles all char
array accesses.

Also:
- factor out char array accesses using new variables c and next_c, and
- check for end-of-string after skip_spaces.

Tested on x86_64-linux.

Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=33754
---
 gdb/infcmd.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/gdb/infcmd.c b/gdb/infcmd.c
index 875bbe1ee69..ceacfd05683 100644
--- a/gdb/infcmd.c
+++ b/gdb/infcmd.c
@@ -126,17 +126,27 @@ static bool args_complete_p (const std::string &args) { const char *input = args.c_str (); + const char *end = input + args.length (); bool squote = false, dquote = false; - while (*input != '\0') + auto at = [&] (const char *s) + { + return s > end ? '\0' : *s; + }; + + while (at (input) != '\0') { input = skip_spaces (input); + char c = at (input); + if (c == '\0') + break; + char next_c = at (input + 1); if (squote) { /* Inside a single quoted argument, look for the closing single quote. */ - if (*input == '\'') + if (c == '\'') squote = false; } else if (dquote) @@ -148,10 +158,10 @@ args_complete_p (const std::string &args) and we don't skip the entire '\\' then we'll only skip the first '\', in which case we might see the second '\' as a '\"' sequence, which would be wrong. */ - if (*input == '\\' && strchr ("\"\\", *(input + 1)) != nullptr) + if (c == '\\' && strchr ("\"\\", next_c) != nullptr) ++input; /* Otherwise, just look for the closing double quote. */ - else if (*input == '"') + else if (c == '"') dquote = false; } else @@ -162,7 +172,7 @@ args_complete_p (const std::string &args) a quoted argument. The '\\' we need to skip so we don't just skip the first '\' and then incorrectly consider the second '\' are part of a '\"' or '\'' sequence. */ - if (*input == '\\' && strchr ("\"\\'", *(input + 1)) != nullptr) + if (c == '\\' && strchr ("\"\\'", next_c) != nullptr) ++input; /* Otherwise, check for the start of a single or double quoted argument. Single quotes have no special meaning on Windows @@ -170,10 +180,10 @@ args_complete_p (const std::string &args) host to determine what is, or isn't a special character, when really, this is a function of the target. */ #ifndef _WIN32 - else if (*input == '\'') + else if (c == '\'') squote = true; #endif - else if (*input == '"') + else if (c == '"') dquote = true; } base-commit: 0a153c58a0ab68c6fa349d2ad0bf6a42e043ab23 -- 2.51.0
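Review bot: In the two rewritten escape checks, `strchr ("\"\\", next_c)` and `strchr ("\"\\'", next_c)`, a next_c of '\0' still matches, because strchr also searches the terminating NUL of its pattern string. The new at helper bounds every later read, so this no longer walks off the buffer, but a string ending in a lone backslash is still consumed as an escape (the `++input` after the match skips onto the terminator). If that is not the intended semantics, guard the calls with `next_c != '\0' &&`. Minor: the at lambda could compare `s >= end`, since *end is the std::string terminator anyway, which states the bound more directly. A regression test in the gdb testsuite with the PR gdb/33754 input would keep the overflow from silently returning.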