From mboxrd@z Thu Jan  1 00:00:00 1970
From: Fernando Nasser <fnasser@redhat.com>
To: Eirik Fuller <eirik@hackrat.com>
Cc: gdb-patches@sourceware.cygnus.com
Subject: Re: [patch] read_command_lines can return freed memory
Date: Fri, 15 Jun 2001 08:00:00 -0000
Message-id: <3B2A2258.639532FC@redhat.com>
References: <20010615080029.8484D40014@hackrat.com>
X-SW-Source: 2001-06/msg00289.html

Nice catch Eirik.  Thanks.

I guess this has gone unnoticed for so long because it only happens when
a control structure first line is invalid.  Anyway, we should think of a
more contrived example to create a test case...

W.r.t. the fix, I believe the missing pointer reset is in
free_command_lines().  I guess that was the creator's intention as the
argument implies that it will be modified (it is passed by reference).

Please try the attached patch.

Regards,
Fernando


Eirik Fuller wrote:
> 
> When sourcing a script file with improperly nested control statments,
> gdb can store a pointer to freed memory in a cmd_list_element struct,
> which can cause subsequent crashes.  One test case is to source this
> script file twice:
> 
> define  fp
>     set $frame = (long *) $arg0
>     while $frame[0] > $frame
>         printf "%08x: %08x %08x\n", $frame, $frame[0], $frame[1]
>         if $frame[1]
>             if ((uchar **)$frame)[1][-5] == 0xe8
>                 x/i $frame[1] - 5
>             else
>                 if ((uchar **)$frame)[1][-2] == 0xff
>                     x/i $frame[1] - 2
>                 else
>                     x/i $frame[1]
> #               end
>             end
>         else
>             x/i $frame[2]
>         end
>         set $frame = (long *) $frame[0]
>     end
> end
> 
> Removing the # results in a script file which can be sourced with no
> errors.  The patch included here prevents the crash.  Here's a
> ChangeLog entry:
> 
> 2001-06-15  Eirik Fuller  <eirik@hackrat.com>
> 
>         * cli/cli-script.c (read_command_lines): Don't return freed
>         memory.
> 
> Here's the patch:
> 
> --- gdb+dejagnu-20010615/gdb/cli/cli-script.c-  Tue Mar 13 14:29:14 2001
> +++ gdb+dejagnu-20010615/gdb/cli/cli-script.c   Thu Jun 14 22:53:17 2001
> @@ -995,7 +995,10 @@
>           discard_cleanups (old_chain);
>         }
>        else
> -       do_cleanups (old_chain);
> +       {
> +         do_cleanups (old_chain);
> +         head = NULL;
> +       }
>      }
> 
>    if (readline_end_hook)

-- 
Fernando Nasser
Red Hat Canada Ltd.                     E-Mail:  fnasser@redhat.com
2323 Yonge Street, Suite #300
Toronto, Ontario   M4P 2C9
Index: cli/cli-script.c
===================================================================
RCS file: /cvs/src/src/gdb/cli/cli-script.c,v
retrieving revision 1.6
diff -c -p -r1.6 cli-script.c
*** cli-script.c	2001/03/13 22:29:14	1.6
--- cli-script.c	2001/06/15 14:53:13
*************** free_command_lines (struct command_line 
*** 1028,1033 ****
--- 1028,1034 ----
        xfree (l);
        l = next;
      }
+   *lptr = NULL;
  }
  
  static void
>From ac131313@cygnus.com Fri Jun 15 08:15:00 2001
From: Andrew Cagney <ac131313@cygnus.com>
To: Joel Brobecker <brobecker@act-europe.fr>
Cc: gdb-patches@sources.redhat.com
Subject: Re: [RFA] Add 2 persons in MAINTAINERS
Date: Fri, 15 Jun 2001 08:15:00 -0000
Message-id: <3B2A1AA5.30607@cygnus.com>
References: <20010615093709.B10775@act-europe.fr>
X-SW-Source: 2001-06/msg00290.html
Content-length: 34

It's an obvious fix :-)

	Andrew