From: Michael Snyder
Date: Mon, 28 Feb 2011 18:02:00 -0000
To: Jan Kratochvil
CC: gdb-patches@sourceware.org
Subject: Re: [commit] objc-lang.c: avoid string overrun
Message-ID: <4D6BE2BD.4070608@vmware.com>
In-Reply-To: <20110228045034.GB12861@host1.dyn.jankratochvil.net>

Jan Kratochvil wrote:
> Hi Michael,
>
> On Mon, 28 Feb 2011 03:15:47 +0100, Michael Snyder wrote:
>> --- objc-lang.c 10 Jan 2011 20:38:49 -0000 1.91 >> +++ objc-lang.c 28 Feb 2011 02:13:37 -0000 > char myregexp[2048];
>> @@ -720,7 +720,7 @@ selectors_info (char *regexp, int from_t >> strcpy(myregexp, ".*]"); >> else >> { >> - strcpy(myregexp, regexp); >> + strncpy(myregexp, regexp, sizeof (myregexp) - 1); >> if (myregexp[strlen(myregexp) - 1] == '$') /* end of selector */ >> myregexp[strlen(myregexp) - 1] = ']'; /* end of method name */ >> else > > I agree it fixes a bug. But still if the limit applies then the immediately > following strlen will read uninitialized memory myregexp[2047]. > > Do you agree with this fix instead? > > (Yes, the code should be completely different but we fix only bugs now.) OK, please apply. > gdb/ > 2011-02-28 Jan Kratochvil > > * objc-lang.c (selectors_info): Error on too long REGEXP. > > --- a/gdb/objc-lang.c > +++ b/gdb/objc-lang.c > @@ -720,7 +720,9 @@ selectors_info (char *regexp, int from_tty) > strcpy(myregexp, ".*]"); > else > { > - strncpy(myregexp, regexp, sizeof (myregexp) - 1); > + if (sizeof (myregexp) < strlen (regexp) + 1) > + error (_("Regexp is too long: %s"), regexp); > + strcpy(myregexp, regexp); > if (myregexp[strlen(myregexp) - 1] == '$') /* end of selector */ > myregexp[strlen(myregexp) - 1] = ']'; /* end of method name */ > else
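Review bot: in the second hunk the new check `if (sizeof (myregexp) < strlen (regexp) + 1)` is exact for the `strcpy(myregexp, regexp)` that follows, but it only guards that copy; the `else` branch that closes the visible context is cut off, and if it appends to myregexp the way the NULL case supplies ".*]", the bound needs those extra bytes as well (e.g. `strlen (regexp) + 1 + 3`). Separately, `myregexp[strlen(myregexp) - 1]` still assumes a non-empty regexp; if a caller can pass "" this indexes before the array, so either a `*regexp == '\0'` guard or a comment stating the precondition would help. Minor: the new line uses GNU call spacing (`strlen (regexp)`) while the adjacent `strcpy(myregexp, ...)` does not; worth picking one within the hunk.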
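To make the point Jan raises concrete, here is an added example (not GDB's code) that models selectors_info's fixed-size buffer at a reduced size and contrasts the two copy strategies from the thread; the ".*]" suffix appended in the non-'$' branch is an assumption taken from the NULL case, since that branch is cut off in the quoted hunk.

```c
/* Added example, not GDB's code: a scaled-down model of selectors_info's
   fixed-size myregexp buffer with the two copy strategies from the thread.
   The ".*]" suffix in the non-'$' branch is assumed from the NULL case.  */
#include <stdio.h>
#include <string.h>

#define MYREGEXP_SIZE 16  /* constructed: GDB's buffer is char myregexp[2048] */

/* The first patch: strncpy with sizeof - 1.  When the source fills the
   buffer no NUL is written, so the strlen() that follows in selectors_info
   would read past the copied bytes.  Returns 1 if a terminator is present.  */
static int strncpy_leaves_terminator(const char *regexp)
{
    char myregexp[MYREGEXP_SIZE];

    memset(myregexp, 'X', sizeof myregexp);  /* stand-in for stale stack bytes */
    strncpy(myregexp, regexp, sizeof (myregexp) - 1);
    return memchr(myregexp, '\0', sizeof myregexp) != NULL;
}

/* The applied fix, extended so the bound also covers what is appended
   afterwards: a trailing '$' is replaced in place, anything else gets
   ".*]" added.  Returns the built regexp, or NULL when it cannot fit.  */
static const char *build_selector_regexp(const char *regexp)
{
    static char myregexp[MYREGEXP_SIZE];
    const char suffix[] = ".*]";
    size_t len = strlen(regexp);
    int ends_in_dollar = len > 0 && regexp[len - 1] == '$';
    size_t need = len + 1 + (ends_in_dollar ? 0 : sizeof suffix - 1);

    if (len == 0 || need > sizeof myregexp)  /* empty input would index [-1] */
        return NULL;
    memcpy(myregexp, regexp, len + 1);
    if (ends_in_dollar)
        myregexp[len - 1] = ']';             /* end of method name */
    else
        strcat(myregexp, suffix);
    return myregexp;
}

int main(void)
{
    const char *r = build_selector_regexp("abcdefghijklm");

    printf("strncpy terminated (short): %d\n", strncpy_leaves_terminator("foo"));
    printf("strncpy terminated (long):  %d\n", strncpy_leaves_terminator("abcdefghijklmno"));
    printf("13-char regexp: %s\n", r ? r : "rejected as too long");
    return 0;
}
```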