From: Pedro Alves
To: Doug Evans
CC: gdb-patches@sourceware.org, brobecker@adacore.com, saugustine@google.com
Date: Tue, 03 Dec 2013 20:29:00 -0000
Subject: Re: [PATCH] PR 16286: Reading python value as string beyond declared size
Message-ID: <529E3F10.6030607@redhat.com>

On 12/02/2013 11:14 PM, Doug Evans wrote:
> + if (*length > 0)
> + fetchlimit = UINT_MAX;

Shouldn't this be:

  if (*length > 0)
    fetchlimit = *length;

?

That is, if the caller specified a limit, why do we go over it?
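Review bot: the new check tests `*length > 0`, whereas the existing not_lval/lval_internalvar branch of c_get_string quoted below treats an explicit length as `*length >= 0`, so a caller-supplied length of 0 is "no explicit length" for this hunk but an explicit length further down. Use `if (*length >= 0)` here as well, or add a comment saying why 0 is deliberately excluded, so the two tests agree on what "a length was specified" means.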
Couldn't this new check be merged above, where we compute fetchlimit to begin with? With the comment there adjusted to something like:

+  /* If we have an explicit requested length, use that as fetchlimit.
+     Otherwise, if we know the size of the array, we can use it as
+     a limit on the number of characters to be fetched.  */

BTW, it looks like the not_lval/lval_internalvar path can blindly read beyond the value's contents buffer, if *length is bigger than the value's contents buffer size:

  /* If the string lives in GDB's memory instead of the inferior's,
     then we just need to copy it to BUFFER.  Also, since such strings
     are arrays with known size, FETCHLIMIT will hold the size of the
     array.  */
  if ((VALUE_LVAL (value) == not_lval
       || VALUE_LVAL (value) == lval_internalvar)
      && fetchlimit != UINT_MAX)
    {
      int i;
      const gdb_byte *contents = value_contents (value);

      /* If a length is specified, use that.  */
      if (*length >= 0)
        i = *length;
        ^^^^^^^^^^^^^
      else
        /* Otherwise, look for a null character.  */
        for (i = 0; i < fetchlimit; i++)
          if (extract_unsigned_integer (contents + i * width,
                                        width, byte_order) == 0)
            break;

      /* I is now either a user-defined length, the number of non-null
         characters, or FETCHLIMIT.  */
      *length = i * width;
      *buffer = xmalloc (*length);
      memcpy (*buffer, contents, *length);
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

-- 
Pedro Alves
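The over-read Pedro points at comes from `i = *length` being copied into `memcpy` with no comparison against either FETCHLIMIT or the size of the contents buffer. The following is an added example, written for this page and not code from GDB or from the patch under review: it models that branch in C with a constructed `toy_value` (a byte buffer plus its real size, standing in for GDB's `struct value`) and shows the shape of the missing check. `toy_get_string`, `toy_try`, `toy_status` and the nine-byte sample are all assumptions made up for the example; an explicit length is refused when it exceeds the declared array size or the bytes actually present, and the null scan is bounded by both.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a value whose contents live in the debugger's
   own memory (the not_lval / lval_internalvar case): a byte buffer plus
   the number of bytes really present.  Not GDB's struct value.  */
struct toy_value
{
  const uint8_t *contents;
  size_t size;			/* bytes available in CONTENTS */
};

/* Results of toy_get_string; failures are negative.  */
enum toy_status
{
  TOY_OK = 0,
  TOY_LENGTH_EXCEEDS_LIMIT = -1,	/* *LENGTH > FETCHLIMIT (declared size) */
  TOY_LENGTH_EXCEEDS_CONTENTS = -2,	/* *LENGTH * WIDTH > bytes in CONTENTS */
  TOY_BAD_ARGS = -3
};

/* Hardened counterpart of the quoted branch.  *LENGTH is the caller's
   requested element count, or -1 for "not specified"; WIDTH is the
   element size in bytes; FETCHLIMIT is the element count from the array
   type.  On success *BUFFER is a malloc'd copy of *LENGTH bytes.  An
   explicit *LENGTH is validated before anything is copied, and the null
   scan stops at the bytes that exist, so the memcpy cannot over-read.  */
static enum toy_status
toy_get_string (const struct toy_value *value, int width,
		unsigned int fetchlimit, int *length, uint8_t **buffer)
{
  size_t i, max_elems;

  if (value == NULL || width <= 0 || length == NULL || buffer == NULL)
    return TOY_BAD_ARGS;

  /* Elements that actually exist, whatever the declared type claims.  */
  max_elems = value->size / (size_t) width;
  if (max_elems > fetchlimit)
    max_elems = fetchlimit;

  if (*length >= 0)
    {
      /* Explicit length: check it instead of trusting it.  */
      if ((unsigned int) *length > fetchlimit)
	return TOY_LENGTH_EXCEEDS_LIMIT;
      if ((size_t) *length > value->size / (size_t) width)
	return TOY_LENGTH_EXCEEDS_CONTENTS;
      i = (size_t) *length;
    }
  else
    {
      /* Otherwise look for an all-zero element, bounded by MAX_ELEMS.  */
      for (i = 0; i < max_elems; i++)
	{
	  const uint8_t *elem = value->contents + i * (size_t) width;
	  int w;
	  for (w = 0; w < width && elem[w] == 0; w++)
	    ;
	  if (w == width)
	    break;
	}
    }

  *length = (int) (i * (size_t) width);
  *buffer = malloc (*length > 0 ? (size_t) *length : 1);
  if (*buffer == NULL)
    return TOY_BAD_ARGS;
  memcpy (*buffer, value->contents, (size_t) *length);
  return TOY_OK;
}

/* Constructed sample: nine bytes, declared type char[9].  "abc" is
   followed by a NUL and then five more non-zero bytes.  */
static const uint8_t toy_sample[9] = { 'a', 'b', 'c', 0, 'd', 'e', 'f', 'g', 'h' };

/* Run one WIDTH-1 request against the sample.  Returns the byte count
   copied on success, or the negative toy_status when refused.  */
static int
toy_try (int requested, unsigned int fetchlimit)
{
  struct toy_value v = { toy_sample, sizeof toy_sample };
  int length = requested;
  uint8_t *buf = NULL;
  enum toy_status st = toy_get_string (&v, 1, fetchlimit, &length, &buf);

  free (buf);
  return st == TOY_OK ? length : (int) st;
}

int
main (void)
{
  printf ("unspecified length, limit 9: %d\n", toy_try (-1, 9));	/* 3 */
  printf ("explicit 5, limit 9:         %d\n", toy_try (5, 9));	/* 5 */
  printf ("explicit 20, limit 9:        %d\n", toy_try (20, 9));	/* -1 */
  printf ("explicit 20, limit 32:       %d\n", toy_try (20, 32));	/* -2 */
  printf ("unspecified length, limit 2: %d\n", toy_try (-1, 2));	/* 2 */
  return 0;
}
```

The `toy_try (20, 32)` case is the one the quoted code gets wrong: FETCHLIMIT alone would allow the request, so the check against the contents buffer is the one that actually prevents the over-read.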