Re: [Bug-readline] heap-buffer-overflow in update_line

[Tom de Vries <tdevries@suse.de>]

On 16-05-19 22:50, Chet Ramey wrote:
> On 5/8/19 4:10 PM, Tom de Vries wrote:
>> Hi,
>>
>> when:
>> - building trunk gdb (using the readline sources in the binutils-gdb.git
>>   repo) on openSUSE 15.0 x86_64-linux with -fsanitize=address, and:
>> - running gdb tests with "export ASAN_OPTIONS=detect_leaks=0",
>> I run into a heap-buffer-overflow failure for
>> gdb.base/utf8-identifiers.exp, reported as PR gdb/24514 -
>> "heap-buffer-overflow in update_line for utf8-identifiers.exp"  at
>> https://sourceware.org/bugzilla/show_bug.cgi?id=24514 .
> 
> 			[...]
> 
>> which triggers without needing the address sanitizer, like this:
>> ...
>> $ TERM=dumb gdb -q -ex "set width 0"
>> gdb: /home/vries/readline/src/display.c:1393: rl_redisplay: Assertion
>> `last_lmargin + (_rl_screenwidth + visible_wrap_offset) <= line_size'
>> failed.
>> Aborted (core dumped)
> 
> This looks like the same problem as described in
> 
> http://lists.gnu.org/archive/html/bug-readline/2019-03/msg00001.html
> 
> In this case, gdb sets the screen width to 32766, which is obviously
> bonkers on a dumb terminal. Gdb should pass -1 to rl_set_screen_size
> so readline doesn't override the number of columns on the physical
> terminal.
> 

I've tried this:
...
diff --git a/gdb/utils.c b/gdb/utils.c
index 9686927473..2bfa22055e 100644
--- a/gdb/utils.c
+++ b/gdb/utils.c
@@ -1371,7 +1371,7 @@ set_screen_size (void)

   if (cols <= 0 || cols > sqrt_int_max)
     {
-      cols = sqrt_int_max;
+      cols = -1;
       chars_per_line = UINT_MAX;
     }
...
but ran into this test failure in gdb.ada/pp-rec-component.exp:
...
(gdb) source
/data/gdb_versions/devel/build/gdb/testsuite/outputs/gdb.ada/pp^M<sions/devel/build/gdb/testsuite/outputs/gdb.ada/pp-

^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^Hrec-component/pp-rec-com
^M<tsuite/outputs/gdb.ada/pp-rec-component/pp-rec-comp
      ^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^Honent.py^M
(gdb) FAIL: gdb.ada/pp-rec-component.exp: source pp-rec-component.py
...
which is readline doing it's horizontal scrolling mode, which AFAIU is
triggered by this condition in rl_redisplay failing:
...
  if (_rl_horizontal_scroll_mode == 0 && _rl_term_up && *_rl_term_up)
...
not because _rl_horizontal_scroll_mode is 1, but because _rl_term_up is
NULL (because of TERM=dumb).

Note btw that ^H is used here by readline despite the fact that
TERM=dumb does not support backspace. I'm not sure if this is a bug, or
intentional behaviour.

Either way, I'm open for suggestions that make gdb call
rl_set_screen_size with legal parameters, and disable features like
horizontal scrolling to get unformatted output for the testsuite run.

Thanks,
- Tom