From: Tom Tromey
To: Andrew Burgess
Cc: gdb-patches@sourceware.org
Subject: Re: [PUSHED] gdb/python: Avoid use after free in py-tui.c
References: <20200605182337.981585-1-andrew.burgess@embecosm.com>
Date: Fri, 05 Jun 2020 12:37:12 -0600
In-Reply-To: <20200605182337.981585-1-andrew.burgess@embecosm.com>
  (Andrew Burgess's message of "Fri, 5 Jun 2020 19:23:37 +0100")
Message-ID: <87v9k5gy07.fsf@tromey.com>

>>>>> "Andrew" == Andrew Burgess writes:

Andrew> When setting the window title of a tui frame we do this:

Andrew>   gdb::unique_xmalloc_ptr value
Andrew>     = python_string_to_host_string ();
Andrew>   ...
Andrew>   win->window->title = value.get ();

Andrew> The problem here is that 'get ()' only borrows the pointer from value,
Andrew> when value goes out of scope the pointer will be freed.  As a result,
Andrew> the tui frame will be left with a pointer to undefined memory
Andrew> contents.
This does not make sense to me, because tui_win_info::title is a
std::string.

Andrew> Instead we should be using 'value.release ()' to take ownership of the
Andrew> pointer from value.

I suspect this introduces a memory leak instead.

Tom
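An added illustration, not part of this thread and not gdb's code: the program below models the three outcomes the exchange turns on, using std::unique_ptr with a free()-based deleter as a stand-in for gdb::unique_xmalloc_ptr (assumed to have the same get()/release() semantics). The deleter records what it frees so each case can be checked without touching freed memory; host_string(), tracking_xfree and the two window structs are constructed for the example. Case A is Tom's point (a std::string destination copies, so get() is fine), case B is the raw-pointer dangling the commit message describes, and case C is the leak Tom suspects when release() feeds a std::string.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <memory>
#include <string>

// Deleter standing in for gdb::unique_xmalloc_ptr's free(): it also records
// how many blocks were freed and the address of the last one, so the cases
// below are observable without dereferencing freed memory (example bookkeeping).
struct tracking_xfree {
    static int free_count;
    static std::uintptr_t last_freed;
    void operator()(char *p) const {
        last_freed = reinterpret_cast<std::uintptr_t>(p);
        ++free_count;
        std::free(p);
    }
};
int tracking_xfree::free_count = 0;
std::uintptr_t tracking_xfree::last_freed = 0;

using unique_xmalloc_ptr = std::unique_ptr<char, tracking_xfree>;

// Stand-in for python_string_to_host_string(): returns a malloc'd copy the
// caller owns (assumed shape; the real function converts a Python object).
static unique_xmalloc_ptr host_string(const char *s) {
    char *copy = static_cast<char *>(std::malloc(std::strlen(s) + 1));
    std::strcpy(copy, s);
    return unique_xmalloc_ptr(copy);
}

// Case A: the title is a std::string, as tui_win_info::title is.
// `win.title = value.get()` copies the characters, so the title outlives value.
struct window_string_title { std::string title; };

bool get_into_std_string_is_safe() {
    int before = tracking_xfree::free_count;
    window_string_title win;
    {
        unique_xmalloc_ptr value = host_string("frame 0");
        win.title = value.get();          // std::string copies the bytes
    }                                      // value frees its block here
    bool freed_once = tracking_xfree::free_count == before + 1;
    return freed_once && win.title == "frame 0";
}

// Case B: the title is a raw pointer, the situation the commit message
// describes. get() only borrows, so the window ends up naming freed memory.
struct window_raw_title { const char *title = nullptr; };

bool get_into_raw_pointer_dangles() {
    window_raw_title win;
    std::uintptr_t borrowed;
    {
        unique_xmalloc_ptr value = host_string("frame 0");
        win.title = value.get();          // borrow, no ownership transfer
        borrowed = reinterpret_cast<std::uintptr_t>(win.title); // recorded while valid
    }                                      // value frees the block win.title still names
    // The block the window refers to is exactly the one just freed.
    return tracking_xfree::last_freed == borrowed;
}

// Case C: release() into a std::string. The string still copies, but the
// block's ownership was given up with nobody left to free it: a leak.
bool release_into_std_string_leaks() {
    int before = tracking_xfree::free_count;
    window_string_title win;
    char *orphaned = nullptr;
    {
        unique_xmalloc_ptr value = host_string("frame 0");
        orphaned = value.release();       // value no longer owns the block
        win.title = orphaned;             // std::string copies it anyway
    }                                      // nothing freed: value was empty
    bool leaked = tracking_xfree::free_count == before && win.title == "frame 0";
    std::free(orphaned);                   // tidy up so the example itself does not leak
    return leaked;
}

int main() {
    return (get_into_std_string_is_safe()
            && get_into_raw_pointer_dangles()
            && release_into_std_string_leaks()) ? 0 : 1;
}
```

The practical check when reviewing such a fix is the type of the destination: a std::string member copies on assignment, so get() is correct and release() silently leaks; only a raw char* member that is later freed by the owner justifies release().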