From: Doug Evans
To: Anton Blanchard
Cc: gdb-patches, Eli Zaretskii
Date: Thu, 19 Mar 2015 22:58:00 -0000
In-Reply-To: <20150317103009.538f2b3d@kryten>
Subject: Re: [PATCH] TUI: Fix buffer overflow in tui_expand_tabs

On Mon, Mar 16, 2015 at 4:30 PM, Anton Blanchard wrote:
> tui_expand_tabs writes past the end of the buffers it allocates
> because we forget to zero out col. This results in us adding more
> spaces than we need to get aligned, and we write past the end of the
> allocated buffer.
>
> This was noticed on Ubuntu Vivid ppc64le, where gdb would SEGV when
> using the TUI.
>
> 2015-03-17 Anton Blanchard
>
> gdb/ChangeLog:
> * tui/tui-io.c (tui_expand_tabs): Zero col before reusing.
> ---
> gdb/ChangeLog | 4 ++++
> gdb/tui/tui-io.c | 2 +-
> 2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/gdb/ChangeLog b/gdb/ChangeLog
> index d984565..4e0177a 100644
> --- a/gdb/ChangeLog
> +++ b/gdb/ChangeLog
> @@ -1,3 +1,7 @@
> +2015-03-17 Anton Blanchard
> +
> + * tui/tui-io.c (tui_expand_tabs): Zero col before reusing.
> +
> 2015-03-16 John Baldwin
>
> * fbsd-tdep.c (fbsd_make_corefile_notes): Fetch all target registers
> diff --git a/gdb/tui/tui-io.c b/gdb/tui/tui-io.c
> index a8af9b6..02ae17d 100644
> --- a/gdb/tui/tui-io.c
> +++ b/gdb/tui/tui-io.c
> @@ -690,7 +690,7 @@ tui_expand_tabs (const char *string, int col)
> ret = q = xmalloc (strlen (string) + n_adjust + 1);
>
> /* 2. Copy the original string while replacing TABs with spaces. */
> - for (s = string; s; )
> + for (col = 0, s = string; s; )
> {
> char *s1 = strpbrk (s, "\t");
> if (s1)

Hi.
col needs to be reset to its original value on function entry, right?
I suggest changing the code so that col is left unmodified, and using a new variable to track the advance of col in both loops.
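Review bot: in the ChangeLog hunk, the entry "Zero col before reusing" describes the mechanism rather than the intent, and it will be wrong if the fix ends up restoring `col` to its entry value or advancing a separate working column instead of zeroing; reword it to match the final code, e.g. "Restart the copy pass from the original column", so the log stays accurate.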
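Review bot: in the tui-io.c hunk, `for (col = 0, s = string; s; )` restarts the copy pass at column 0 rather than at the column the caller passed in. The first pass advanced `col` from its entry value while computing `n_adjust`, so the `xmalloc (strlen (string) + n_adjust + 1)` size was derived from the original column; restarting the second pass from 0 makes the two passes disagree whenever the caller's `col` is non-zero, and the padding written can again exceed the allocation. Save the entry value before the first loop (e.g. `int start_col = col;`) and restart from it, or leave `col` untouched and advance a local column in both loops. A `gdb_assert (q - ret <= strlen (string) + n_adjust)` before returning would make any future mismatch fail loudly instead of silently corrupting the heap.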