[patch] buffer overflow in symtab_from_filename

[patch] buffer overflow in symtab_from_filename

[Aleksandar Ristovski]

[-- Attachment #1: Type: text/plain, Size: 372 bytes --]

Hello,

There is an issue in symtab_from_filename function, it may buffer 
overflow by advancing past the end of the string.

The patch makes sure we do not advance past zero terminator.

Thanks,

Aleksandar Ristovski
QNX Software Systems


ChangeLog:
Aleksandar Ristovski <aristovski@qnx.com>

         * linespec.c (symtab_from_filename): Check for the end of string.



[-- Attachment #2: linespec-201108251155.patch --]
[-- Type: text/x-patch, Size: 507 bytes --]

Index: gdb/linespec.c
===================================================================
RCS file: /cvs/src/src/gdb/linespec.c,v
retrieving revision 1.129
diff -u -p -r1.129 linespec.c
--- gdb/linespec.c	18 Aug 2011 16:17:38 -0000	1.129
+++ gdb/linespec.c	25 Aug 2011 15:55:21 -0000
@@ -1835,6 +1835,8 @@ symtab_from_filename (char **argptr, cha
     }
 
   /* Discard the file name from the arg.  */
+  if (*p1 == '\0')
+    return file_symtab;
   p = p1 + 1;
   while (*p == ' ' || *p == '\t')
     p++;

Re: [patch] buffer overflow in symtab_from_filename

[Tom Tromey]

>>>>> "Aleksandar" == Aleksandar Ristovski <aristovski@qnx.com> writes:

Aleksandar> Aleksandar Ristovski <aristovski@qnx.com>
Aleksandar>         * linespec.c (symtab_from_filename): Check for the end of string.

What is the test case for this?

Tom

Re: [patch] buffer overflow in symtab_from_filename

[Aleksandar Ristovski]

On 11-08-25 01:33 PM, Tom Tromey wrote:
>>>>>> "Aleksandar" == Aleksandar Ristovski<aristovski@qnx.com>  writes:
>
> Aleksandar>  Aleksandar Ristovski<aristovski@qnx.com>
> Aleksandar>          * linespec.c (symtab_from_filename): Check for the end of string.
>
> What is the test case for this?

I didn't make one - I run into the issue while doing something else.

In my case, I would get it by command "b main": on entry to 
symtab_from_filename (called from decode_line_1, ln 879), argptr points 
to a pointer to argument passed to 'break' command; p (argument value on 
entry) points to the end of the string ('\0'). Then this value is 
assigned to p1.

lookup_symtab returns a symtab and code then goes on with incrementing 
p1 by one, making it point past the end of the string. After this point 
it is unpredictable what would happen, but what happened in my case, 
*argptr gets garbled (pointing to garbage past the end of the argument).

I think it is obvious enough to not warrant a separate test case?

Re: [patch] buffer overflow in symtab_from_filename

[Tom Tromey]

Aleksandar> In my case, I would get it by command "b main": on entry to
Aleksandar> symtab_from_filename (called from decode_line_1, ln 879),
Aleksandar> argptr points to a pointer to argument passed to 'break'
Aleksandar> command; p (argument value on entry) points to the end of
Aleksandar> the string ('\0'). Then this value is assigned to p1.

I would have thought that lookup_symtab would return NULL here, causing
the throw_error branch to be taken.

I guess it could happen with 'break main.c'.

Aleksandar> I think it is obvious enough to not warrant a separate test case?

I agree.

Patch is ok, please commit.

Tom

Re: [patch] buffer overflow in symtab_from_filename

[Aleksandar Ristovski]

On 11-08-25 02:12 PM, Tom Tromey wrote:
...
>
> Patch is ok, please commit.

Committed, thank you.