From: Aleksandar Ristovski
To: gdb-patches@sources.redhat.com
Subject: Re: [patch] buffer overflow in symtab_from_filename
Date: Thu, 25 Aug 2011 17:46:00 -0000

On 11-08-25 01:33 PM, Tom Tromey wrote:
>>>>>> "Aleksandar" == Aleksandar Ristovski writes:
>
> Aleksandar> Aleksandar Ristovski
> Aleksandar> * linespec.c (symtab_from_filename): Check for the end of string.
>
> What is the test case for this?

I didn't make one - I ran into the issue while doing something else.
In my case, I would get it with the command "b main": on entry to symtab_from_filename (called from decode_line_1, ln 879), argptr points to a pointer to the argument passed to the 'break' command; p (the argument value on entry) points to the end of the string ('\0'). This value is then assigned to p1. lookup_symtab returns a symtab, and the code then goes on to increment p1 by one, making it point past the end of the string. After this point it is unpredictable what would happen, but what happened in my case was that *argptr got garbled (pointing to garbage past the end of the argument). I think it is obvious enough to not warrant a separate test case?
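The failure mode described in this thread, as an added illustration that is not gdb's linespec.c and not part of the original message: a simplified model of the "copy the file name, then step over the delimiter" step, with the unchecked advance next to one that first checks for the end of the string. The names split_linespec and step_past_delimiter are invented for this example.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of the step described in the thread (an added
   illustration, not gdb's linespec.c): once the file-name part of a
   linespec has been looked up, the parser steps over the delimiter so
   that *argptr points at the rest of the argument.  P points either at
   the delimiter (':' here) or, as in the "b main" case, at the '\0'.  */

/* Unchecked form: reads p[1] even when *p == '\0', so the result points
   past the end of the string.  For comparison only; never call it with
   P at the terminator.  */
static const char *
step_past_delimiter_unchecked (const char *p)
{
  const char *q = p + 1;
  while (*q == ' ' || *q == '\t')
    q++;
  return q;
}

/* Checked form: with P already at the end of the string there is no
   delimiter to skip, so the remainder is the empty string at P.  */
static const char *
step_past_delimiter (const char *p)
{
  const char *q;

  if (*p == '\0')
    return p;
  for (q = p + 1; *q == ' ' || *q == '\t'; q++)
    ;
  return q;
}

/* Copy the file-name part of ARG (up to the first ':') into FILE, at most
   FILESZ - 1 bytes, and return the remainder.  With no ':' present P
   lands on the terminator, the input the end-of-string check is for.  */
const char *
split_linespec (const char *arg, char *file, size_t filesz)
{
  const char *p = strchr (arg, ':');
  size_t len;

  if (p == NULL)
    p = arg + strlen (arg);   /* no delimiter: P is the '\0' */
  len = (size_t) (p - arg);
  if (len >= filesz)
    len = filesz - 1;         /* truncate rather than overflow FILE */
  memcpy (file, arg, len);
  file[len] = '\0';
  return step_past_delimiter (p);
}
```

With "main" as the whole argument, the checked form leaves the remainder pointer on the terminator instead of one byte beyond it, which is the case the patch in the thread guards against.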