diff options
| author | Tom de Vries <tdevries@suse.de> | 2020-12-04 22:35:07 +0100 |
|---|---|---|
| committer | Tom de Vries <tdevries@suse.de> | 2020-12-04 22:35:07 +0100 |
| commit | aafdfb4eddc3c58be24fe50a1e6543a4b9c8cbac (patch) | |
| tree | 7ca5bc0b0d75ede51c6dd908626c652d4d29c88a /gdb/jit.h | |
| parent | f99b517750fd5ab392056fcc8868fc15641ec502 (diff) | |
| download | gdb-aafdfb4eddc3c58be24fe50a1e6543a4b9c8cbac.zip gdb-aafdfb4eddc3c58be24fe50a1e6543a4b9c8cbac.tar.gz gdb-aafdfb4eddc3c58be24fe50a1e6543a4b9c8cbac.tar.bz2 | |
[gdb] Fix heap-buffer-overflow in completion_tracker::build_completion_result
When building gdb with address sanitizer and running test-case
gdb.base/completion.exp, we run into:
...
==5743==ERROR: AddressSanitizer: heap-buffer-overflow on address \
0x60200025c02f at pc 0x000000cd9d64 bp 0x7fff3297da30 sp 0x7fff3297da28
READ of size 1 at 0x60200025c02f thread T0
#0 0xcd9d63 in completion_tracker::build_completion_result(char const*, \
int, int) gdb/completer.c:2258
...
0x60200025c02f is located 1 bytes to the left of 1-byte region \
[0x60200025c030,0x60200025c031)
...
This can be reproduced using just:
...
$ gdb
(gdb) p/d[TAB]
...
The problem is in this code in completion_tracker::build_completion_result:
...
bool completion_suppress_append
= (suppress_append_ws ()
|| match_list[0][strlen (match_list[0]) - 1] == ' ');
...
If strlen (match_list[0]) == 0, then we access match_list[0][-1].
Fix this by testing if the memory access is in bounds before doing the memory
access.
Tested on x86_64-linux.
gdb/ChangeLog:
2020-12-04 Tom de Vries <tdevries@suse.de>
PR gdb/27003
* completer.c (completion_tracker::build_completion_result): Don't
access match_list[0][-1].
Diffstat (limited to 'gdb/jit.h')
0 files changed, 0 insertions, 0 deletions