author | Yao Qi <yao.qi@linaro.org> | 2017-02-27 17:27:17 +0000 |
---|---|---|
committer | Yao Qi <yao.qi@linaro.org> | 2017-02-27 17:27:17 +0000 |
commit | 2123df0ebfc7ade46784ef412226490d59f8ce05 (patch) | |
tree | add2217f970c6e60977e7b7ffc6f5b493b880e13 | |
parent | fbf25dfdfdba2c057e7ccdae4e0d6a2139c66dd5 (diff) | |
Fix array out of bound access
ASAN reports the following error,
(gdb) PASS: gdb.fortran/vla-ptr-info.exp: continue to breakpoint: pvla-associated
print &pvla
=================================================================
==14331==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000ea569f at pc 0x0000008eb546 bp 0x7ffde0c1dc70 sp 0x7ffde0c1dc60
READ of size 1 at 0x000000ea569f thread T0
    #0 0x8eb545 in f_print_type(type*, char const*, ui_file*, int, int, type_print_options const*) ../../binutils-gdb/gdb/f-typeprint.c:89
    #1 0xb611e2 in type_print(type*, char const*, ui_file*, int) ../../binutils-gdb/gdb/typeprint.c:365
    #2 0x7b3471 in c_value_print(value*, ui_file*, value_print_options const*) ../../binutils-gdb/gdb/c-valprint.c:650
    #3 0xb99517 in value_print(value*, ui_file*, value_print_options const*) ../../binutils-gdb/gdb/valprint.c:1233
    #4 0xa42be8 in print_formatted ../../binutils-gdb/gdb/printcmd.c:321
    #5 0xa46ac9 in print_value(value*, format_data const*) ../../binutils-gdb/gdb/printcmd.c:1233
    #6 0xa46d82 in print_command_1 ../../binutils-gdb/gdb/printcmd.c:1261
    #7 0xa46e3e in print_command ../../binutils-gdb/gdb/printcmd.c:1267
on this line of code
demangled_args = varstring[strlen (varstring) - 1] == ')';
because varstring is an empty string and strlen () is 0, so "strlen () - 1"
is definitely out of the bounds of "varstring":
(gdb) bt 10
at /home/yao/SourceCode/gnu/gdb/git/gdb/f-typeprint.c:56
at /home/yao/SourceCode/gnu/gdb/git/gdb/typeprint.c:365
at /home/yao/SourceCode/gnu/gdb/git/gdb/c-valprint.c:650
at /home/yao/SourceCode/gnu/gdb/git/gdb/valprint.c:1236
This patch adds a pre-check on whether varstring is empty.
gdb:
2017-02-27 Yao Qi <yao.qi@linaro.org>
* f-typeprint.c (f_print_type): Check "varstring" is empty first.
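The defect described in the commit message is a classic unsigned-underflow index: `strlen ()` returns `size_t`, so `strlen ("") - 1` does not become -1 but wraps to `SIZE_MAX`, and indexing with it reads the byte just before the string (the "READ of size 1" that ASAN flagged). The following stand-alone C program is an added illustration, not code from the GDB tree: `last_index_unguarded` exposes the wrapped index without performing the bad read, and `ends_with_close_paren` is a free-standing version of the guarded expression the patch introduces, with the emptiness test placed before the `strlen () - 1` so the index is only ever used when it is valid. The function names and sample strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The index the unguarded expression computes.  For "" strlen returns 0
   and 0 - 1 in size_t arithmetic wraps to SIZE_MAX, i.e. the access
   would land one byte before the string's first character.  The value is
   returned, not used as an index, so this function is well-defined.  */
size_t
last_index_unguarded (const char *s)
{
  return strlen (s) - 1;
}

/* Guarded form of the patched expression (hypothetical helper name):
   the empty-string test comes first, and && short-circuits, so
   strlen (s) - 1 is evaluated only when it is a valid index.  A NULL
   check is added as well since the caller in GDB guards on that too.  */
int
ends_with_close_paren (const char *s)
{
  return s != NULL && *s != '\0' && s[strlen (s) - 1] == ')';
}

int
main (void)
{
  /* Constructed sample names: the empty string that triggered the ASAN
     report, a plain variable name, and two demangled-style names.  */
  const char *samples[] = { "", "pvla", "foo(int)", ")" };
  size_t i;

  printf ("strlen (\"\") - 1 as size_t == SIZE_MAX: %s\n",
          last_index_unguarded ("") == SIZE_MAX ? "yes" : "no");

  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf ("\"%s\" -> demangled_args = %d\n", samples[i],
            ends_with_close_paren (samples[i]));

  return 0;
}
```

With the guard in place an empty name yields `demangled_args == 0`, which is the same value a non-demangled name produces, so the caller prints the usual `()` suffix instead of reading outside the buffer.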
| gdb/ChangeLog | 4 |
|---|---|
| gdb/f-typeprint.c | 6 |

2 files changed, 8 insertions, 2 deletions
diff --git a/gdb/ChangeLog b/gdb/ChangeLog index c9fdd66..a7be826 100644 --- a/gdb/ChangeLog +++ b/gdb/ChangeLog @@ -1,3 +1,7 @@ +2017-02-27 Yao Qi <yao.qi@linaro.org> + + * f-typeprint.c (f_print_type): Check "varstring" is empty first. + 2017-02-26 Alan Hayward <alan.hayward@arm.com> * regcache.c (regcache_raw_update): New function. diff --git a/gdb/f-typeprint.c b/gdb/f-typeprint.c index da6ef4f..7dbe093 100644 --- a/gdb/f-typeprint.c +++ b/gdb/f-typeprint.c @@ -52,7 +52,6 @@ f_print_type (struct type *type, const char *varstring, struct ui_file *stream, int show, int level, const struct type_print_options *flags) { enum type_code code; - int demangled_args; if (type_not_associated (type)) { @@ -81,12 +80,15 @@ f_print_type (struct type *type, const char *varstring, struct ui_file *stream, if (varstring != NULL) { + int demangled_args; + fputs_filtered (varstring, stream); /* For demangled function names, we have the arglist as part of the name, so don't print an additional pair of ()'s. */ - demangled_args = varstring[strlen (varstring) - 1] == ')'; + demangled_args = (*varstring != '\0' + && varstring[strlen (varstring) - 1] == ')'); f_type_print_varspec_suffix (type, stream, show, 0, demangled_args, 0); } } |
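Review bot: Dropping `int demangled_args;` from function scope in the `@@ -52,7 +52,6 @@` hunk of f-typeprint.c only compiles because the second hunk redeclares it inside `if (varstring != NULL)`, so the two hunks are inseparable; the ChangeLog entry `Check "varstring" is empty first.` could also say that the variable's scope was narrowed to that block, so a reader following the ChangeLog is not surprised by a declaration moving in a one-line bug fix.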
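Review bot: The guard added in the `@@ -81,12 +80,15 @@` hunk is correct, and the order of the operands matters: `strlen (varstring) - 1` is `size_t` arithmetic, so for an empty string it wraps to `SIZE_MAX` rather than -1, and the read lands one byte before the string, which is the "global-buffer-overflow ... READ of size 1" at f-typeprint.c:89 in the ASAN report; because `&&` short-circuits, `*varstring != '\0'` stops that index from ever being formed. With the guard an empty name gives `demangled_args == 0`, the same as any non-demangled name, so `f_type_print_varspec_suffix` prints the usual suffix, which is the behaviour the commit message describes. One documentation suggestion: the existing comment above the assignment only explains demangled names, so a short addition such as `/* An empty name has no arglist.  */` would record why the emptiness test is there and keep it from being folded away in a later cleanup.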