author | Andrew Burgess <andrew.burgess@embecosm.com> | 2020-06-05 18:13:09 +0100 |
---|---|---|
committer | Andrew Burgess <andrew.burgess@embecosm.com> | 2020-06-05 19:21:20 +0100 |
commit | 982a38f60b0ece9385556cff45567e06710478cb | |
tree | fa4c253cc30c00311580da894a7d797ccf918c42 | |
parent | f1919c56e1ffce63c5dbd60c9b29c492be9d0787 | |

gdb/python: Avoid use after free in py-tui.c

When setting the window title of a tui frame we do this:

  gdb::unique_xmalloc_ptr<char> value
    = python_string_to_host_string (<python-object>);
  ...
  win->window->title = value.get ();

The problem here is that 'get ()' only borrows the pointer from value,
when value goes out of scope the pointer will be freed. As a result,
the tui frame will be left with a pointer to undefined memory
contents.

Instead we should be using 'value.release ()' to take ownership of the
pointer from value.

gdb/ChangeLog:

	* python/py-tui.c (gdbpy_tui_set_title): Use release, not get, to
	avoid use after free.

-rw-r--r-- | gdb/ChangeLog | 5 |
-rw-r--r-- | gdb/python/py-tui.c | 2 |
2 files changed, 6 insertions, 1 deletions
diff --git a/gdb/ChangeLog b/gdb/ChangeLog index 4c3de11..1d486c4 100644 --- a/gdb/ChangeLog +++ b/gdb/ChangeLog @@ -1,3 +1,8 @@ +2020-06-05 Andrew Burgess <andrew.burgess@embecosm.com> + + * python/py-tui.c (gdbpy_tui_set_title): Use release, not get, to + avoid use after free. + 2020-06-05 Tom de Vries <tdevries@suse.de> * NEWS: Fix typos. diff --git a/gdb/python/py-tui.c b/gdb/python/py-tui.c index ca88f85..f2c0339 100644 --- a/gdb/python/py-tui.c +++ b/gdb/python/py-tui.c @@ -433,7 +433,7 @@ gdbpy_tui_set_title (PyObject *self, PyObject *newvalue, void *closure) if (value == nullptr) return -1; - win->window->title = value.get (); + win->window->title = value.release (); return 0; } |
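
Review bot: In the gdbpy_tui_set_title hunk, `win->window->title = value.release ();` is only correct if title is a raw char * that the window owns, and the hunk shows neither the declaration of title nor a free of the previous title. If title is a raw pointer, each call overwrites the old buffer without freeing it, so setting the title repeatedly leaks; free the old value before the assignment or make the field an owning type. If title is a std::string, the original `value.get ()` already copied the characters and was not a use after free, and `release ()` now leaks the xmalloc'd buffer on every call. Please confirm the declared type of title and state the ownership rule in a comment at the assignment.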