| field | value | date |
|---|---|---|
| author | Yao Qi <yao.qi@linaro.org> | 2016-08-11 17:04:11 +0100 |
| committer | Yao Qi <yao.qi@linaro.org> | 2016-08-19 14:20:01 +0100 |
| commit | bbfa2517ded26c1ba9e1af37671565a1a5e6bbc6 (patch) | |
| tree | 762e1b72f445eb3b2b40ffc2ba68531ae832caa3 /gdb/completer.c | |
| parent | 873f10f02f5959ce9b74cc5b599f5006147de940 (diff) | |
| download | gdb-bbfa2517ded26c1ba9e1af37671565a1a5e6bbc6.zip gdb-bbfa2517ded26c1ba9e1af37671565a1a5e6bbc6.tar.gz gdb-bbfa2517ded26c1ba9e1af37671565a1a5e6bbc6.tar.bz2 | |
null-terminate string in linespec_location_completer
If I build gdb with -fsanitize=address and run tests, I get an error:

malformed linespec error: unexpected colon
(gdb) PASS: gdb.linespec/ls-errs.exp: lang=C: break :
break :=================================================================
==3266==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000051451 at pc 0x2b5797a972a8 bp 0x7fffd8e0f3c0 sp 0x7fffd8e0f398
READ of size 2 at 0x602000051451 thread T0
    #0 0x2b5797a972a7 in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x322a7)
    #1 0x7bd004 in compare_filenames_for_search(char const*, char const*) /home/yao/SourceCode/gnu/gdb/git/gdb/symtab.c:316
    #2 0x7bd310 in iterate_over_some_symtabs(char const*, char const*, int (*)(symtab*, void*), void*, compunit_symtab*, compunit_symtab*) /home/yao/SourceCode/gnu/gdb/git/gdb/symtab.c:411
    #3 0x7bd775 in iterate_over_symtabs(char const*, int (*)(symtab*, void*), void*) /home/yao/SourceCode/gnu/gdb/git/gdb/symtab.c:481
    #4 0x7bda15 in lookup_symtab(char const*) /home/yao/SourceCode/gnu/gdb/git/gdb/symtab.c:527
    #5 0x7d5e2a in make_file_symbol_completion_list_1 /home/yao/SourceCode/gnu/gdb/git/gdb/symtab.c:5635
    #6 0x7d61e1 in make_file_symbol_completion_list(char const*, char const*, char const*) /home/yao/SourceCode/gnu/gdb/git/gdb/symtab.c:5684
    #7 0x88dc06 in linespec_location_completer /home/yao/SourceCode/gnu/gdb/git/gdb/completer.c:288
    ....
0x602000051451 is located 0 bytes to the right of 1-byte region [0x602000051450,0x602000051451)
allocated by thread T0 here:
    #0 0x2b5797ab97ef in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547ef)
    #1 0xbbfb8d in xmalloc /home/yao/SourceCode/gnu/gdb/git/gdb/common/common-utils.c:43
    #2 0x88dabd in linespec_location_completer /home/yao/SourceCode/gnu/gdb/git/gdb/completer.c:273
    #3 0x88e5ef in location_completer(cmd_list_element*, char const*, char const*) /home/yao/SourceCode/gnu/gdb/git/gdb/completer.c:531
    #4 0x8902e7 in complete_line_internal /home/yao/SourceCode/gnu/gdb/git/gdb/completer.c:964
The code in question is here:

    file_to_match = (char *) xmalloc (colon - text + 1);
    strncpy (file_to_match, text, colon - text + 1);

It is likely that file_to_match is not null-terminated. The patch is
to strncpy 'colon - text' bytes and explicitly set '\0'.
gdb:
2016-08-19 Yao Qi <yao.qi@linaro.org>
* completer.c (linespec_location_completer): Make file_to_match
null-terminated.
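The commit message describes the classic strncpy hazard: when the length argument is not smaller than the number of bytes available in the source, strncpy writes no terminator at all, and the later strlen in compare_filenames_for_search reads past the 1-byte allocation. The following is an added example, not GDB code, that makes both halves of that visible: a probe showing that strncpy with n equal to the copied length leaves no NUL in the destination, and a small helper (copy_prefix, a name chosen here) that does what the patched lines do, copying exactly colon - text bytes and terminating explicitly, including for the empty prefix that "break :" produces. The probe uses a sentinel-filled buffer one byte larger than n so inspecting the copied region is well-defined C rather than the heap over-read ASan caught.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Probe: does strncpy (dst, src, n) write a NUL anywhere in dst[0..n-1]?
   dst is one byte larger than n and pre-filled with 'X', so the check is
   well-defined even when strncpy writes no terminator.  Returns 1 if a
   NUL byte is found in the first n bytes, 0 otherwise.  */
int strncpy_wrote_terminator (const char *src, size_t n)
{
  char *buf = malloc (n + 1);
  if (buf == NULL)
    abort ();
  memset (buf, 'X', n + 1);            /* sentinel: no NUL anywhere */
  strncpy (buf, src, n);
  int found = memchr (buf, '\0', n) != NULL;
  free (buf);
  return found;
}

/* Hardened copy of the half-open range [text, end) into a fresh,
   NUL-terminated string.  The length is known, so memcpy plus an explicit
   terminator is the whole job; this mirrors the patched code's
   strncpy (..., colon - text); file_to_match[colon - text] = '\0';
   and handles end == text (the "break :" case) by returning "".  */
char *copy_prefix (const char *text, const char *end)
{
  size_t len = (size_t) (end - text);
  char *out = malloc (len + 1);
  if (out == NULL)
    abort ();
  memcpy (out, text, len);
  out[len] = '\0';
  return out;
}

/* Prefix of a linespec before its first ':' (whole string if none).  */
char *file_prefix_before_colon (const char *text)
{
  const char *colon = strchr (text, ':');
  return copy_prefix (text, colon != NULL ? colon : text + strlen (text));
}

/* Test helper: 1 if the extracted prefix of TEXT equals EXPECTED.  */
int prefix_equals (const char *text, const char *expected)
{
  char *p = file_prefix_before_colon (text);
  int eq = strcmp (p, expected) == 0;
  free (p);
  return eq;
}

int main (void)
{
  /* Constructed inputs: the failing "break :" spec plus two normal ones.  */
  const char *specs[] = { ":", "symtab.c:316", "completer.c" };
  for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++)
    {
      char *p = file_prefix_before_colon (specs[i]);
      printf ("\"%s\" -> \"%s\" (len %zu)\n", specs[i], p, strlen (p));
      free (p);
    }

  /* n == strlen (src): the colon is copied, no NUL is written.  */
  printf ("strncpy (buf, \"file.c:\", 7) wrote a terminator: %d\n",
          strncpy_wrote_terminator ("file.c:", 7));
  /* n > strlen (src): strncpy pads with NULs, so a terminator appears.  */
  printf ("strncpy (buf, \"ab\", 7) wrote a terminator: %d\n",
          strncpy_wrote_terminator ("ab", 7));
  return 0;
}
```

The point the probe makes is that the original code's n of colon - text + 1 covers the colon character itself, so strncpy copies it and stops with nothing left over to zero; only a length strictly smaller than the bytes copied, or an explicit out[len] = '\0', guarantees termination.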
Diffstat (limited to 'gdb/completer.c')
-rw-r--r-- | gdb/completer.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/gdb/completer.c b/gdb/completer.c index 5c3b3fc..d0e6bc8 100644 --- a/gdb/completer.c +++ b/gdb/completer.c @@ -264,7 +264,8 @@ linespec_location_completer (struct cmd_list_element *ignore, char *s; file_to_match = (char *) xmalloc (colon - text + 1); - strncpy (file_to_match, text, colon - text + 1); + strncpy (file_to_match, text, colon - text); + file_to_match[colon - text] = '\0'; /* Remove trailing colons and quotes from the file name. */ for (s = file_to_match + (colon - text); s > file_to_match; |
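Review bot: the unchanged loop header in the trailing context, `for (s = file_to_match + (colon - text); s > file_to_match;`, now starts at the byte this hunk just set to '\0' rather than at the last copied character (before the patch that byte held the copied colon, which the loop was presumably stripping); please confirm the loop body, not visible in this hunk, tolerates inspecting the terminator, or start from `colon - text - 1` when `colon > text`. Note also that the old `strncpy (file_to_match, text, colon - text + 1)` copied the colon itself into the last byte of a `colon - text + 1` byte buffer, so strncpy never wrote a terminator and the string was unterminated in every case, not just "likely" as the message says; the edge case `colon == text` merely made it observable because the trailing-colon loop does not run then. Since the length is known, `savestring (text, colon - text)` from common-utils would express the same intent in one line.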