authorAndreas Arnez <arnez@linux.vnet.ibm.com>2016-11-09 13:02:12 +0100
committerAndreas Arnez <arnez@linux.vnet.ibm.com>2016-11-09 13:02:12 +0100
commit0bb65f1e7c9eed7338ef2e4a2f5b42d010409c39 (patch)
treedf300a6c6d78608fa6701239cb2465321b10fa46 /gdb/tui/tui-disasm.c
parent82b19a4d2f9c9e8d56fdffdd702f7db4af486386 (diff)
tui-disasm: Fix window content buffer overrun
A user reported a GDB crash with TUI when trying to debug a function with a long demangled C++ method name. It turned out that the logic for displaying the TUI disassembly window has a bug that can cause a buffer overrun, possibly overwriting GDB-internal data structures. In particular, the logic performs an unguarded strcpy. Another (harmless) bug in tui_alloc_source_buffer causes the buffer to be two lines longer than needed. This may have made the crash appear less frequently. gdb/ChangeLog: * tui/tui-disasm.c (tui_set_disassem_content): Fix line buffer overrun due to unchecked strcpy. gdb/testsuite/ChangeLog: * gdb.base/tui-layout.c: New file. * gdb.base/tui-layout.exp: Use tui-layout.c, to ensure that the disassembly window contains very long lines.
Diffstat (limited to 'gdb/tui/tui-disasm.c')
-rw-r--r--gdb/tui/tui-disasm.c24
1 files changed, 10 insertions, 14 deletions
diff --git a/gdb/tui/tui-disasm.c b/gdb/tui/tui-disasm.c
index 29c1443..5368aa4 100644
--- a/gdb/tui/tui-disasm.c
+++ b/gdb/tui/tui-disasm.c
@@ -172,7 +172,7 @@ tui_set_disassem_content (struct gdbarch *gdbarch, CORE_ADDR pc)
enum tui_status ret = TUI_FAILURE;
int i;
int offset = TUI_DISASM_WIN->detail.source_info.horizontal_offset;
- int max_lines;
+ int max_lines, line_width;
CORE_ADDR cur_pc;
struct tui_gen_win_info *locator = tui_locator_win_info_ptr ();
int tab_len = tui_default_tab_len ();
@@ -193,8 +193,9 @@ tui_set_disassem_content (struct gdbarch *gdbarch, CORE_ADDR pc)
TUI_DISASM_WIN->detail.source_info.start_line_or_addr.u.addr = pc;
cur_pc = locator->content[0]->which_element.locator.addr;
- max_lines = TUI_DISASM_WIN->generic.height - 2; /* Account for
- hilite. */
+ /* Window size, excluding highlight box. */
+ max_lines = TUI_DISASM_WIN->generic.height - 2;
+ line_width = TUI_DISASM_WIN->generic.width - 2;
/* Get temporary table that will hold all strings (addr & insn). */
asm_lines = XALLOCAVEC (struct tui_asm_line, max_lines);
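Review bot: `line_width = TUI_DISASM_WIN->generic.width - 2;` is an `int` that the later hunk uses both as the `strncpy` bound and as the index of the terminating NUL written to `src->line`, so the fix is only complete if `src->line` holds at least `line_width + 1` bytes; that sizing happens in tui_alloc_source_buffer, which is not in this diff, and the commit message itself says that function has a sizing bug, so the dependency deserves a comment here rather than being implicit. If the window can ever be narrower than two columns, `line_width` goes negative and converts to a very large `size_t` at the `strncpy` call, turning the bounded copy back into an unbounded one; whether TUI layout code enforces a minimum width is not visible in this hunk. I would write `/* Capacity of src->line minus the NUL; must match tui_alloc_source_buffer.  */` above the assignment, and add `if (line_width < 0) line_width = 0;` unless a minimum window width is guaranteed elsewhere. tui_set_disassem_content begins before this hunk and continues past it.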
@@ -233,20 +234,15 @@ tui_set_disassem_content (struct gdbarch *gdbarch, CORE_ADDR pc)
src = &element->which_element.source;
strcpy (line, asm_lines[i].addr_string);
cur_len = strlen (line);
-
- /* Add spaces to make the instructions start on the same
- column. */
- while (cur_len < insn_pos)
- {
- strcat (line, " ");
- cur_len++;
- }
-
- strcat (line, asm_lines[i].insn);
+ memset (line + cur_len, ' ', insn_pos - cur_len);
+ strcpy (line + insn_pos, asm_lines[i].insn);
/* Now copy the line taking the offset into account. */
if (strlen (line) > offset)
- strcpy (src->line, &line[offset]);
+ {
+ strncpy (src->line, &line[offset], line_width);
+ src->line[line_width] = '\0';
+ }
else
src->line[0] = '\0';