diff options
| author | Jan Kratochvil <jan.kratochvil@redhat.com> | 2014-08-19 22:55:10 +0200 |
|---|---|---|
| committer | Jan Kratochvil <jan.kratochvil@redhat.com> | 2014-08-19 22:55:10 +0200 |
| commit | 6694c4110a37bc951d01132d6e56445d57350627 (patch) | |
| tree | 817a90a208ffc14ea5b6893334e6b12ffa658600 /gdb/valprint.c | |
| parent | 0718a8da7b359f184e1b3a866645cc2f9611771b (diff) | |
| download | gdb-6694c4110a37bc951d01132d6e56445d57350627.zip gdb-6694c4110a37bc951d01132d6e56445d57350627.tar.gz gdb-6694c4110a37bc951d01132d6e56445d57350627.tar.bz2 | |
Fix -fsanitize=address on unreadable inferior strings
echo 'void f(char *s){}main(){f((char *)1);}'|gcc -g -x c -;../gdb ./a.out -ex 'b f' -ex r
====ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000aaccf at pc 0x96eea7 bp 0x7fff75bdbc90 sp 0x7fff75bdbc80
READ of size 1 at 0x6020000aaccf thread T0
#0 0x96eea6 in extract_unsigned_integer .../gdb/findvar.c:108
#1 0x9df02b in val_print_string .../gdb/valprint.c:2513
[...]
0x6020000aaccf is located 1 bytes to the left of 8-byte region [0x6020000aacd0,0x6020000aacd8)
allocated by thread T0 here:
#0 0x7f45fad26b97 in malloc (/lib64/libasan.so.1+0x57b97)
#1 0xdb3409 in xmalloc common/common-utils.c:45
#2 0x9d8cf9 in read_string .../gdb/valprint.c:1845
#3 0x9defca in val_print_string .../gdb/valprint.c:2502
[..]
====ABORTING
gdb/
2014-08-18 Jan Kratochvil <jan.kratochvil@redhat.com>
Fix -fsanitize=address on unreadable inferior strings.
* valprint.c (val_print_string): Fix access before BUFFER.
Diffstat (limited to 'gdb/valprint.c')
| -rw-r--r-- | gdb/valprint.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/gdb/valprint.c b/gdb/valprint.c index d3ab267..a87d67c 100644 --- a/gdb/valprint.c +++ b/gdb/valprint.c @@ -2510,8 +2510,10 @@ val_print_string (struct type *elttype, const char *encoding, LEN is -1. */ /* Determine found_nul by looking at the last character read. */ - found_nul = extract_unsigned_integer (buffer + bytes_read - width, width, - byte_order) == 0; + found_nul = 0; + if (bytes_read >= width) + found_nul = extract_unsigned_integer (buffer + bytes_read - width, width, + byte_order) == 0; if (len == -1 && !found_nul) { gdb_byte *peekbuf; |