diff options
| author | Nick Alcock <nick.alcock@oracle.com> | 2021-03-25 16:32:46 +0000 |
|---|---|---|
| committer | Nick Alcock <nick.alcock@oracle.com> | 2021-03-25 16:32:49 +0000 |
| commit | 0bd65ce30a869559251a34da105fbe45df5a85b3 (patch) | |
| tree | 6f4d610cb1ea5dafff6200641bdea29f0c961a98 /libctf/ctf-lookup.c | |
| parent | 5226ef61131c1dbb58bcf4ff10ece4312690bc82 (diff) | |
| download | gdb-0bd65ce30a869559251a34da105fbe45df5a85b3.zip gdb-0bd65ce30a869559251a34da105fbe45df5a85b3.tar.gz gdb-0bd65ce30a869559251a34da105fbe45df5a85b3.tar.bz2 | |
libctf: don't dereference out-of-bounds locations in the qualifier hashtab
isqualifier, which is used by ctf_lookup_by_name to figure out if a
given word in a type name is a qualifier, takes the address of a
possibly out-of-bounds location before checking its bounds.
In any reasonable compiler this will just lead to a harmless address
computation that is then discarded if out-of-bounds, but it's still
undefined behaviour and the sanitizer rightly complains.
libctf/ChangeLog
2021-03-25 Nick Alcock <nick.alcock@oracle.com>
PR libctf/27628
* ctf-lookup.c (isqualifier): Don't dereference out-of-bounds
qhash values.
Diffstat (limited to 'libctf/ctf-lookup.c')
| -rw-r--r-- | libctf/ctf-lookup.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/libctf/ctf-lookup.c b/libctf/ctf-lookup.c index 9d1e6d8..fe66bc4 100644 --- a/libctf/ctf-lookup.c +++ b/libctf/ctf-lookup.c @@ -111,10 +111,14 @@ isqualifier (const char *s, size_t len) }; int h = s[len - 1] + (int) len - 105; - const struct qual *qp = &qhash[h]; + const struct qual *qp; - return (h >= 0 && (size_t) h < sizeof (qhash) / sizeof (qhash[0]) - && (size_t) len == qp->q_len && + if (h < 0 || (size_t) h >= sizeof (qhash) / sizeof (qhash[0])) + return 0; + + qp = &qhash[h]; + + return ((size_t) len == qp->q_len && strncmp (qp->q_name, s, qp->q_len) == 0); } |