This is the mail archive of the gdb-cvs@sourceware.org mailing list for the GDB project.



[binutils-gdb/gdb-7.12-branch] null-terminate string in linespec_location_completer


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d71004b8fe2ab0f3e1fc6dede74821f7c287f521

commit d71004b8fe2ab0f3e1fc6dede74821f7c287f521
Author: Yao Qi <yao.qi@linaro.org>
Date:   Fri Aug 19 14:23:59 2016 +0100

    null-terminate string in linespec_location_completer
    
    If I build gdb with -fsanitize=address and run tests, I get an error,
    
    malformed linespec error: unexpected colon
    (gdb) PASS: gdb.linespec/ls-errs.exp: lang=C: break     :
    break   :=================================================================
    ==3266==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000051451 at pc 0x2b5797a972a8 bp 0x7fffd8e0f3c0 sp 0x7fffd8e0f398
    READ of size 2 at 0x602000051451 thread T0
        #0 0x2b5797a972a7 in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x322a7)
        #1 0x7bd004 in compare_filenames_for_search(char const*, char const*) /home/yao/SourceCode/gnu/gdb/git/gdb/symtab.c:316
        #2 0x7bd310 in iterate_over_some_symtabs(char const*, char const*, int (*)(symtab*, void*), void*, compunit_symtab*, compunit_symtab*) /home/yao/SourceCode/gnu/gdb/git/gdb/symtab.c:411
        #3 0x7bd775 in iterate_over_symtabs(char const*, int (*)(symtab*, void*), void*) /home/yao/SourceCode/gnu/gdb/git/gdb/symtab.c:481
        #4 0x7bda15 in lookup_symtab(char const*) /home/yao/SourceCode/gnu/gdb/git/gdb/symtab.c:527
        #5 0x7d5e2a in make_file_symbol_completion_list_1 /home/yao/SourceCode/gnu/gdb/git/gdb/symtab.c:5635
        #6 0x7d61e1 in make_file_symbol_completion_list(char const*, char const*, char const*) /home/yao/SourceCode/gnu/gdb/git/gdb/symtab.c:5684
        #7 0x88dc06 in linespec_location_completer /home/yao/SourceCode/gnu/gdb/git/gdb/completer.c:288
    ....
    0x602000051451 is located 0 bytes to the right of 1-byte region [0x602000051450,0x602000051451)
    mallocated by thread T0 here:
        #0 0x2b5797ab97ef in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547ef)
        #1 0xbbfb8d in xmalloc /home/yao/SourceCode/gnu/gdb/git/gdb/common/common-utils.c:43
        #2 0x88dabd in linespec_location_completer /home/yao/SourceCode/gnu/gdb/git/gdb/completer.c:273
        #3 0x88e5ef in location_completer(cmd_list_element*, char const*, char const*) /home/yao/SourceCode/gnu/gdb/git/gdb/completer.c:531
        #4 0x8902e7 in complete_line_internal /home/yao/SourceCode/gnu/gdb/git/gdb/completer.c:964
    
    The code in question is here:
    
           file_to_match = (char *) xmalloc (colon - text + 1);
           strncpy (file_to_match, text, colon - text + 1);
    
    it is likely that file_to_match is not null-terminated.  The patch is
    to strncpy 'colon - text' bytes and explicitly set '\0'.
    
    gdb:
    
    2016-08-19  Yao Qi  <yao.qi@linaro.org>
    
    	* completer.c (linespec_location_completer): Make file_to_match
    	null-terminated.

Diff:
---
 gdb/ChangeLog   | 5 +++++
 gdb/completer.c | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/gdb/ChangeLog b/gdb/ChangeLog
index 3f8d16b..5002081 100644
--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
@@ -1,3 +1,8 @@
+2016-08-19  Yao Qi  <yao.qi@linaro.org>
+
+	* completer.c (linespec_location_completer): Make file_to_match
+	null-terminated.
+
 2016-08-18  Edjunior Barbosa Machado  <emachado@linux.vnet.ibm.com>
 
 	* rs6000-tdep.c (ppc_process_record_op31): Handle HTM instructions.
diff --git a/gdb/completer.c b/gdb/completer.c
index 5c3b3fc..d0e6bc8 100644
--- a/gdb/completer.c
+++ b/gdb/completer.c
@@ -264,7 +264,8 @@ linespec_location_completer (struct cmd_list_element *ignore,
       char *s;
 
       file_to_match = (char *) xmalloc (colon - text + 1);
-      strncpy (file_to_match, text, colon - text + 1);
+      strncpy (file_to_match, text, colon - text);
+      file_to_match[colon - text] = '\0';
       /* Remove trailing colons and quotes from the file name.  */
       for (s = file_to_match + (colon - text);
 	   s > file_to_match;
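Review bot: The change is correct, but strncpy with an exact byte count followed by a separate NUL store is memcpy in disguise. The old call's count of colon - text + 1 made strncpy copy the ':' byte itself, and because text[colon - text] is never NUL no terminator was written into the (colon - text + 1)-byte allocation, which is exactly the 1-byte region and the strlen over-read in the trace; the new code copies colon - text bytes and stores the NUL at index colon - text, the last byte of the allocation. Since [text, colon) cannot contain a NUL, `memcpy (file_to_match, text, colon - text);` states the intent more plainly, and `xstrndup (text, colon - text)` from libiberty would allocate and terminate in one step and drop the separate terminator line altogether.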

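The unterminated-copy pattern the commit describes, reduced to a stand-alone C program (an added example, not gdb's code): the "before" variant checks, with a bounded memchr rather than strlen, whether strncpy ever wrote a NUL into the allocation, and the "after" variant is the commit's fix. The linespec strings are constructed; `text`, `colon` and `file_to_match` are named after the snippet in the commit message.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* "Before" state of the commit: n == colon - text + 1, so strncpy copies
   the ':' byte itself and, because that byte is not NUL, writes no
   terminator when the source is at least n bytes long.  Returns 1 if a
   NUL landed inside the allocation, 0 if the buffer is unterminated,
   -1 if there is no colon.  The probe uses memchr bounded to the
   allocation, never strlen, so the check itself cannot over-read.  */
int before_fix_is_terminated (const char *text)
{
  const char *colon = strchr (text, ':');
  if (colon == NULL)
    return -1;
  size_t n = colon - text + 1;
  char *file_to_match = (char *) malloc (n);
  strncpy (file_to_match, text, n);
  int terminated = memchr (file_to_match, '\0', n) != NULL;
  free (file_to_match);
  return terminated;
}

/* "After" state of the commit: copy colon - text bytes and store the
   terminator explicitly, inside the allocation.  Caller frees the
   result; NULL means there was no colon (no file part to match).  */
char *file_part_after_fix (const char *text)
{
  const char *colon = strchr (text, ':');
  if (colon == NULL)
    return NULL;
  size_t len = colon - text;
  char *file_to_match = (char *) malloc (len + 1);
  if (file_to_match == NULL)
    return NULL;
  strncpy (file_to_match, text, len);   /* exactly len bytes, no NUL */
  file_to_match[len] = '\0';            /* the byte the old code never wrote */
  return file_to_match;
}

int main (void)
{
  /* Constructed inputs; ":" is the ls-errs.exp case from the trace.  */
  const char *inputs[] = { "foo.c:main", ":" };
  for (size_t i = 0; i < 2; i++)
    {
      char *f = file_part_after_fix (inputs[i]);
      printf ("%-12s before: terminated=%d  after: \"%s\"\n",
              inputs[i], before_fix_is_terminated (inputs[i]), f);
      free (f);
    }
  return 0;
}
```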
