This is the mail archive of the gdb-prs@sourceware.org mailing list for the GDB project.
[Bug gdb/11092] c_printstr in c-lang.c length parameter can overflow
- From: "pmuldoon at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: gdb-prs at sourceware dot org
- Date: 15 Dec 2009 15:37:44 -0000
- Subject: [Bug gdb/11092] c_printstr in c-lang.c length parameter can overflow
- References: <20091215144649.11092.pmuldoon@redhat.com>
- Reply-to: sourceware-bugzilla at sourceware dot org
------- Additional Comments From pmuldoon at redhat dot com 2009-12-15 15:37 -------
Maybe I misunderstood the comments that head that function. Can I not provide
-1 as a length to terminate string printing at the first null of appropriate
width? If I do that I get the outcome below (ignore the extra encoding argument
to LA_PRINT_STRING; it is part of my patch and has no effect on the outcome).
I've redacted the output from the debugging session to show in summary:
Breakpoint 1, main () at
../../../archer/gdb/testsuite/gdb.python/py-prettyprint.c:252
252 return 0; /* break to inspect struct and union */
Current language: auto
(gdb) p estring
Breakpoint 3, print_string_repr (printer=0x7ffff20dd7e8, hint=0xf4f6e0 "string",
stream=0xbc1ab0, recurse=0, options=0x7fffffffd8e0, language=0x7ab4c0,
gdbarch=0xc20880)
at ../../archer/gdb/python/py-prettyprint.c:323
323 LA_PRINT_STRING (stream, builtin_type (gdbarch)->builtin_char,
(top-gdb) list 323
323 LA_PRINT_STRING (stream, builtin_type (gdbarch)->builtin_char,
324 output, length, encoding, 0, options);
325 else
326 fputs_filtered (output, stream);
327
(top-gdb) p length
$1 = -1
(top-gdb) p output
$2 = (gdb_byte *) 0xdfd530 "embedded x\201\202\203\204"
(top-gdb) s
c_printstr (stream=0xbc1ab0, type=0xc10760, string=0xdfd530 "embedded
x\201\202\203\204", length=4294967295, user_encoding=0xf71340 "UTF-8",
force_ellipses=0, options=0x7fffffffd8e0)
at ../../archer/gdb/c-lang.c:375
375 enum bfd_endian byte_order = gdbarch_byte_order (get_type_arch (type));
(top-gdb) n
377 unsigned int things_printed = 0;
(top-gdb)
378 int in_quotes = 0;
(top-gdb)
379 int need_comma = 0;
(top-gdb)
380 int width = TYPE_LENGTH (type);
(top-gdb)
387 int finished = 0;
(top-gdb)
388 int need_escape = 0;
(top-gdb)
393 if (!force_ellipses
(top-gdb)
395 && (extract_unsigned_integer (string + (length - 1) * width,
(top-gdb) p length
$3 = 4294967295
(top-gdb) n
Program received signal SIGSEGV, Segmentation fault.
0x00000000004f8180 in extract_unsigned_integer (addr=0x100dfd52e <Address
0x100dfd52e out of bounds>, len=1, byte_order=BFD_ENDIAN_LITTLE) at
../../archer/gdb/findvar.c:110
110 retval = (retval << 8) | *p;
--
What       |Removed     |Added
-----------+------------+------------
Status     |RESOLVED    |UNCONFIRMED
Resolution |INVALID     |
http://sourceware.org/bugzilla/show_bug.cgi?id=11092
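The session above records two arithmetic steps: the int -1 passed by print_string_repr becomes 4294967295 once it binds to c_printstr's `unsigned int length`, and `string + (length - 1) * width` then lands at 0x100dfd52e, well outside the buffer. The C below is an added illustration, not gdb code: it reproduces both steps on the values from the session with hypothetical helpers, then shows a bounds check and a hardened resolution of the "-1 means scan to the terminator" convention that settles on a real element count before any address is formed. The sample buffers are constructed for the example.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs (not taken from gdb): the 14-byte string shown
   in the session above, with its terminating NUL, and a two-byte-wide
   string "hi" terminated by a two-byte zero element.  */
static const unsigned char sample[] = "embedded x\201\202\203\204";
static const unsigned char sample16[] = { 'h', 0, 'i', 0, 0, 0 };

/* Step 1 of the failure: the int -1 handed to an `unsigned int length`
   parameter is converted modulo 2^32, which is the 4294967295 that
   `p length` shows inside c_printstr.  */
unsigned int as_unsigned_length(int length)
{
    return (unsigned int) length;
}

/* Step 2: the address the terminator check computes,
   string + (length - 1) * width, done on a 64-bit integer instead of a
   pointer so the result can be shown without reading memory.  With the
   values from the session (0xdfd530, 4294967295, width 1) this yields
   0x100dfd52e, the out-of-bounds address in the SIGSEGV report.  */
uint64_t last_element_addr(uint64_t string, unsigned int length, unsigned int width)
{
    return string + (uint64_t) ((length - 1) * width);
}

/* Bounds check a caller can apply before that arithmetic: element
   (length - 1) is readable only if length * width <= buflen.  Dividing
   instead of multiplying keeps the check itself from overflowing.  */
int last_element_in_bounds(size_t buflen, unsigned int length, unsigned int width)
{
    if (length == 0 || width == 0)
        return 0;
    return (size_t) length <= buflen / width;
}

/* Hardened handling of the "-1 means stop at the first NUL of the given
   width" convention (hypothetical helper, not gdb's API): resolve the
   sentinel to a real element count, bounded by the buffer, before any
   address is formed.  Returns the element count, or -1 if the input is
   unusable (bad width, length past the buffer, or no terminator found).  */
long resolve_length(const unsigned char *string, size_t buflen,
                    int length, unsigned int width)
{
    if (width == 0 || buflen % width != 0)
        return -1;
    size_t nelem = buflen / width;

    if (length >= 0)
        return ((size_t) length <= nelem) ? length : -1;

    /* Negative length: scan for the first all-zero element of `width` bytes. */
    for (size_t i = 0; i < nelem; i++) {
        int zero = 1;
        for (unsigned int b = 0; b < width; b++) {
            if (string[i * width + b] != 0) {
                zero = 0;
                break;
            }
        }
        if (zero)
            return (long) i;
    }
    return -1;
}

int main(void)
{
    unsigned int len = as_unsigned_length(-1);
    printf("length as unsigned: %u\n", len);
    printf("string + (length - 1) * width = 0x%" PRIx64 "\n",
           last_element_addr(0xdfd530ULL, len, 1));
    printf("in bounds? %d\n", last_element_in_bounds(sizeof sample, len, 1));
    printf("resolved length: %ld\n", resolve_length(sample, sizeof sample, -1, 1));
    return 0;
}
```

The point of resolve_length is ordering: the sentinel is turned into a count that is already known to lie inside the buffer, so the later `string + (length - 1) * width` never sees 4294967295. Pairing a signed caller-side convention with an unsigned callee parameter is what lets -1 slip through silently; a compiler warning for the sign conversion at the LA_PRINT_STRING call site would have flagged it.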