[commit] Fix find buffer overflow crash (PR 14321)

Jan Kratochvil jan.kratochvil@redhat.com
Fri Jul 6 15:54:00 GMT 2012


Hi,

I do not find the types there great (it should use size_t or CORE_ADDR
depending on the case instead of LONGEST/ULONGEST everywhere) but I just
applied the minimal fix for the crash.

No regressions on {x86_64,x86_64-m32,i686}-fedorarawhide-linux-gnu.

Checked in.


Thanks,
Jan


http://sourceware.org/ml/gdb-cvs/2012-07/msg00051.html

--- src/gdb/ChangeLog	2012/07/06 14:48:47	1.14443
+++ src/gdb/ChangeLog	2012/07/06 15:51:38	1.14444
@@ -1,3 +1,9 @@
+2012-07-06  Jan Kratochvil  <jan.kratochvil@redhat.com>
+
+	PR 14321
+	* findcmd.c (parse_find_args): New variable pattern_buf_size_need.
+	Increase buffer sizes to 2x we need, not just 2x of the previous size.
+
 2012-07-06  Tom Tromey  <tromey@redhat.com>
 
 	* c-exp.y (DOTDOTDOT): New token.
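Review bot: the wording "Increase buffer sizes to 2x we need, not just 2x of the previous size" in the new findcmd.c entry reads awkwardly and does not say what went wrong; suggest "Grow pattern_buf to twice the size actually needed, not just twice its previous size, since a single doubling could still be too small for the next value", so the ChangeLog records both the bug and the fix.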
--- src/gdb/testsuite/ChangeLog	2012/07/06 14:48:48	1.3278
+++ src/gdb/testsuite/ChangeLog	2012/07/06 15:51:39	1.3279
@@ -1,3 +1,9 @@
+2012-07-06  Jan Kratochvil  <jan.kratochvil@redhat.com>
+
+	PR 14321
+	* gdb.base/find.exp
+	(find int64_search_buf, +64/8*100, int64_search_buf): New test.
+
 2012-07-06  Tom Tromey  <tromey@redhat.com>
 
 	* gdb.base/whatis.exp: Add test.
--- src/gdb/findcmd.c	2012/01/04 08:17:02	1.18
+++ src/gdb/findcmd.c	2012/07/06 15:51:39	1.19
@@ -170,6 +170,7 @@
     {
       LONGEST x;
       int val_bytes;
+      ULONGEST pattern_buf_size_need;
 
       while (isspace (*s))
 	++s;
@@ -179,12 +180,13 @@
 
       /* Keep it simple and assume size == 'g' when watching for when we
 	 need to grow the pattern buf.  */
-      if ((pattern_buf_end - pattern_buf + max (val_bytes, sizeof (int64_t)))
-	  > pattern_buf_size)
+      pattern_buf_size_need = (pattern_buf_end - pattern_buf
+			       + max (val_bytes, sizeof (int64_t)));
+      if (pattern_buf_size_need > pattern_buf_size)
 	{
 	  size_t current_offset = pattern_buf_end - pattern_buf;
 
-	  pattern_buf_size *= 2;
+	  pattern_buf_size = pattern_buf_size_need * 2;
 	  pattern_buf = xrealloc (pattern_buf, pattern_buf_size);
 	  pattern_buf_end = pattern_buf + current_offset;
 	}
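Review bot: the new growth is sufficient because the body is only entered when `pattern_buf_size_need > pattern_buf_size`, so `pattern_buf_size_need * 2` is always larger than the old `pattern_buf_size * 2` and the amortized doubling is preserved; the previous single doubling left the buffer too short whenever `pattern_buf_size_need` exceeded twice the old size, which is the overflow being fixed. Two things worth adding: the comment above the check ("Keep it simple and assume size == 'g' ...") still only explains the trigger, so a one-line comment on `pattern_buf_size = pattern_buf_size_need * 2;` saying the new size is derived from the need rather than the old size would help, and the `* 2` is unchecked, which is harmless for the bounded `val_bytes` here but deserves a word in that same comment.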
--- src/gdb/testsuite/gdb.base/find.exp	2012/05/18 15:31:41	1.11
+++ src/gdb/testsuite/gdb.base/find.exp	2012/07/06 15:51:40	1.12
@@ -182,3 +182,6 @@
     "${hex_number}${one_pattern_found}" \
     "find pattern straddling chunk boundary"
 }
+
+# Check GDB buffer overflow.
+gdb_test "find int64_search_buf, +64/8*100, int64_search_buf" " <int64_search_buf>\r\n1 pattern found\\."
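Review bot: the comment `# Check GDB buffer overflow.` should name PR 14321 and say what the range `+64/8*100` (100 int64 values) is meant to exercise, so a future reader of find.exp can tell this is a regression test for pattern_buf growth in parse_find_args rather than a generic search test; the expected output asserting exactly one match is reasonable since the pattern is the buffer's own contents.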