[PATCH] PR 16286: Reading python value as string beyond declared size
Pedro Alves
palves@redhat.com
Tue Dec 3 20:29:00 GMT 2013
On 12/02/2013 11:14 PM, Doug Evans wrote:
> + if (*length > 0)
> + fetchlimit = UINT_MAX;
Shouldn't this be:
if (*length > 0)
fetchlimit = *length;
? That is, if the caller specified a limit, why do we do over it?
Couldn't this new check be merge above where we compute
fetchlimit to begin with? With the comment there adjusted to
something like:
+ /* If have an explicit requested length, use that as fetchlimit.
+ Otherwise, if we know the size of the array, we can use it as
+ a limit on the number of characters to be fetched. */
BTW, it looks like the not_lval/lval_internalvar path can
blindly read beyond the value's contents buffer, if *length
is bigger than the value's contents buffer size:
/* If the string lives in GDB's memory instead of the inferior's,
then we just need to copy it to BUFFER. Also, since such strings
are arrays with known size, FETCHLIMIT will hold the size of the
array. */
if ((VALUE_LVAL (value) == not_lval
|| VALUE_LVAL (value) == lval_internalvar)
&& fetchlimit != UINT_MAX)
{
int i;
const gdb_byte *contents = value_contents (value);
/* If a length is specified, use that. */
if (*length >= 0)
i = *length;
^^^^^^^^^^^^^
else
/* Otherwise, look for a null character. */
for (i = 0; i < fetchlimit; i++)
if (extract_unsigned_integer (contents + i * width,
width, byte_order) == 0)
break;
/* I is now either a user-defined length, the number of non-null
characters, or FETCHLIMIT. */
*length = i * width;
*buffer = xmalloc (*length);
memcpy (*buffer, contents, *length);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
--
Pedro Alves
More information about the Gdb-patches
mailing list