[PATCH] PR 16286: Reading python value as string beyond declared size
Doug Evans
dje@google.com
Tue Dec 3 23:01:00 GMT 2013
On Tue, Dec 3, 2013 at 12:29 PM, Pedro Alves <palves@redhat.com> wrote:
> On 12/02/2013 11:14 PM, Doug Evans wrote:
>> + if (*length > 0)
>> + fetchlimit = UINT_MAX;
>
> Shouldn't this be:
>
> if (*length > 0)
> fetchlimit = *length;
>
> ? That is, if the caller specified a limit, why do we do over it?
read_string will take min (len, fetchlimit), and I saw no value in
passing fetchlimit = *length.
> Couldn't this new check be merge above where we compute
> fetchlimit to begin with? With the comment there adjusted to
> something like:
>
> + /* If have an explicit requested length, use that as fetchlimit.
> + Otherwise, if we know the size of the array, we can use it as
> + a limit on the number of characters to be fetched. */
I want to keep fetchlimit and *length separate at this point.
They have different meanings/purposes.
> BTW, it looks like the not_lval/lval_internalvar path can
> blindly read beyond the value's contents buffer, if *length
> is bigger than the value's contents buffer size:
>
> /* If the string lives in GDB's memory instead of the inferior's,
> then we just need to copy it to BUFFER. Also, since such strings
> are arrays with known size, FETCHLIMIT will hold the size of the
> array. */
> if ((VALUE_LVAL (value) == not_lval
> || VALUE_LVAL (value) == lval_internalvar)
> && fetchlimit != UINT_MAX)
> {
> int i;
> const gdb_byte *contents = value_contents (value);
>
> /* If a length is specified, use that. */
> if (*length >= 0)
> i = *length;
> ^^^^^^^^^^^^^
> else
> /* Otherwise, look for a null character. */
> for (i = 0; i < fetchlimit; i++)
> if (extract_unsigned_integer (contents + i * width,
> width, byte_order) == 0)
> break;
>
> /* I is now either a user-defined length, the number of non-null
> characters, or FETCHLIMIT. */
> *length = i * width;
> *buffer = xmalloc (*length);
> memcpy (*buffer, contents, *length);
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It didn't look right to me either, but I was leaving digging deeper
for another pass.
More information about the Gdb-patches
mailing list