This is the mail archive of the gdb-cvs@sourceware.org mailing list for the GDB project.



[binutils-gdb] Fix array out of bound access


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2123df0ebfc7ade46784ef412226490d59f8ce05

commit 2123df0ebfc7ade46784ef412226490d59f8ce05
Author: Yao Qi <yao.qi@linaro.org>
Date:   Mon Feb 27 17:27:17 2017 +0000

    Fix array out of bound access
    
    ASAN reports the following error,
    
    (gdb) PASS: gdb.fortran/vla-ptr-info.exp: continue to breakpoint: pvla-associated
    print &pvla
    =================================================================
    ==14331==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000ea569f at pc 0x0000008eb546 bp 0x7ffde0c1dc70 sp 0x7ffde0c1dc60
    READ of size 1 at 0x000000ea569f thread T0
        #0 0x8eb545 in f_print_type(type*, char const*, ui_file*, int, int, type_print_options const*) ../../binutils-gdb/gdb/f-typeprint.c:89
        #1 0xb611e2 in type_print(type*, char const*, ui_file*, int) ../../binutils-gdb/gdb/typeprint.c:365
        #2 0x7b3471 in c_value_print(value*, ui_file*, value_print_options const*) ../../binutils-gdb/gdb/c-valprint.c:650
        #3 0xb99517 in value_print(value*, ui_file*, value_print_options const*) ../../binutils-gdb/gdb/valprint.c:1233
        #4 0xa42be8 in print_formatted ../../binutils-gdb/gdb/printcmd.c:321
        #5 0xa46ac9 in print_value(value*, format_data const*) ../../binutils-gdb/gdb/printcmd.c:1233
        #6 0xa46d82 in print_command_1 ../../binutils-gdb/gdb/printcmd.c:1261
        #7 0xa46e3e in print_command ../../binutils-gdb/gdb/printcmd.c:1267
    
    on this line of code
    
          demangled_args = varstring[strlen (varstring) - 1] == ')';
    
    because varstring is an empty string and strlen () is 0, so "strlen () - 1"
    is definitely out of the bounds of "varstring",
    
    (gdb) bt 10
        at /home/yao/SourceCode/gnu/gdb/git/gdb/f-typeprint.c:56
        at /home/yao/SourceCode/gnu/gdb/git/gdb/typeprint.c:365
        at /home/yao/SourceCode/gnu/gdb/git/gdb/c-valprint.c:650
        at /home/yao/SourceCode/gnu/gdb/git/gdb/valprint.c:1236
    
    This patch adds a pre-check for whether varstring is empty.
    
    gdb:
    
    2017-02-27  Yao Qi  <yao.qi@linaro.org>
    
    	* f-typeprint.c (f_print_type): Check "varstring" is empty first.

Diff:
---
 gdb/ChangeLog     | 4 ++++
 gdb/f-typeprint.c | 6 ++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/gdb/ChangeLog b/gdb/ChangeLog
index c9fdd66..a7be826 100644
--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
@@ -1,3 +1,7 @@
+2017-02-27  Yao Qi  <yao.qi@linaro.org>
+
+	* f-typeprint.c (f_print_type): Check "varstring" is empty first.
+
 2017-02-26  Alan Hayward  <alan.hayward@arm.com>
 
 	* regcache.c (regcache_raw_update): New function.
diff --git a/gdb/f-typeprint.c b/gdb/f-typeprint.c
index da6ef4f..7dbe093 100644
--- a/gdb/f-typeprint.c
+++ b/gdb/f-typeprint.c
@@ -52,7 +52,6 @@ f_print_type (struct type *type, const char *varstring, struct ui_file *stream,
 	      int show, int level, const struct type_print_options *flags)
 {
   enum type_code code;
-  int demangled_args;
 
   if (type_not_associated (type))
     {
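Review bot: dropping `int demangled_args;` from function scope is fine on its own, since the variable is only used inside the `if (varstring != NULL)` block that the second hunk edits; this hunk has no behavioural effect and just narrows the scope to where the value is computed and consumed.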
@@ -81,12 +80,15 @@ f_print_type (struct type *type, const char *varstring, struct ui_file *stream,
 
   if (varstring != NULL)
     {
+      int demangled_args;
+
       fputs_filtered (varstring, stream);
 
       /* For demangled function names, we have the arglist as part of the name,
          so don't print an additional pair of ()'s.  */
 
-      demangled_args = varstring[strlen (varstring) - 1] == ')'; 
+      demangled_args = (*varstring != '\0'
+			&& varstring[strlen (varstring) - 1] == ')');
       f_type_print_varspec_suffix (type, stream, show, 0, demangled_args, 0);
    }
 }
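Review bot: the `*varstring != '\0'` guard is the right fix, and it is worth spelling out why in the comment above it: `strlen (varstring)` returns `size_t`, so for an empty string `strlen (varstring) - 1` wraps to `SIZE_MAX` rather than `-1`, and the old line indexed far beyond the buffer, which is the global-buffer-overflow ASAN reported. Because `&&` short-circuits, `strlen` is not evaluated at all when the string is empty, so no index is formed. Nit: the continuation line `&& varstring[strlen (varstring) - 1] == ')');` is indented with a tab while the lines around it use spaces; consistent with GNU style elsewhere in the file, so fine to keep.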

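The size_t wrap behind the bug the commit message describes, as an added example (not code from this commit or from GDB): `buggy_last_index` only computes the index the old line formed and never dereferences it, `has_demangled_args` is the guarded form the patch introduced, and `ends_with_char` is a hypothetical general helper that applies the same guard to any terminator.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The index the old line formed: strlen (s) - 1 in size_t arithmetic.
   For an empty string this wraps to SIZE_MAX, not -1, so s[idx] would
   read far past the end of the buffer.  We only compute the value here;
   dereferencing it is exactly the out-of-bounds read ASAN flagged.  */
size_t
buggy_last_index (const char *s)
{
  return strlen (s) - 1;
}

/* Guarded form, as introduced by the patch: the empty-string test
   short-circuits before strlen () is evaluated, so no index is formed
   for "" and the last byte is only examined when one exists.  */
int
has_demangled_args (const char *varstring)
{
  return (*varstring != '\0'
	  && varstring[strlen (varstring) - 1] == ')');
}

/* Hypothetical generalisation (not in GDB): does s end with c?  Keeping
   the length in a size_t and testing len > 0 before subtracting is the
   same guard, written so the wrap cannot occur.  */
int
ends_with_char (const char *s, char c)
{
  size_t len = strlen (s);
  return len > 0 && s[len - 1] == c;
}

int
main (void)
{
  printf ("index for \"\" would be %zu (SIZE_MAX is %zu)\n",
	  buggy_last_index (""), (size_t) SIZE_MAX);
  printf ("has_demangled_args(\"f(int)\") = %d\n", has_demangled_args ("f(int)"));
  printf ("has_demangled_args(\"\") = %d\n", has_demangled_args (""));
  return 0;
}
```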
