This is the mail archive of the gdb-patches@sourceware.org mailing list for the GDB project.



Re: [commit] objc-lang.c: avoid string overrun


Jan Kratochvil wrote:
Hi Michael,

On Mon, 28 Feb 2011 03:15:47 +0100, Michael Snyder wrote:
--- objc-lang.c	10 Jan 2011 20:38:49 -0000	1.91
+++ objc-lang.c	28 Feb 2011 02:13:37 -0000
char myregexp[2048];
@@ -720,7 +720,7 @@ selectors_info (char *regexp, int from_t
 	strcpy(myregexp, ".*]");
       else
 	{
-	  strcpy(myregexp, regexp);
+	  strncpy(myregexp, regexp, sizeof (myregexp) - 1);
 	  if (myregexp[strlen(myregexp) - 1] == '$') /* end of selector */
 	    myregexp[strlen(myregexp) - 1] = ']';    /* end of method name */
 	  else
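Review bot: the copy on the `+` line, `strncpy(myregexp, regexp, sizeof (myregexp) - 1);`, stops the overflow but does not NUL-terminate the buffer: strncpy writes no terminator when the source is at least n bytes long, so for a regexp of 2047 or more characters myregexp[2047] keeps whatever was on the stack and the `strlen(myregexp)` on the very next line reads past the copied bytes. Either add `myregexp[sizeof (myregexp) - 1] = '\0';` directly after the copy, or refuse the input with an error; the error has the further advantage of not silently truncating the pattern (a truncated regexp whose trailing `$` was cut off would no longer be rewritten to `]`).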

I agree it fixes a bug. But still, if the limit applies, the immediately following strlen will read uninitialized memory at myregexp[2047].

Do you agree with this fix instead?

(Yes, the code should be completely different but we fix only bugs now.)

OK, please apply.


gdb/
2011-02-28  Jan Kratochvil  <jan.kratochvil@redhat.com>

* objc-lang.c (selectors_info): Error on too long REGEXP.

--- a/gdb/objc-lang.c
+++ b/gdb/objc-lang.c
@@ -720,7 +720,9 @@ selectors_info (char *regexp, int from_tty)
 	strcpy(myregexp, ".*]");
       else
 	{
-	  strncpy(myregexp, regexp, sizeof (myregexp) - 1);
+	  if (sizeof (myregexp) < strlen (regexp) + 1)
+	    error (_("Regexp is too long: %s"), regexp);
+	  strcpy(myregexp, regexp);
 	  if (myregexp[strlen(myregexp) - 1] == '$') /* end of selector */
 	    myregexp[strlen(myregexp) - 1] = ']';    /* end of method name */
 	  else
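Review bot: the new check `if (sizeof (myregexp) < strlen (regexp) + 1)` accounts for the terminator, so the `strcpy(myregexp, regexp);` that follows can no longer overflow; two smaller points remain. Style: the added `strlen (regexp)` and `error (_(...))` use GNU spacing while the re-added `strcpy(myregexp, regexp)` keeps the old `strcpy(` form, so consider `strcpy (myregexp, regexp);` since the line is being touched anyway. And the unchanged `myregexp[strlen(myregexp) - 1]` two lines below still indexes myregexp[-1] if regexp is the empty string; if this branch can be reached with an empty regexp, a `strlen (regexp) == 0` check belongs beside the new one.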

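Jan's point about the limit, as an added C example that is not part of this thread or of GDB's source: a function mirroring the patched branch of selectors_info (a -1 return stands in for error (), and the function names and the boundary harness are assumed), with a harness that checks the 2047/2048 boundary and the trailing-`$` rewrite.

```c
/* Added example, not GDB's code: the selectors_info buffer handling in
   the form Jan's patch proposes (reject an over-long REGEXP, then strcpy).
   Function names and the -1 error return are hypothetical stand-ins.  */
#include <stddef.h>
#include <string.h>

#define MYREGEXP_SIZE 2048   /* size of myregexp in objc-lang.c */

/* Mirrors the patched branch: -1 where objc-lang.c calls error (), else
   copy and rewrite a trailing '$' to ']' as the original does.  The
   LEN > 0 guard is added so an empty REGEXP cannot index myregexp[-1].
   Note that strncpy (dst, src, size - 1) instead of this check would leave
   dst[size - 1] unterminated whenever LEN >= size - 1.  */
int
prepare_selector_regexp (char *myregexp, size_t size, const char *regexp)
{
  size_t len = strlen (regexp);
  if (size < len + 1)           /* Jan's check: the NUL must fit too */
    return -1;
  strcpy (myregexp, regexp);    /* safe: length verified above */
  if (len > 0 && myregexp[len - 1] == '$')   /* end of selector */
    myregexp[len - 1] = ']';                 /* end of method name */
  return 0;
}

/* Boundary harness: LEN 'a' characters against a MYREGEXP_SIZE buffer.
   Returns what prepare_selector_regexp returns (0 fits, -1 rejected).  */
int
try_length (size_t len)
{
  char regexp[MYREGEXP_SIZE + 2];
  char myregexp[MYREGEXP_SIZE];
  if (len > MYREGEXP_SIZE + 1)
    return -2;                  /* harness limit, not part of the pattern */
  memset (regexp, 'a', len);
  regexp[len] = '\0';
  return prepare_selector_regexp (myregexp, sizeof (myregexp), regexp);
}

/* Last character after preparation, or '\0' if REGEXP is empty or rejected.  */
char
last_char_after (const char *regexp)
{
  char myregexp[MYREGEXP_SIZE];
  if (prepare_selector_regexp (myregexp, sizeof (myregexp), regexp) != 0
      || myregexp[0] == '\0')
    return '\0';
  return myregexp[strlen (myregexp) - 1];
}
```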
