This is the mail archive of the
gdb-patches@sourceware.org
mailing list for the GDB project.
Re: [commit] objc-lang.c: avoid string overrun
- From: Jan Kratochvil <jan dot kratochvil at redhat dot com>
- To: Michael Snyder <msnyder at vmware dot com>
- Cc: "gdb-patches at sourceware dot org" <gdb-patches at sourceware dot org>
- Date: Mon, 28 Feb 2011 05:50:35 +0100
- Subject: Re: [commit] objc-lang.c: avoid string overrun
- References: <4D6B0553.6010803@vmware.com>
Hi Michael,
On Mon, 28 Feb 2011 03:15:47 +0100, Michael Snyder wrote:
> --- objc-lang.c 10 Jan 2011 20:38:49 -0000 1.91
> +++ objc-lang.c 28 Feb 2011 02:13:37 -0000
char myregexp[2048];
> @@ -720,7 +720,7 @@ selectors_info (char *regexp, int from_t
> strcpy(myregexp, ".*]");
> else
> {
> - strcpy(myregexp, regexp);
> + strncpy(myregexp, regexp, sizeof (myregexp) - 1);
> if (myregexp[strlen(myregexp) - 1] == '$') /* end of selector */
> myregexp[strlen(myregexp) - 1] = ']'; /* end of method name */
> else
I agree it fixes a bug. But still if the limit applies then the immediately
following strlen will read uninitialized memory myregexp[2047].
Do you agree with this fix instead?
(Yes, the code should be completely different but we fix only bugs now.)
Thanks,
Jan
gdb/
2011-02-28 Jan Kratochvil <jan.kratochvil@redhat.com>
* objc-lang.c (selectors_info): Error on too long REGEXP.
--- a/gdb/objc-lang.c
+++ b/gdb/objc-lang.c
@@ -720,7 +720,9 @@ selectors_info (char *regexp, int from_tty)
strcpy(myregexp, ".*]");
else
{
- strncpy(myregexp, regexp, sizeof (myregexp) - 1);
+ if (sizeof (myregexp) < strlen (regexp) + 1)
+ error (_("Regexp is too long: %s"), regexp);
+ strcpy(myregexp, regexp);
if (myregexp[strlen(myregexp) - 1] == '$') /* end of selector */
myregexp[strlen(myregexp) - 1] = ']'; /* end of method name */
else