This is the mail archive of the gdb-patches@sourceware.org mailing list for the GDB project.



Re: [commit] objc-lang.c: avoid string overrun


Hi Michael,

On Mon, 28 Feb 2011 03:15:47 +0100, Michael Snyder wrote:
> --- objc-lang.c	10 Jan 2011 20:38:49 -0000	1.91
> +++ objc-lang.c	28 Feb 2011 02:13:37 -0000
  char                   myregexp[2048];
> @@ -720,7 +720,7 @@ selectors_info (char *regexp, int from_t
>  	strcpy(myregexp, ".*]");
>        else
>  	{
> -	  strcpy(myregexp, regexp);
> +	  strncpy(myregexp, regexp, sizeof (myregexp) - 1);
>  	  if (myregexp[strlen(myregexp) - 1] == '$') /* end of selector */
>  	    myregexp[strlen(myregexp) - 1] = ']';    /* end of method name */
>  	  else
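Review bot: the `strncpy(myregexp, regexp, sizeof (myregexp) - 1)` line leaves `myregexp` without a terminating NUL whenever `regexp` is 2047 bytes or longer, because strncpy() only writes a NUL if the source ends within the count; `myregexp` is the automatic `char myregexp[2048]` shown above with no initializer, so the `strlen(myregexp)` on the very next line then reads past the copied bytes into whatever the stack held. Either store an explicit terminator after the copy (`myregexp[sizeof (myregexp) - 1] = '\0';`) or reject over-long input outright; silent truncation also changes the meaning of the pattern, since a trailing `$` that gets cut off is no longer rewritten to `]`.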

I agree it fixes a bug.  But still if the limit applies then the immediately
following strlen will read uninitialized memory myregexp[2047].

Do you agree with this fix instead?

(Yes, the code should be completely different but we fix only bugs now.)


Thanks,
Jan


gdb/
2011-02-28  Jan Kratochvil  <jan.kratochvil@redhat.com>

	* objc-lang.c (selectors_info): Error on too long REGEXP.

--- a/gdb/objc-lang.c
+++ b/gdb/objc-lang.c
@@ -720,7 +720,9 @@ selectors_info (char *regexp, int from_tty)
 	strcpy(myregexp, ".*]");
       else
 	{
-	  strncpy(myregexp, regexp, sizeof (myregexp) - 1);
+	  if (sizeof (myregexp) < strlen (regexp) + 1)
+	    error (_("Regexp is too long: %s"), regexp);
+	  strcpy(myregexp, regexp);
 	  if (myregexp[strlen(myregexp) - 1] == '$') /* end of selector */
 	    myregexp[strlen(myregexp) - 1] = ']';    /* end of method name */
 	  else
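Review bot: the new check is right (it rejects exactly the inputs for which `strlen (regexp) + 1` does not fit in the 2048-byte buffer, so the copy and the following `strlen(myregexp)` stay in bounds), but the context line `myregexp[strlen(myregexp) - 1]` still indexes `myregexp[-1]` when `regexp` is the empty string; since this hunk already introduces an input check before the copy, consider also calling error() on `*regexp == '\0'`, e.g. `if (*regexp == '\0' || sizeof (myregexp) < strlen (regexp) + 1)`.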


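As an added example that is not part of Michael's or Jan's patches nor of GDB itself: the two copy strategies side by side, with BUFSZ standing in for the 2048-byte myregexp[] of selectors_info(). The 'X' fill that stands in for uninitialised stack and the empty-regexp rejection in checked_copy() are constructed for this demo.

```c
#include <string.h>

#define BUFSZ 2048   /* mirrors char myregexp[2048] in selectors_info() */

/* Hazard in the first patch: copy a BUFSZ - 1 byte source with
   strncpy(dst, src, BUFSZ - 1).  strncpy() writes a NUL only if the source
   ends inside the count, so dst[BUFSZ - 1] keeps whatever the stack held
   ('X' here, constructed in place of uninitialised memory) and a following
   strlen(dst) runs off the end.  Returns 1 if no NUL was written. */
int strncpy_leaves_unterminated(void)
{
    char src[BUFSZ], dst[BUFSZ];
    memset(src, 'a', BUFSZ - 1);
    src[BUFSZ - 1] = '\0';
    memset(dst, 'X', BUFSZ);
    strncpy(dst, src, BUFSZ - 1);
    return dst[BUFSZ - 1] != '\0';
}

/* The checked form of the follow-up patch as a function: refuse input that
   does not fit with its NUL, then apply the '$' -> ']' rewrite the original
   code does.  Rejecting an empty string is an addition here (the patch does
   not guard it; the rewrite would index dst[-1]).  Returns 0 or -1. */
int checked_copy(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (len == 0 || dstsize < len + 1)
        return -1;
    strcpy(dst, src);
    if (dst[len - 1] == '$')        /* end of selector */
        dst[len - 1] = ']';         /* end of method name */
    return 0;
}

/* Demo helper: build a regexp of LEN bytes ending in LAST, run it through
   checked_copy() into a BUFSZ buffer and return the final byte, or -1 if
   the input was rejected. */
int try_regexp(size_t len, char last)
{
    char src[BUFSZ + 16], dst[BUFSZ];
    if (len + 1 > sizeof src)
        return -1;
    memset(src, 'a', len);
    if (len > 0)
        src[len - 1] = last;
    src[len] = '\0';
    return checked_copy(dst, sizeof dst, src) ? -1 : (unsigned char) dst[len - 1];
}
```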