This is the mail archive of the gdb-patches@sourceware.org mailing list for the GDB project.
Re: [PATCH] PR 16286: Reading python value as string beyond declared size
- From: Pedro Alves <palves at redhat dot com>
- To: Doug Evans <dje at google dot com>
- Cc: gdb-patches at sourceware dot org, brobecker at adacore dot com, saugustine at google dot com
- Date: Tue, 03 Dec 2013 20:29:04 +0000
- Subject: Re: [PATCH] PR 16286: Reading python value as string beyond declared size
- References: <yjt2haaqyhe7 dot fsf at ruffy dot mtv dot corp dot google dot com>
On 12/02/2013 11:14 PM, Doug Evans wrote:
> + if (*length > 0)
> + fetchlimit = UINT_MAX;
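Review bot: Setting fetchlimit to UINT_MAX under `if (*length > 0)` drops the bound the caller supplied instead of applying it; the guard reads as intending `fetchlimit = *length;`. The fragment also arrives without surrounding context, so its interaction with the earlier fetchlimit computation cannot be checked from the hunk alone; please repost it with context lines.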
Shouldn't this be:

  if (*length > 0)
    fetchlimit = *length;

? That is, if the caller specified a limit, why do we go over it?
Couldn't this new check be merged above where we compute
fetchlimit to begin with? With the comment there adjusted to
something like:
+  /* If we have an explicit requested length, use that as fetchlimit.
+     Otherwise, if we know the size of the array, we can use it as
+     a limit on the number of characters to be fetched.  */
BTW, it looks like the not_lval/lval_internalvar path can
blindly read beyond the value's contents buffer, if *length
is bigger than the value's contents buffer size:
      /* If the string lives in GDB's memory instead of the inferior's,
         then we just need to copy it to BUFFER.  Also, since such strings
         are arrays with known size, FETCHLIMIT will hold the size of the
         array.  */
      if ((VALUE_LVAL (value) == not_lval
           || VALUE_LVAL (value) == lval_internalvar)
          && fetchlimit != UINT_MAX)
        {
          int i;
          const gdb_byte *contents = value_contents (value);

          /* If a length is specified, use that.  */
          if (*length >= 0)
            i = *length;
            ^^^^^^^^^^^^^
          else
            /* Otherwise, look for a null character.  */
            for (i = 0; i < fetchlimit; i++)
              if (extract_unsigned_integer (contents + i * width,
                                            width, byte_order) == 0)
                break;

          /* I is now either a user-defined length, the number of non-null
             characters, or FETCHLIMIT.  */
          *length = i * width;
          *buffer = xmalloc (*length);
          memcpy (*buffer, contents, *length);
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
--
Pedro Alves
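An added example, not from the patch or from GDB, of the bound the reply asks for on the not_lval/lval_internalvar path: an explicit requested length becomes the fetch limit, but a request larger than the declared array size is refused rather than passed to memcpy, so the copy cannot read past the contents buffer. struct host_value, is_null_char and host_get_string are assumed stand-ins; GDB's own value type and helpers are not used.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a GDB value whose contents live in GDB's own
   memory (the not_lval / lval_internalvar case).  Assumed, not GDB's type.  */
struct host_value
{
  const unsigned char *contents;  /* what value_contents () would return */
  size_t nelems;                  /* declared array length, in characters */
  size_t width;                   /* bytes per character */
};

/* True if character I of V is all-zero bytes (a terminator of any width).  */
static int
is_null_char (const struct host_value *v, size_t i)
{
  size_t b;
  for (b = 0; b < v->width; b++)
    if (v->contents[i * v->width + b] != 0)
      return 0;
  return 1;
}

/* Bounded copy: an explicit *LENGTH (or -1 to scan for a terminator) is
   the fetch limit, but it is never allowed past the declared size, so the
   memcpy cannot read beyond V->contents.  Returns a malloc'd buffer and
   sets *LENGTH to the bytes copied, or NULL (leaving *LENGTH untouched)
   when the explicit request exceeds the declared size.  */
static unsigned char *
host_get_string (const struct host_value *v, int *length)
{
  size_t fetchlimit = (*length >= 0) ? (size_t) *length : v->nelems;
  size_t i;
  unsigned char *buf;
  if (fetchlimit > v->nelems)
    return NULL;                      /* caller asked for more than exists */
  if (*length >= 0)
    i = fetchlimit;                   /* a length was specified: use it */
  else
    for (i = 0; i < fetchlimit; i++)  /* otherwise look for a null char */
      if (is_null_char (v, i))
        break;
  *length = (int) (i * v->width);
  buf = malloc (*length ? (size_t) *length : 1);
  if (buf != NULL)
    memcpy (buf, v->contents, (size_t) *length);
  return buf;
}
```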