This is the mail archive of the
gdb-patches@sourceware.org
mailing list for the GDB project.
Re: [PATCH] TUI: Fix buffer overflow in tui_expand_tabs
- From: Anton Blanchard <anton at samba dot org>
- To: gdb-patches at sourceware dot org, eliz at gnu dot org
- Date: Fri, 20 Mar 2015 08:44:12 +1100
- Subject: Re: [PATCH] TUI: Fix buffer overflow in tui_expand_tabs
- Authentication-results: sourceware.org; auth=none
- References: <20150317103009 dot 538f2b3d at kryten>
Hi,
> tui_expand_tabs writes past the end of the buffers it allocates
> because we forget to zero out col. This results in us adding more
> spaces than we need to get aligned, and we write past the end of the
> allocated buffer.
>
> This was noticed on Ubuntu Vivid ppc64le, where gdb would SEGV when
> using the TUI.
Any feedback on this? We either need to fix it, or back out commit
312809f88389 ("Make sure TABs are expanded in TUI windows on
MS-Windows.")
Anton
> 2015-03-17 Anton Blanchard <anton@samba.org>
>
> gdb/ChangeLog:
> * tui/tui-io.c (tui_expand_tabs): Zero col before reusing.
> ---
> gdb/ChangeLog | 4 ++++
> gdb/tui/tui-io.c | 2 +-
> 2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/gdb/ChangeLog b/gdb/ChangeLog
> index d984565..4e0177a 100644
> --- a/gdb/ChangeLog
> +++ b/gdb/ChangeLog
> @@ -1,3 +1,7 @@
> +2015-03-17 Anton Blanchard <anton@samba.org>
> +
> + * tui/tui-io.c (tui_expand_tabs): Zero col before reusing.
> +
> 2015-03-16 John Baldwin <jhb@FreeBSD.org>
>
> * fbsd-tdep.c (fbsd_make_corefile_notes): Fetch all target
> registers diff --git a/gdb/tui/tui-io.c b/gdb/tui/tui-io.c
> index a8af9b6..02ae17d 100644
> --- a/gdb/tui/tui-io.c
> +++ b/gdb/tui/tui-io.c
> @@ -690,7 +690,7 @@ tui_expand_tabs (const char *string, int col)
> ret = q = xmalloc (strlen (string) + n_adjust + 1);
>
> /* 2. Copy the original string while replacing TABs with spaces.
> */
> - for (s = string; s; )
> + for (col = 0, s = string; s; )
> {
> char *s1 = strpbrk (s, "\t");
> if (s1)