This is the mail archive of the gdb-patches@sourceware.org mailing list for the GDB project.



Re: [patch] buffer overflow in symtab_from_filename


On 11-08-25 01:33 PM, Tom Tromey wrote:
> "Aleksandar" == Aleksandar Ristovski <aristovski@qnx.com> writes:
>
> Aleksandar> Aleksandar Ristovski <aristovski@qnx.com>
> Aleksandar> 	* linespec.c (symtab_from_filename): Check for the end of string.
>
> What is the test case for this?

I didn't make one - I ran into the issue while doing something else.


In my case, I would get it with the command "b main": on entry to symtab_from_filename (called from decode_line_1, ln 879), argptr points to a pointer to the argument passed to the 'break' command; p (the argument value on entry) points to the end of the string ('\0'). This value is then assigned to p1.

lookup_symtab returns a symtab, and the code then goes on to increment p1 by one, making it point past the end of the string. After this point it is unpredictable what would happen, but what happened in my case is that *argptr got garbled (pointing to garbage past the end of the argument).

I think it is obvious enough to not warrant a separate test case?
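The pointer-advance pattern the reply describes, as an added C example that is not part of this thread and not GDB's own linespec.c code: a stand-in `fake_lookup_symtab` (constructed here; it "finds" a symtab for any non-empty name) reproduces the control flow, `consume_filename` applies the end-of-string check so that `*argptr` is never moved past the terminating NUL, and `unguarded_overshoot` reports, without performing the out-of-bounds access, how far an unconditional `p1++` would land past the terminator for a given argument. The function names and the ':' separator convention are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for lookup_symtab (not GDB's code): treats any
   non-empty name as a match, which is enough to reproduce the control
   flow described in the thread. */
static int fake_lookup_symtab(const char *name, size_t len)
{
    (void)name;
    return len > 0;
}

/* Scan the filename part of the argument: p1 runs forward to the ':'
   separator or to the end of the string, whichever comes first.
   Returns the length of the filename part and leaves p1 in *p1_out. */
static size_t scan_filename(const char *p, const char **p1_out)
{
    const char *p1 = p;
    while (*p1 != '\0' && *p1 != ':')
        p1++;
    *p1_out = p1;
    return (size_t)(p1 - p);
}

/* Guarded version: advance *argptr past the filename and, only when one
   is present, past the ':' separator.  Returns the number of bytes
   consumed, or -1 if the lookup failed.  *argptr never moves beyond
   the terminating NUL, which is the check the patch adds. */
int consume_filename(const char **argptr)
{
    const char *p = *argptr;
    const char *p1;
    size_t len = scan_filename(p, &p1);

    if (!fake_lookup_symtab(p, len))
        return -1;

    /* Only step over the separator if we are not already at the end. */
    if (*p1 != '\0')
        p1++;

    *argptr = p1;
    return (int)(p1 - p);
}

/* Models the unguarded behaviour without performing it: how many bytes
   past the terminating NUL would an unconditional `p1++` leave the
   pointer for this argument?  0 means the increment only skips a real
   separator; 1 is the overshoot the thread reports for "main". */
size_t unguarded_overshoot(const char *arg)
{
    const char *p1;
    size_t len = scan_filename(arg, &p1);
    size_t total = strlen(arg);
    size_t advanced;

    if (!fake_lookup_symtab(arg, len))
        return 0;

    advanced = (size_t)(p1 - arg) + 1;   /* the unconditional p1++ */
    return advanced > total ? advanced - total : 0;
}
```

With "foo.c:42" the guarded function consumes six bytes and leaves `*argptr` on "42"; with "main" it consumes four bytes and leaves `*argptr` on the NUL, whereas `unguarded_overshoot("main")` reports one byte past the terminator, matching the garbled `*argptr` described above.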


