Patchwork Fix out-of-bounds read in tui_addr_is_displayed

Submitter Bogdan Harjoc
Date Aug. 2, 2019, 3:53 p.m.
Message ID <CAF4+tmpJNzzf6hDFdLC8DJCRtcEP9hTAgaiyBMGK2VA4AJQDHA@mail.gmail.com>
Permalink /patch/33923/
State New

Comments

Bogdan Harjoc - Aug. 2, 2019, 3:53 p.m.
In tui_addr_is_displayed(), if win_info->content.size() is less than 2, then

  win_info->content.size () - threshold

will wrap to SIZE_MAX if threshold = SCROLL_THRESHOLD = 2.

The attached patch avoids calling win_info->content[i] below with i=0
which is past the end of the vector of size 0.

Bogdan
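
The wrap described in the message above, as an added example that is not part of the original thread or of gdb's code: it compares the pre-patch and patched loop conditions and counts the indices each one admits past the end of the vector, without ever dereferencing it. `content_t`, `admits_old`, `admits_new` and `oob_indices` are hypothetical names, and the vector of `int` is a constructed stand-in for the window content.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed stand-in for the window's line vector; not gdb's types.
using content_t = std::vector<int>;

// Pre-patch loop condition: size() - threshold is computed in size_t,
// so it wraps to a huge value whenever size() < threshold.
static bool admits_old(std::size_t i, const content_t &c, std::size_t threshold)
{
  return i < c.size() - threshold;
}

// Patched loop condition: the sum stays small, so nothing wraps here.
static bool admits_new(std::size_t i, const content_t &c, std::size_t threshold)
{
  return i + threshold < c.size();
}

// Count the loop indices a condition admits that lie past the end of the
// vector. The walk is capped at `limit` and never indexes the vector.
template <typename Cond>
static std::size_t oob_indices(Cond admits, const content_t &c,
                               std::size_t threshold, std::size_t limit = 8)
{
  std::size_t oob = 0;
  for (std::size_t i = 0; i < limit && admits(i, c, threshold); i++)
    if (i >= c.size())
      oob++;
  return oob;
}

int main()
{
  const std::size_t threshold = 2;  // SCROLL_THRESHOLD, per the message
  for (std::size_t n = 0; n <= 4; n++)
    {
      content_t c(n);
      std::printf("size=%zu old_oob=%zu new_oob=%zu\n", n,
                  oob_indices(admits_old, c, threshold),
                  oob_indices(admits_new, c, threshold));
    }
  return 0;
}
```

For sizes at or above the threshold the two conditions admit the same indices, so the patch only changes behaviour for the short vectors that triggered the wrap.
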
Tom Tromey - Aug. 2, 2019, 6:07 p.m.
>>>>> "Bogdan" == Bogdan Harjoc <harjoc@gmail.com> writes:

Bogdan> In tui_addr_is_displayed(), if win_info->content.size() is less than 2, then
Bogdan>   win_info->content.size () - threshold

Bogdan> will wrap to SIZE_MAX if threshold = SCROLL_THRESHOLD = 2.

Bogdan> The attached patch avoids calling win_info->content[i] below with i=0
Bogdan> which is past the end of the vector of size 0.

Thank you for the patch.  Nice catch.

This needs a ChangeLog entry but is otherwise ok.

Tom

Patch

diff --git a/gdb/tui/tui-winsource.c b/gdb/tui/tui-winsource.c
index 3de2692dee..3eb583b31d 100644
--- a/gdb/tui/tui-winsource.c
+++ b/gdb/tui/tui-winsource.c
@@ -742,7 +742,7 @@  tui_addr_is_displayed (CORE_ADDR addr,
   else
     threshold = 0;
   i = 0;
-  while (i < win_info->content.size () - threshold
+  while (i + threshold < win_info->content.size ()
 	 && !is_displayed)
     {
       is_displayed
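
Review bot: The rewritten `while` condition should carry a short comment saying that the bound is deliberately written as `i + threshold < win_info->content.size ()`, because the subtraction it replaces is done in an unsigned type and wraps when the vector holds fewer entries than `threshold`; without that note a later cleanup could easily restore the subtractive form. The declarations of `i` and `threshold` are outside this hunk, so it is also worth confirming that the new comparison does not mix signed and unsigned operands in a way that draws a compiler warning. As the review reply says, the submission still needs a ChangeLog entry.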