From patchwork Fri Aug 2 15:53:07 2019
X-Patchwork-Submitter: Bogdan Harjoc
X-Patchwork-Id: 33923
Delivered-To: mailing list gdb-patches@sourceware.org
From: Bogdan Harjoc
Date: Fri, 2 Aug 2019 18:53:07 +0300
Subject: [PATCH] Fix out-of-bounds read in tui_addr_is_displayed
To: gdb-patches@sourceware.org

In tui_addr_is_displayed(), if win_info->content.size() is less than 2, then win_info->content.size () - threshold will wrap to SIZE_MAX if threshold = SCROLL_THRESHOLD = 2. The attached patch avoids calling win_info->content[i] below with i=0 which is past the end of the vector of size 0.

Bogdan

diff --git a/gdb/tui/tui-winsource.c b/gdb/tui/tui-winsource.c index 3de2692dee..3eb583b31d 100644 --- a/gdb/tui/tui-winsource.c +++ b/gdb/tui/tui-winsource.c @@ -742,7 +742,7 @@ tui_addr_is_displayed (CORE_ADDR addr, else threshold = 0; i = 0; - while (i < win_info->content.size () - threshold + while (i + threshold < win_info->content.size () && !is_displayed) { is_displayed
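Review bot: In the rewritten loop condition, `i + threshold < win_info->content.size ()` compares a sum of two variables whose declarations sit outside this hunk against an unsigned size; if `i` and `threshold` are plain int, the sum is converted to unsigned for the comparison, which is safe only because both stay non-negative, so declaring them as size_t (or adding a short comment on why the addition is on the left) would make the intent explicit and keep a later edit from moving the subtraction back. The bounds logic itself is sound: with an empty content vector the loop body, and so `win_info->content[i]`, is no longer reached. The diff touches only gdb/tui/tui-winsource.c, so it carries no ChangeLog entry and no test covering an empty or one-line source window; both would be worth adding with the fix.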