From patchwork Mon Jan 6 10:26:49 2020
X-Patchwork-Submitter: Shahab Vahedi
X-Patchwork-Id: 37207
From: Shahab Vahedi
To: gdb-patches@sourceware.org
Cc: Shahab Vahedi, Claudiu Zissulescu, Francois Bedard
Subject: [PATCH v2] GDB: Fix the overflow in addr_is_displayed()
Date: Mon, 6 Jan 2020 11:26:49 +0100
Message-Id: <20200106102649.15710-1-shahab.vahedi@gmail.com>

From: Shahab Vahedi

In a corner case scenario, where the height of the assembly TUI is bigger
than the number of instructions in the whole program, GDB dumps core.
The problem roots in this condition check:

  int i = 0;
  while (i < content.size () - threshold ...)
    {
      ... content[i] ...
    }

"threshold" is 2 and there are times that "content.size ()" is 0. This
results in an overflow and the loop is entered whereas it should have
been skipped.

This has been discussed at length in bug 25345:
https://sourceware.org/bugzilla/show_bug.cgi?id=25345

As a bonus, a few trailing spaces are also removed.

gdb/ChangeLog:
2020-01-04  Shahab Vahedi

	* tui/tui-disasm.c (tui_disasm_window::addr_is_displayed): Treat
	"content.size ()" as "int" to avoid overflow.
	* tui/tui-disasm.c: Remove trailing spaces.
---
 gdb/tui/tui-disasm.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/gdb/tui/tui-disasm.c b/gdb/tui/tui-disasm.c index c72b50730b0..68744cc61e3 100644 --- a/gdb/tui/tui-disasm.c +++ b/gdb/tui/tui-disasm.c @@ -43,7 +43,7 @@ #include "gdb_curses.h" -struct tui_asm_line +struct tui_asm_line { CORE_ADDR addr; std::string addr_string; @@ -150,7 +150,7 @@ tui_find_disassembly_address (struct gdbarch *gdbarch, CORE_ADDR pc, int from) CORE_ADDR last_addr; int pos; struct bound_minimal_symbol msymbol; - + /* Find backward an address which is a symbol and for which disassembling from that address will fill completely the window. */
@@ -176,7 +176,7 @@ tui_find_disassembly_address (struct gdbarch *gdbarch, CORE_ADDR pc, int from) do { CORE_ADDR next_addr; - + pos++; if (pos >= max_lines) pos = 0; @@ -349,10 +349,10 @@ bool tui_disasm_window::addr_is_displayed (CORE_ADDR addr) const { bool is_displayed = false; - int threshold = SCROLL_THRESHOLD; + int nr_of_lines = (int) content. size() - SCROLL_THRESHOLD; int i = 0; - while (i < content.size () - threshold && !is_displayed) + while (i < nr_of_lines && !is_displayed) { is_displayed = (content[i].line_or_addr.loa == LOA_ADDRESS
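Review bot: in the addr_is_displayed hunk, the new bound `(int) content. size() - SCROLL_THRESHOLD` cures the size_t wraparound only by narrowing size() to int, which is fine for a TUI window's handful of lines but deserves a one-line comment stating that the signed subtraction is intentional (a size smaller than SCROLL_THRESHOLD must produce a negative bound so the loop is skipped), because a bare `(int)` cast otherwise reads like a sign-compare warning being silenced. The added line also reads `content. size()` whereas GDB's GNU style, as in the removed line `content.size () - threshold`, puts the space before the parenthesis.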
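The size_t wraparound the commit message calls an overflow, shown as an added C++ example that is not code from this patch or the GDB tree: `AsmLine`, `kScrollThreshold` and the simplified `addr_is_displayed` are constructed stand-ins for GDB's `tui_asm_line`, `SCROLL_THRESHOLD` and the real method, and the two `loop_entered_*` helpers isolate the old and new loop conditions.

```cpp
// Added example (not from the GDB patch or tree): why the original
// "i < content.size () - threshold" loop runs on an empty window, and
// how the signed arithmetic from the patch avoids it.
#include <cstddef>
#include <vector>

// Constructed stand-ins for GDB's tui_asm_line and SCROLL_THRESHOLD.
constexpr int kScrollThreshold = 2;
enum LineKind { kAddress, kLineNumber };
struct AsmLine { LineKind kind; unsigned long addr; };

// Original condition: 'i' and 'threshold' are converted to size_t, so
// size - threshold wraps to a huge value when size < threshold and the
// loop body (which indexes content[i]) runs on an empty vector.
bool loop_entered_unsigned(std::size_t size, int threshold)
{
  int i = 0;
  // What the implicit usual-arithmetic conversions do, written out.
  std::size_t bound = size - static_cast<std::size_t>(threshold);
  return static_cast<std::size_t>(i) < bound;
}

// Patched condition: subtract in int, so fewer than 'threshold' lines
// gives a negative bound and the loop is skipped.
bool loop_entered_signed(std::size_t size, int threshold)
{
  int nr_of_lines = static_cast<int>(size) - threshold;
  int i = 0;
  return i < nr_of_lines;
}

// Simplified addr_is_displayed() using the patched bound: an address
// counts as displayed only above the bottom kScrollThreshold lines.
bool addr_is_displayed(const std::vector<AsmLine> &content, unsigned long addr)
{
  bool is_displayed = false;
  int nr_of_lines = static_cast<int>(content.size()) - kScrollThreshold;
  int i = 0;
  while (i < nr_of_lines && !is_displayed)
    {
      is_displayed = (content[i].kind == kAddress && content[i].addr == addr);
      i++;
    }
  return is_displayed;
}
```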