From patchwork Fri Mar 20 08:03:14 2015
X-Patchwork-Submitter: Eli Zaretskii
X-Patchwork-Id: 5715
Date: Fri, 20 Mar 2015 10:03:14 +0200
From: Eli Zaretskii
Subject: Re: [PATCH] TUI: Fix buffer overflow in tui_expand_tabs
To: Doug Evans
Cc: anton@samba.org, gdb-patches@sourceware.org
Message-id: <838uesw0xp.fsf@gnu.org>
References: <20150317103009.538f2b3d@kryten>

> Date: Thu, 19 Mar 2015 15:57:58 -0700
> From: Doug Evans > Cc: gdb-patches , Eli Zaretskii > > > +2015-03-17 Anton Blanchard > > + > > + * tui/tui-io.c (tui_expand_tabs): Zero col before reusing. > > + > > 2015-03-16 John Baldwin > > > > * fbsd-tdep.c (fbsd_make_corefile_notes): Fetch all target registers > > diff --git a/gdb/tui/tui-io.c b/gdb/tui/tui-io.c > > index a8af9b6..02ae17d 100644 > > --- a/gdb/tui/tui-io.c > > +++ b/gdb/tui/tui-io.c > > @@ -690,7 +690,7 @@ tui_expand_tabs (const char *string, int col) > > ret = q = xmalloc (strlen (string) + n_adjust + 1); > > > > /* 2. Copy the original string while replacing TABs with spaces. */ > > - for (s = string; s; ) > > + for (col = 0, s = string; s; ) > > { > > char *s1 = strpbrk (s, "\t"); > > if (s1) > > Hi. > > col needs to be reset to its original value on function entry, right? > I suggest changing the code so that col is left unmodified, > and use a new variable to track the advance of col in both loops. Sorry about the bug. Does the below look correct? --- gdb/tui/tui-io.c~ 2015-02-20 19:11:44.000000000 +0200 +++ gdb/tui/tui-io.c 2015-03-20 10:01:11.289375000 +0200 @@ -761,6 +761,7 @@ tui_expand_tabs (const char *string, int int n_adjust; const char *s; char *ret, *q; + int nc = col; /* 1. How many additional characters do we need? */ for (n_adjust = 0, s = string; s; ) @@ -768,10 +769,10 @@ tui_expand_tabs (const char *string, int s = strpbrk (s, "\t"); if (s) { - col += (s - string) + n_adjust; + nc += (s - string) + n_adjust; /* Adjustment for the next tab stop, minus one for the TAB we replace with spaces. */ - n_adjust += 8 - (col % 8) - 1; + n_adjust += 8 - (nc % 8) - 1; s++; } } @@ -780,7 +781,7 @@ tui_expand_tabs (const char *string, int ret = q = xmalloc (strlen (string) + n_adjust + 1); /* 2. Copy the original string while replacing TABs with spaces. */ - for (s = string; s; ) + for (s = string, nc = col; s; ) { char *s1 = strpbrk (s, "\t"); if (s1) 
@@ -789,12 +790,12 @@ tui_expand_tabs (const char *string, int { strncpy (q, s, s1 - s); q += s1 - s; - col += s1 - s; + nc += s1 - s; } do { *q++ = ' '; - col++; - } while ((col % 8) != 0); + nc++; + } while ((nc % 8) != 0); s1++; } else
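Review bot: the new `nc` in the first hunk (@@ -761,6 +761,7 @@) deserves a one-line comment on its declaration, because the reason it exists is easy to lose: `col` is the caller's starting column and must survive the first loop untouched so that the second loop can restart from it, which is exactly what the earlier `col = 0` version got wrong. Something like `/* Running column; COL itself must stay unmodified.  */` next to `int nc = col;` would keep the next reader from folding the two variables back together.

Review bot: in the second hunk (@@ -768,10 +769,10 @@) the column estimate is still wrong for a string containing more than one TAB, so the size passed to `xmalloc` can be smaller than what the second loop writes. `nc += (s - string) + n_adjust;` adds the TAB's offset from the start of the string, but `nc` already holds the column reached at the previous TAB, so from the second TAB on the text before the earlier TAB is counted twice; the second loop (`nc += s1 - s;` and then `nc++` per inserted space) only measures the advance since the last TAB, so the two loops disagree. With col = 0 and the string "a\tb\tc", loop 1 computes nc = 1 and then nc = 10, giving n_adjust = 6 + 5 = 11 and a 17-byte allocation, while loop 2 emits "a", 7 spaces, "b", 7 spaces and "c" plus the terminating NUL, 18 bytes. I suggest counting in loop 1 the same way loop 2 does: advance `nc` by the text since the previous TAB (keep a pointer to the character after it), add `8 - (nc % 8) - 1` to `n_adjust`, then round `nc` up to the next tab stop before moving on, so both loops land on the same column at every TAB.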