libctf, lookup: fix bounds of pptrtab lookup
author Nick Alcock <nick.alcock@oracle.com>
Mon, 27 Sep 2021 19:31:21 +0000 (20:31 +0100)
committer Nick Alcock <nick.alcock@oracle.com>
Mon, 27 Sep 2021 19:31:26 +0000 (20:31 +0100)
commit 6ab5b6d0f3adc36303d2cc5308a92cf95e2801f9
tree 93320a807a43abf51f1ea4fb91f1a15a7908ae95
parent e695879142a8e8b9f7e220a7919f38ad3ee614e6
libctf, lookup: fix bounds of pptrtab lookup

An off-by-one bug in the check for pptrtab lookup meant that we could
access the pptrtab past its bounds (*well* past its bounds),
particularly if we called ctf_lookup_by_name in a child dict with "*foo"
where "foo" is a type that exists in the parent but not the child and no
previous lookups by name have been carried out.  (Note that "*foo" is
not even a valid thing to call ctf_lookup_by_name with: foo * is.
Nonetheless, users sometimes do call ctf_lookup_by_name with invalid
content, and it should return ECTF_NOTYPE, not crash.)

ctf_pptrtab_len, as its name suggests (and as other tests of it in
ctf-lookup.c confirm), is one higher than the maximum valid permissible
index, so the comparison is wrong.

(Test added, which should fail pretty reliably in the presence of this
bug on any machine with 4KiB pages.)

libctf/ChangeLog
2021-09-27  Nick Alcock  <nick.alcock@oracle.com>

* ctf-lookup.c (ctf_lookup_by_name_internal): Fix pptrtab bounds.
* testsuite/libctf-writable/pptrtab-writable-page-deep-lookup.*:
New test.
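An added illustration of the off-by-one the message describes, constructed for this page and not libctf's own code: a per-dict pointer table whose length field is one higher than the maximum valid index, with the wrong `<=` comparison beside the corrected `<`, and a lookup that reports "no such type" for out-of-range indexes instead of reading past the table. The struct, function names and error value are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins: libctf's real structures and error codes are not on the page. */
#define MODEL_NOTYPE (-1)

struct model_dict
{
  const uint32_t *pptrtab;   /* parent type index -> pointer-type ID in this child dict */
  uint32_t pptrtab_len;      /* one higher than the maximum valid index */
};

/* The off-by-one: idx == pptrtab_len passes, so a read would land one element past the end. */
int
pptrtab_index_ok_buggy (uint32_t pptrtab_len, uint32_t idx)
{
  return idx <= pptrtab_len;
}

/* Corrected form: the length is exclusive, so only idx < pptrtab_len names a real slot. */
int
pptrtab_index_ok_fixed (uint32_t pptrtab_len, uint32_t idx)
{
  return idx < pptrtab_len;
}

/* Lookup using the corrected check: an index outside the table is a "no such type"
   result, never an out-of-bounds read.  */
int64_t
pptrtab_lookup (const struct model_dict *fp, uint32_t idx)
{
  if (!pptrtab_index_ok_fixed (fp->pptrtab_len, idx))
    return MODEL_NOTYPE;
  return fp->pptrtab[idx];
}

/* Constructed sample: a child dict whose table covers parent indexes 0..2 only. */
static const uint32_t sample_tab[3] = { 0x80000001u, 0u, 0x80000002u };
static const struct model_dict sample_dict = { sample_tab, 3 };

int
main (void)
{
  /* Index 3 equals pptrtab_len: the buggy check lets it through, the fixed one rejects it. */
  printf ("buggy accepts len: %d, fixed accepts len: %d, lookup(3) = %lld\n",
          pptrtab_index_ok_buggy (3, 3), pptrtab_index_ok_fixed (3, 3),
          (long long) pptrtab_lookup (&sample_dict, 3));
  return 0;
}
```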
libctf/ChangeLog
libctf/ctf-lookup.c
libctf/testsuite/libctf-writable/pptrtab-writable-page-deep-lookup.c [new file with mode: 0644]
libctf/testsuite/libctf-writable/pptrtab-writable-page-deep-lookup.lk [new file with mode: 0644]