[gdb] Fix heap-buffer-overflow in completion_tracker::build_completion_result
When building gdb with address sanitizer and running test-case
gdb.base/completion.exp, we run into:
...
==5743==ERROR: AddressSanitizer: heap-buffer-overflow on address \
0x60200025c02f at pc 0x000000cd9d64 bp 0x7fff3297da30 sp 0x7fff3297da28
READ of size 1 at 0x60200025c02f thread T0
#0 0xcd9d63 in completion_tracker::build_completion_result(char const*, \
int, int) gdb/completer.c:2258
...
0x60200025c02f is located 1 bytes to the left of 1-byte region \
[0x60200025c030,0x60200025c031)
...
This can be reproduced using just:
...
$ gdb
(gdb) p/d[TAB]
...
The problem is in this code in completion_tracker::build_completion_result:
...
bool completion_suppress_append
= (suppress_append_ws ()
|| match_list[0][strlen (match_list[0]) - 1] == ' ');
...
If strlen (match_list[0]) == 0, then we access match_list[0][-1].
Fix this by testing if the memory access is in bounds before doing the memory
access.
Tested on x86_64-linux.
gdb/ChangeLog:
2020-12-04 Tom de Vries <tdevries@suse.de>
PR gdb/27003
* completer.c (completion_tracker::build_completion_result): Don't
access match_list[0][-1].
projects / binutils-gdb.git / commit