When setting the window title of a tui frame we do this:

  gdb::unique_xmalloc_ptr<char> value
    = python_string_to_host_string (<python-object>);
  ...
  win->window->title = value.get ();

The problem here is that 'get ()' only borrows the pointer from value;
when value goes out of scope the pointer will be freed.  As a result,
the tui frame will be left with a pointer to undefined memory
contents.

Instead we should be using 'value.release ()' to take ownership of the
pointer from value.

gdb/ChangeLog:

	* python/py-tui.c (gdbpy_tui_set_title): Use release, not get, to
	avoid use after free.
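
The borrow-versus-ownership difference described in the commit message, as an added example that is not part of the commit or of GDB's code. The names counting_free, owned_cstr, fake_window and make_title are constructed stand-ins; the deleter counts frees so the dangling pointer never has to be dereferenced.

```cpp
#include <cstdlib>
#include <cstring>
#include <memory>

// Constructed stand-ins (assumptions, not GDB's definitions).
static int g_frees = 0;                 // buffers freed by the deleter so far

struct counting_free                    // models a free()-style deleter
{
  void operator() (char *p) const { ++g_frees; std::free (p); }
};
using owned_cstr = std::unique_ptr<char, counting_free>;

struct fake_window { const char *title = nullptr; };

static owned_cstr make_title (const char *s)
{
  char *buf = static_cast<char *> (std::malloc (std::strlen (s) + 1));
  if (buf == nullptr)
    std::abort ();
  std::strcpy (buf, s);
  return owned_cstr (buf);
}

// Buggy shape: get () only borrows, so the buffer dies with 'value'.
int frees_after_get ()
{
  fake_window win;
  g_frees = 0;
  {
    owned_cstr value = make_title ("demo");
    win.title = value.get ();
  }                                     // value destroyed, buffer freed
  // win.title now dangles; it is deliberately never dereferenced.
  return g_frees;
}

// Fixed shape: release () hands the buffer to the window.
int frees_after_release ()
{
  fake_window win;
  g_frees = 0;
  {
    owned_cstr value = make_title ("demo");
    win.title = value.release ();
  }                                     // value is empty, nothing freed
  int frees = g_frees;
  bool intact = std::strcmp (win.title, "demo") == 0;
  std::free (const_cast<char *> (win.title));  // the new owner must free it
  return intact ? frees : -1;
}
```
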
+2020-06-05 Andrew Burgess <andrew.burgess@embecosm.com>
+
+ * python/py-tui.c (gdbpy_tui_set_title): Use release, not get, to
+ avoid use after free.
+
2020-06-05 Tom de Vries <tdevries@suse.de>
* NEWS: Fix typos.
if (value == nullptr)
return -1;
- win->window->title = value.get ();
+ win->window->title = value.release ();
return 0;
}
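
Review bot: At the added `win->window->title = value.release ();` line, ownership of the xmalloc'd buffer moves to the window, but nothing in this hunk frees the title that was there before. If title is a raw pointer, a second call to gdbpy_tui_set_title on the same window overwrites and leaks the previous buffer, and the window's teardown path also has to free the last one. Consider calling xfree on the old value before the assignment, or making title an owning type (for example a gdb::unique_xmalloc_ptr<char> member) so the assignment and the destructor handle this automatically.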