When building gdb with address sanitizer and running test-case
gdb.base/completion.exp, we run into:
...
==5743==ERROR: AddressSanitizer: heap-buffer-overflow on address \
0x60200025c02f at pc 0x000000cd9d64 bp 0x7fff3297da30 sp 0x7fff3297da28
READ of size 1 at 0x60200025c02f thread T0
#0 0xcd9d63 in completion_tracker::build_completion_result(char const*, \
int, int) gdb/completer.c:2258
...
0x60200025c02f is located 1 bytes to the left of 1-byte region \
[0x60200025c030,0x60200025c031)
...
This can be reproduced using just:
...
$ gdb
(gdb) p/d[TAB]
...
The problem is in this code in completion_tracker::build_completion_result:
...
bool completion_suppress_append
= (suppress_append_ws ()
|| match_list[0][strlen (match_list[0]) - 1] == ' ');
...
If strlen (match_list[0]) == 0, then we access match_list[0][-1].
Fix this by testing if the memory access is in bounds before doing the memory
access.
Tested on x86_64-linux.
gdb/ChangeLog:
2020-12-04 Tom de Vries <tdevries@suse.de>
PR gdb/27003
* completer.c (completion_tracker::build_completion_result): Don't
access match_list[0][-1].
+2020-12-04 Tom de Vries <tdevries@suse.de>
+
+ PR gdb/27003
+ * completer.c (completion_tracker::build_completion_result): Don't
+ access match_list[0][-1].
+
2020-12-04 Tom Tromey <tromey@adacore.com>
* linespec.c (struct linespec_token): Rename; remove typedef.
/* If the tracker wants to, or we already have a space at the
end of the match, tell readline to skip appending
another. */
+ char *match = match_list[0];
bool completion_suppress_append
= (suppress_append_ws ()
- || match_list[0][strlen (match_list[0]) - 1] == ' ');
+ || (match[0] != '\0'
+ && match[strlen (match) - 1] == ' '));
return completion_result (match_list, 1, completion_suppress_append);
}
projects / binutils-gdb.git / commitdiff