From: Andrew Burgess <andrew.burgess@embecosm.com>
Date: Fri, 5 Jun 2020 17:13:09 +0000 (+0100)
Subject: gdb/python: Avoid use after free in py-tui.c
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=982a38f60b0ece9385556cff45567e06710478cb;p=binutils-gdb.git

gdb/python: Avoid use after free in py-tui.c

When setting the window title of a tui frame we do this:

  gdb::unique_xmalloc_ptr<char> value
    = python_string_to_host_string (<python-object>);
  ...
  win->window->title = value.get ();

The problem here is that 'get ()' only borrows the pointer from value,
when value goes out of scope the pointer will be freed.  As a result,
the tui frame will be left with a pointer to undefined memory
contents.

Instead we should be using 'value.release ()' to take ownership of the
pointer from value.

gdb/ChangeLog:

	* python/py-tui.c (gdbpy_tui_set_title): Use release, not get, to
	avoid use after free.
---

diff --git a/gdb/ChangeLog b/gdb/ChangeLog
index 4c3de11d522..1d486c4b300 100644
--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
@@ -1,3 +1,8 @@
+2020-06-05  Andrew Burgess  <andrew.burgess@embecosm.com>
+
+	* python/py-tui.c (gdbpy_tui_set_title): Use release, not get, to
+	avoid use after free.
+
 2020-06-05  Tom de Vries  <tdevries@suse.de>
 
 	* NEWS: Fix typos.
diff --git a/gdb/python/py-tui.c b/gdb/python/py-tui.c
index ca88f85eb9f..f2c03395a0b 100644
--- a/gdb/python/py-tui.c
+++ b/gdb/python/py-tui.c
@@ -433,7 +433,7 @@ gdbpy_tui_set_title (PyObject *self, PyObject *newvalue, void *closure)
   if (value == nullptr)
     return -1;
 
-  win->window->title = value.get ();
+  win->window->title = value.release ();
   return 0;
 }