From: Andrew Burgess Date: Fri, 5 Jun 2020 17:13:09 +0000 (+0100) Subject: gdb/python: Avoid use after free in py-tui.c X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=982a38f60b0ece9385556cff45567e06710478cb;p=binutils-gdb.git gdb/python: Avoid use after free in py-tui.c When setting the window title of a tui frame we do this: gdb::unique_xmalloc_ptr value = python_string_to_host_string (); ... win->window->title = value.get (); The problem here is that 'get ()' only borrows the pointer from value, when value goes out of scope the pointer will be freed. As a result, the tui frame will be left with a pointer to undefined memory contents. Instead we should be using 'value.release ()' to take ownership of the pointer from value. gdb/ChangeLog: * python/py-tui.c (gdbpy_tui_set_title): Use release, not get, to avoid use after free. --- diff --git a/gdb/ChangeLog b/gdb/ChangeLog index 4c3de11d522..1d486c4b300 100644 --- a/gdb/ChangeLog +++ b/gdb/ChangeLog @@ -1,3 +1,8 @@ +2020-06-05 Andrew Burgess + + * python/py-tui.c (gdbpy_tui_set_title): Use release, not get, to + avoid use after free. + 2020-06-05 Tom de Vries * NEWS: Fix typos. diff --git a/gdb/python/py-tui.c b/gdb/python/py-tui.c index ca88f85eb9f..f2c03395a0b 100644 --- a/gdb/python/py-tui.c +++ b/gdb/python/py-tui.c @@ -433,7 +433,7 @@ gdbpy_tui_set_title (PyObject *self, PyObject *newvalue, void *closure) if (value == nullptr) return -1; - win->window->title = value.get (); + win->window->title = value.release (); return 0; }
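Review bot: on the changed line in gdbpy_tui_set_title, `win->window->title = value.release ();` gives up the unique_xmalloc_ptr's ownership, but nothing visible in the hunk shows that `title` takes it or that the previous title is freed. The declaration of `title` is outside the context lines, so please confirm its type before this goes in. If it is a raw `char *`, every later call to the setter overwrites the old pointer and leaks it, so the old value needs an xfree before the assignment, or the member should become a gdb::unique_xmalloc_ptr so the ownership is explicit. If it is an owning string type such as std::string, the assignment from `value.get ()` already copied the bytes and there was no dangling pointer, in which case `release ()` leaks the buffer on every call and the original line should stay. A one-line comment at the assignment stating who owns the buffer would settle the question for the next reader.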