Re: [Crash-utility] [PATCH] GDB: fix completion related libstdc++ assert

Sun, 23 Jan 2022 20:59:25 -0800 

-----Original Message-----
>       > diff --git a/gdb-10.2.patch b/gdb-10.2.patch
>       > index 1332b6638028..16165839b360 100644
>       > --- a/gdb-10.2.patch
>       > +++ b/gdb-10.2.patch
>       > @@ -1591,3 +1591,32 @@
>       >     max += 2;
>       >     limit = cols / max;
>       >     if (limit != 1 && (limit * max == cols))
>       > +--- gdb-10.2/gdb/ada-lang.c.orig
>       > ++++ gdb-10.2/gdb/ada-lang.c
>       > +@@ -997,7 +997,7 @@ ada_fold_name (gdb::string_view name)
>       > +   int len = name.size ();
>       > +   GROW_VECT (fold_buffer, fold_buffer_size, len + 1);
>       > +
>       > +-  if (name[0] == '\'')
>       > ++  if (name.size () > 0 && name[0] == '\'')
>       > +     {
>       > +       strncpy (fold_buffer, name.data () + 1, len - 2);
>       > +       fold_buffer[len - 2] = '\000';
>       > +@@ -1006,7 +1006,7 @@ ada_fold_name (gdb::string_view name)
>       > +     {
>       > +       int i;
>       > +
>       > +-      for (i = 0; i <= len; i += 1)
>       > ++      for (i = 0; i < len; i++)
>       > +         fold_buffer[i] = tolower (name[i]);
> 
>       According to 2ccee230f830 ("Fix off-by-one error in ada_fold_name"),
>       please add this:
> 
>       +      fold_buffer[i] = '\0';
> 
> 
> 
> No,  the above change will definitely cause a core dump because it assigns 
> the value '\0' to a null pointer
> when the name string is null.

Hmm, I'm not familiar with gdb source, could you explain a little more?
The following is the function with your patch.

static char *
ada_fold_name (gdb::string_view name)
{
  static char *fold_buffer = NULL;
  static size_t fold_buffer_size = 0;

  int len = name.size ();
  GROW_VECT (fold_buffer, fold_buffer_size, len + 1);

  if (name.size () > 0 && name[0] == '\'')
    { 
      strncpy (fold_buffer, name.data () + 1, len - 2);
      fold_buffer[len - 2] = '\000';
    }
  else
    { 
      int i;

      for (i = 0; i < len; i++)
        fold_buffer[i] = tolower (name[i]);
    }

  return fold_buffer;
}

The GROW_VECT() looks to alloc 1 byte to fold_buffer if name.size() is zero.
Then len is zero, and nothing is done in the for loop, and fold_buffer[i]
(== fold_buffer[0]) can be set '\0', I thought.

>       +      fold_buffer[i] = '\0';

And as far as I've tried, no abort occured.

Thanks,
Kazu


--
Crash-utility mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/crash-utility

Reply via email to