From: Tom Tromey
To: gdb-patches@sourceware.org
Cc: Tom Tromey
Subject: [PATCH] Avoid buffer overflow in ada_decode
Date: Wed, 16 Aug 2023 11:31:33 -0600
Message-Id: <20230816173133.867606-1-tromey@adacore.com>

A bug report pointed out a buffer overflow in ada_decode, which Keith
helpfully analyzed.

ada_decode had a logic error when the input was all digits.  While this
isn't valid -- and would probably only appear in fuzzer tests -- it still
should be handled properly.  This patch adds a missing bounds check.

Tested with the self-tests in an asan build.

Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639
---
 gdb/ada-lang.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c
index 1261ee8fa05..6e8d98bf4ea 100644
--- a/gdb/ada-lang.c
+++ b/gdb/ada-lang.c
@@ -57,6 +57,7 @@ #include "cli/cli-utils.h" #include "gdbsupport/function-view.h" #include "gdbsupport/byte-vector.h" +#include "gdbsupport/selftest.h" #include #include "ada-exp.h" #include "charset.h" @@ -1377,7 +1378,7 @@ ada_decode (const char *encoded, bool wrap, bool operators) i -= 1; if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') len0 = i - 1; - else if (encoded[i] == '$') + else if (i >= 0 && encoded[i] == '$') len0 = i; } @@ -1574,6 +1575,18 @@ ada_decode (const char *encoded, bool wrap, bool operators) return decoded; } +#ifdef GDB_SELF_TEST + +static void +ada_decode_tests () +{ + /* This isn't valid, but used to cause a crash. PR gdb/30639. The + result does not really matter very much. */ + SELF_CHECK (ada_decode ("44") == "44"); +} + +#endif + /* Table for keeping permanent unique copies of decoded names. Once allocated, names in this table are never released. While this is a storage leak, it should not be significant unless there are massive @@ -13977,4 +13990,8 @@ DWARF attribute."), gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang"); gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang"); gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang"); + +#ifdef GDB_SELF_TEST + selftests::register_test ("ada-decode", ada_decode_tests); +#endif } -- 2.40.1
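Review bot: in the first hunk the new `#include "gdbsupport/selftest.h"` is unconditional, while both things it serves in this patch (ada_decode_tests and the selftests::register_test call) sit under `#ifdef GDB_SELF_TEST`. That is harmless, but if the file guards self-test-only headers the same way elsewhere, wrap the include for consistency; otherwise leave it.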
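Review bot: in the @@ -1377 hunk the added guard on `else if (i >= 0 && encoded[i] == '$')` is the whole fix, but nothing in the hunk records why i can be negative: the loop that ends in the visible `i -= 1;` walks back over digits, and when every character of the name is a digit it leaves i == -1, so the old `encoded[i] == '$'` read one byte before the start of the buffer. A one-line comment above the `if` saying that i is -1 for an all-digit name (PR gdb/30639) would keep a later reader from "simplifying" the guard away. The first branch's `i > 1` already protects its own `encoded[i - 1]` read, so only the `$` branch needed the change.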
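Review bot: in the @@ -1574 hunk the comment in ada_decode_tests says "The result does not really matter very much", yet `SELF_CHECK (ada_decode ("44") == "44");` pins the exact decoded string, so a later deliberate change in how an invalid all-digit name decodes would fail this test for a reason unrelated to the crash it guards against. Either say in the comment that the expectation is the current pass-through behaviour, or relax the check to one that does not depend on the decoding of an invalid name.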
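As an added example that is not gdb's code: a self-contained C re-creation of the suffix-stripping step the @@ -1377 hunk touches, written so that the out-of-range read is counted rather than performed (standing in for the ASan report the commit message mentions). The enclosing `len0 > 1` test, the digit-walking loop and the names `strip_trailing_digits`, `checked_at` and `oob_reads_for` are assumptions about lines the hunk does not show; only the two `if`/`else if` lines mirror the visible context. Passing `fixed == 0` reproduces the pre-patch comparison, `fixed == 1` the guarded one.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Counts every read that falls outside [0, len) instead of performing it.
   This stands in for what AddressSanitizer would report; the real code
   simply reads the byte.  */
static int oob_reads = 0;

static char checked_at (const char *s, size_t len, int i)
{
  if (i < 0 || (size_t) i >= len)
    {
      oob_reads++;
      return '\0';      /* never dereference out of range */
    }
  return s[i];
}

/* Return the length that remains after dropping a trailing "__<digits>"
   or "$<digits>" suffix from ENCODED.  With FIXED == 0 the '$' comparison
   is unguarded as in the pre-patch code; with FIXED == 1 it carries the
   "i >= 0" guard the patch adds.  The "len0 > 1" test and the digit loop
   are assumptions (constructed here, not copied from gdb); only the two
   if/else-if lines mirror the hunk's visible context.  */
static size_t strip_trailing_digits (const char *encoded, int fixed)
{
  size_t len0 = strlen (encoded);
  int i;

  if (len0 > 1 && isdigit ((unsigned char) encoded[len0 - 1]))
    {
      i = (int) len0 - 2;
      /* Walk back over the digits.  When every character is a digit this
         leaves i == -1: the all-digits case from the bug report.  */
      while (i >= 0 && isdigit ((unsigned char) encoded[i]))
        i -= 1;

      if (i > 1 && checked_at (encoded, len0, i) == '_'
          && checked_at (encoded, len0, i - 1) == '_')
        len0 = (size_t) i - 1;
      else if ((!fixed || i >= 0) && checked_at (encoded, len0, i) == '$')
        len0 = (size_t) i;
    }
  return len0;
}

/* Run one input through the chosen variant and report how many
   out-of-range reads it attempted.  */
static int oob_reads_for (const char *encoded, int fixed)
{
  oob_reads = 0;
  (void) strip_trailing_digits (encoded, fixed);
  return oob_reads;
}

int main (void)
{
  /* Constructed sample names: two valid suffixes, no suffix, all digits.  */
  const char *inputs[] = { "foo__12", "bar$7", "plain", "44" };
  size_t n;

  for (n = 0; n < sizeof inputs / sizeof inputs[0]; n++)
    printf ("%-8s keep %zu bytes; oob reads: unguarded=%d guarded=%d\n",
            inputs[n], strip_trailing_digits (inputs[n], 1),
            oob_reads_for (inputs[n], 0), oob_reads_for (inputs[n], 1));
  return 0;
}
```

Only the all-digit input trips the counter, and only in the unguarded variant; the valid `__12` and `$7` suffixes are stripped identically by both, which is why the patch can add the guard without changing any decoded name.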