public inbox for gdb-prs@sourceware.org
* [Bug gdb/10684] New: gdb crashes when given enough multiline input
From: john dot wright at hp dot com @ 2009-09-22 23:45 UTC (permalink / raw)
  To: gdb-prs

 

-- 
           Summary: gdb crashes when given enough multiline input
           Product: gdb
           Version: 6.8
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
        AssignedTo: unassigned at sourceware dot org
        ReportedBy: john dot wright at hp dot com
                CC: gdb-prs at sourceware dot org


http://sourceware.org/bugzilla/show_bug.cgi?id=10684

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



* [Bug gdb/10684] gdb crashes when given enough multiline input
From: john dot wright at hp dot com @ 2009-09-22 23:55 UTC (permalink / raw)
  To: gdb-prs


------- Additional Comments From john dot wright at hp dot com  2009-09-22 23:55 -------
(Sorry for lack of original description - I hit enter accidentally.)

If you enter a long multi-line command in gdb, it will often crash.  I'm
attaching an expect script that consistently crashes gdb for me (both on
Debian's version 6.8-3 and 6.8.50.20090628-4, and on CVS head
(7.0.50.20090922-cvs), on amd64 and i386).

The problem seems to be an strdup in command_line_handler in gdb/event-top.c
that uses a source that is not nul-terminated.  If the last line of the input is
a backslash, it copies the current linebuffer into the global
readline_input_state.linebuffer using strdup, and sets the global more_to_come
to 1.  Next time that function is called, it sees more_to_come is true, and
strcpy's readline_input_state.linebuffer into linebuffer -- but linebuffer has
been allocated to something smaller than what's in readline_input_state, since
it was strdup'd from a string that wasn't nul-terminated.  Eventually
(especially if you continue the line enough times), this will corrupt the heap
and cause gdb to crash.

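The corruption sequence described in the comment above, as an added example that is not GDB's own code: a small C model of a line buffer that tracks its fill level but is not NUL-terminated when it is strdup'd, so the copy runs into stale bytes and a later strcpy of that copy back into the fixed-size buffer would overflow it.  struct linebuf, save_continuation_unsafe/safe and restore_fits are invented names; the over-read is confined to a guard region the example allocates itself, and the restore is checked rather than performed, so the program is deterministic and never corrupts its own heap.

```c
/* Added example (not GDB code): model of the PR gdb/10684 pattern.
 * Input is appended to a buffer without a terminator; strdup() of that
 * buffer copies until the first zero byte it happens to find, and the
 * oversized copy then cannot be strcpy'd back into the original buffer.
 * Names below are invented for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct linebuf {
    char  *buf;   /* cap bytes of storage */
    size_t len;   /* bytes of valid input; buf[len] is NOT guaranteed to be 0 */
    size_t cap;   /* allocated size the restore step must fit in */
};

/* Constructed scenario: stale 'X' bytes follow the input (as left behind
 * by earlier, longer lines) and the first zero byte sits `junk` bytes
 * past cap, inside memory we own. */
static struct linebuf make_buffer(const char *text, size_t cap, size_t junk)
{
    struct linebuf lb;
    lb.buf = malloc(cap + junk + 1);
    memset(lb.buf, 'X', cap + junk);
    lb.buf[cap + junk] = '\0';
    lb.len = strlen(text);
    memcpy(lb.buf, text, lb.len);   /* append input, no terminator written */
    lb.cap = cap;
    return lb;
}

/* Vulnerable pattern: trusts a terminator that was never written. */
static char *save_continuation_unsafe(struct linebuf *lb)
{
    return strdup(lb->buf);
}

/* Fixed pattern (what the patch in this thread does): terminate at the
 * fill level first, then duplicate.  Caller guarantees len < cap. */
static char *save_continuation_safe(struct linebuf *lb)
{
    lb->buf[lb->len] = '\0';
    return strdup(lb->buf);
}

/* Would strcpy(lb->buf, saved) stay in bounds?  1 = fits, 0 = overflow.
 * Checked instead of executed so the demo never overruns memory. */
static int restore_fits(const struct linebuf *lb, const char *saved)
{
    return strlen(saved) + 1 <= lb->cap;
}

/* One continuation round: 11 bytes of input in a 64-byte buffer followed
 * by 32 bytes of junk.  Returns the saved length; *fits reports the check. */
static size_t round_trip(char *(*save)(struct linebuf *), int *fits)
{
    struct linebuf lb = make_buffer("list main \\", 64, 32);
    char *saved = save(&lb);
    size_t n = strlen(saved);
    *fits = restore_fits(&lb, saved);
    free(saved);
    free(lb.buf);
    return n;
}

static size_t unsafe_saved_len(void)  { int f; return round_trip(save_continuation_unsafe, &f); }
static int    unsafe_restore_fits(void) { int f; round_trip(save_continuation_unsafe, &f); return f; }
static size_t safe_saved_len(void)    { int f; return round_trip(save_continuation_safe, &f); }
static int    safe_restore_fits(void)   { int f; round_trip(save_continuation_safe, &f); return f; }

int main(void)
{
    printf("unsafe: saved %zu bytes, restore %s\n", unsafe_saved_len(),
           unsafe_restore_fits() ? "fits" : "OVERFLOWS");
    printf("safe:   saved %zu bytes, restore %s\n", safe_saved_len(),
           safe_restore_fits() ? "fits" : "OVERFLOWS");
    return 0;
}
```

The unsafe path saves 96 bytes (64 of buffer plus 32 of junk) for 11 bytes of real input, which is exactly why the real gdb crash needed a long first line and several continuation lines: the stale tail grows with earlier input and the mismatch only hits the heap once the copy no longer fits.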

* [Bug gdb/10684] gdb crashes when given enough multiline input
From: john dot wright at hp dot com @ 2009-09-23  0:05 UTC (permalink / raw)
  To: gdb-prs


------- Additional Comments From john dot wright at hp dot com  2009-09-23 00:05 -------
Created an attachment (id=4221)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=4221&action=view)
Test case

Usage: ./bug10684.exp [path/to/gdb]

Send gdb a long bogus multi-line command.  The first line is longer than 80
characters (this seems to be required to crash on amd64).  Each of the following
lines has between 40 and 70 "a" characters.  This almost always crashes for
me on the first iteration, but sometimes it doesn't, so this script tries 5
times.


* [Bug gdb/10684] gdb crashes when given enough multiline input
From: john dot wright at hp dot com @ 2009-09-23  0:12 UTC (permalink / raw)
  To: gdb-prs


------- Additional Comments From john dot wright at hp dot com  2009-09-23 00:12 -------
Created an attachment (id=4222)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=4222&action=view)
Proposed patch

command_handler: Terminate linebuffer before xstrdup

If a line ends in a backslash, we copy linebuffer into a global
readline_input_state variable, using xstrdup.  But the operations
leading to this point do not guarantee that linebuffer is terminated.
Thus, when we later use xstrcpy to copy it back into the linebuffer
variable, linebuffer will not have enough space allocated to hold
the result.

This patch ensures linebuffer is terminated before calling xstrdup.



* [Bug gdb/10684] gdb crashes when given enough multiline input
From: cvs-commit at gcc dot gnu dot org @ 2009-09-23 17:27 UTC (permalink / raw)
  To: gdb-prs


------- Additional Comments From cvs-commit at gcc dot gnu dot org  2009-09-23 17:27 -------
Subject: Bug 10684

CVSROOT:	/cvs/src
Module name:	src
Changes by:	tromey@sourceware.org	2009-09-23 17:27:39

Modified files:
	gdb            : ChangeLog event-top.c 

Log message:
	2009-09-23  John Wright  <john.wright@hp.com>
	
	PR gdb/10684:
	* event-top.c (command_line_handler): Terminate linebuffer before
	xstrdup.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/src/gdb/ChangeLog.diff?cvsroot=src&r1=1.10901&r2=1.10902
http://sources.redhat.com/cgi-bin/cvsweb.cgi/src/gdb/event-top.c.diff?cvsroot=src&r1=1.68&r2=1.69




* [Bug gdb/10684] gdb crashes when given enough multiline input
From: cvs-commit at gcc dot gnu dot org @ 2009-09-23 17:33 UTC (permalink / raw)
  To: gdb-prs


------- Additional Comments From cvs-commit at gcc dot gnu dot org  2009-09-23 17:33 -------
Subject: Bug 10684

CVSROOT:	/cvs/src
Module name:	src
Branch: 	gdb_7_0-branch
Changes by:	tromey@sourceware.org	2009-09-23 17:33:06

Modified files:
	gdb            : ChangeLog event-top.c 

Log message:
	2009-09-23  John Wright  <john.wright@hp.com>
	
	PR gdb/10684:
	* event-top.c (command_line_handler): Terminate linebuffer before
	xstrdup.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/src/gdb/ChangeLog.diff?cvsroot=src&only_with_tag=gdb_7_0-branch&r1=1.10874.2.19&r2=1.10874.2.20
http://sources.redhat.com/cgi-bin/cvsweb.cgi/src/gdb/event-top.c.diff?cvsroot=src&only_with_tag=gdb_7_0-branch&r1=1.68&r2=1.68.4.1




* [Bug gdb/10684] gdb crashes when given enough multiline input
From: tromey at redhat dot com @ 2009-09-23 17:34 UTC (permalink / raw)
  To: gdb-prs


------- Additional Comments From tromey at redhat dot com  2009-09-23 17:34 -------
Thanks, I checked in your patch.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|6.8                         |6.9


