From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: by sourceware.org (Postfix, from userid 48) id 444523858417; Sun, 28 May 2023 08:18:03 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 444523858417
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1685261883; bh=tgNaGmtZO8SOvDZf5lqHaAbiNiUVKSSsDmKv2GBrms8=; h=From:To:Subject:Date:In-Reply-To:References:From; b=jHGdFbqELThQ5UG+3TlWn59hamFjR+nZtro2ipSEZhNmZSzmHzfWZe5Kpvo6bS1zU78qZHvjMZ6nDKaggVIkpnH6sD19sXr2Y3yiArF5A4Ap1lclHvmU5B2C5ABvLOug5DFkM0K21Sdlj0LQJH6vrFGmM457EzLCW+h09cUe/TA=
From: "cvs-commit at gcc dot gnu.org"
To: gdb-prs@sourceware.org
Subject: [Bug tui/30056] double free when using reverse-search for a previous command and Ctrl-C
Date: Sun, 28 May 2023 08:17:52 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gdb
X-Bugzilla-Component: tui
X-Bugzilla-Version: 12.1
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: NEW
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id:

https://sourceware.org/bugzilla/show_bug.cgi?id=30056

--- Comment #8 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Tom de Vries :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=85f4cf41a852b5983ca436615a019315f6dc7301

commit 85f4cf41a852b5983ca436615a019315f6dc7301
Author: Tom de Vries
Date:   Sun May 28 10:17:57 2023 +0200

[readline] Fix double free in _rl_scxt_dispose

Consider the following scenario.

We start gdb in TUI mode:
...
$ gdb -q -tui
...
and type ^R which gives us the reverse-isearch prompt in the cmd window:
...
(reverse-i-search)`':
...
and then type "foo", right-arrow-key, and ^C.

In TUI mode, gdb uses a custom rl_getc_function tui_getc.

When pressing the right-arrow-key, tui_getc:
- attempts to scroll the TUI src window, without any effect, and
- returns 0.

The intention of returning 0 is mentioned here in tui_dispatch_ctrl_char:
...
      /* We intercepted the control character, so return 0 (which readline
         will interpret as a no-op).  */
      return 0;
...

However, after this 0 is returned by the rl_read_key () call in
_rl_search_getchar, _rl_read_mbstring is called, which incorrectly
interprets 0 as the first part of a UTF-8 multibyte char, and tries to read
the next char.

In this state, the ^C takes effect and we run into a double free because
_rl_isearch_cleanup is called twice.

Both these issues need fixing independently, though after fixing the first
we no longer trigger the second.

The first issue is caused by the subtle difference between:
- a char array containing 0 chars, which is zero-terminated, and
- a char array containing 1 char, which is zero.

In mbrtowc terms, this is the difference between:
...
  mbrtowc (&wc, "", 0, &ps);
...
which returns -2, and:
...
  mbrtowc (&wc, "", 1, &ps);
...
which returns 0.

Note that _rl_read_mbstring calls _rl_get_char_len without passing it an
explicit length parameter, and consequently it cannot distinguish between
the two, and defaults to the "0 chars" choice.

Note that the same problem doesn't exist in _rl_read_mbchar.

Fix this by defaulting to the "1 char" choice in _rl_get_char_len:
...
- if (_rl_utf8locale && l > 0 && UTF8_SINGLEBYTE(*src))
+ if (_rl_utf8locale && l >= 0 && UTF8_SINGLEBYTE(*src))
...

The second problem happens when the call to _rl_search_getchar in
_rl_isearch_callback returns.  At that point _rl_isearch_cleanup has already
been called from the signal handler, but we proceed regardless, using a cxt
pointer that has been freed.
Fix this by checking for "RL_ISSTATE (RL_STATE_ISEARCH)" after the call to
_rl_search_getchar:
...
  c = _rl_search_getchar (cxt);
+ if (!RL_ISSTATE (RL_STATE_ISEARCH))
+ return 1;
...

Tested on x86_64-linux.

Approved-By: Chet Ramey

PR tui/30056
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30056

-- 
You are receiving this mail because:
You are on the CC list for the bug.
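Review bot: in the _rl_get_char_len hunk, `l >= 0` is a tautology if `l` holds the strlen() result (an unsigned size_t), so the guard reduces to `_rl_utf8locale && UTF8_SINGLEBYTE(*src)` and some compilers warn about the always-true comparison. Consider writing the condition in that reduced form and adding a one-line comment that a buffer holding only a NUL (length 0) is deliberately classified as one complete single-byte character, which is the "1 char" choice the message describes; the intent is otherwise easy to mistake for a typo of `l > 0`.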
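Review bot: the early `return 1` after `c = _rl_search_getchar (cxt);` in the _rl_isearch_callback hunk needs a comment stating the invariant it relies on: when RL_STATE_ISEARCH is no longer set, _rl_isearch_cleanup has already run from the signal handler and `cxt` is freed, so nothing after the check may touch it. The hunk also does not show what the caller does with a return value of 1, so a note on why 1 (and not the value used on the normal path) is the right result for "search already torn down" would help the next reader.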
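The mbrtowc distinction the commit message turns on, as an added example that is not readline's or gdb's code. It runs the two mbrtowc calls quoted in the message, then drives a small reader loop modelled on the "read another byte while the length function answers -2" pattern the message describes, once with a "0 chars" default length for a NUL-only buffer and once with the "1 char" default, so the extra read that let ^C land becomes visible as a byte count. Every name here (mbrtowc_kind, char_len_default_0chars, byte_source, read_one_char, ...) belongs to this example; the byte sequences are constructed, and the result of mbrtowc with n == 0 is taken to be -2 as the message states.

```c
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define MAX_BYTES 8

/* Collapse an mbrtowc result for the first n bytes of src into an int:
   -2 incomplete (caller must read more), -1 invalid, 0 the NUL character,
   k > 0 a complete k-byte character.  A fresh state is used each call,
   matching a reader that reclassifies from the start of its buffer. */
int mbrtowc_kind(const char *src, size_t n)
{
    mbstate_t ps;
    wchar_t wc;
    memset(&ps, 0, sizeof ps);
    size_t r = mbrtowc(&wc, src, n, &ps);
    if (r == (size_t)-2) return -2;
    if (r == (size_t)-1) return -1;
    return (int)r;
}

/* "0 chars" default (pre-fix behaviour in the message): with no explicit
   length the buffer length is strlen(), so a buffer holding only a NUL is
   handed to mbrtowc with n == 0 and reported as incomplete (-2). */
int char_len_default_0chars(const char *buf)
{
    return mbrtowc_kind(buf, strlen(buf));
}

/* "1 char" default (post-fix behaviour): a NUL-only buffer counts as one
   byte, so mbrtowc sees n == 1 and reports the NUL character (0). */
int char_len_default_1char(const char *buf)
{
    size_t n = strlen(buf);
    return mbrtowc_kind(buf, n == 0 ? 1 : n);
}

/* Constructed stand-in for the key source: the bytes a getc-style callback
   hands back, such as the 0 that tui_getc returns for a swallowed arrow key. */
typedef struct {
    const unsigned char *bytes;
    size_t len;
    size_t pos;
} byte_source;

/* Reader modelled on the multibyte loop the message describes: take a byte,
   ask the length function whether the buffer is a complete character, and go
   back to the source while it answers -2.  Returns how many bytes it consumed,
   so the caller can see whether a lone 0 byte triggered an extra read. */
size_t read_one_char(byte_source *src, int (*char_len)(const char *))
{
    char mb[MAX_BYTES + 1];
    size_t consumed = 0;
    memset(mb, 0, sizeof mb);
    while (consumed < MAX_BYTES && src->pos < src->len) {
        mb[consumed++] = (char)src->bytes[src->pos++];
        if (char_len(mb) != -2)
            break;              /* complete character, NUL, or invalid: stop */
        /* -2: the reader asks the source for a continuation byte */
    }
    return consumed;
}

/* Convenience wrapper: bytes consumed when reading one character from the
   given constructed byte sequence with the given length function. */
size_t consumed_for(const unsigned char *bytes, size_t len,
                    int (*char_len)(const char *))
{
    byte_source src = { bytes, len, 0 };
    return read_one_char(&src, char_len);
}

/* Select a UTF-8 locale so multibyte input is meaningful; 1 on success. */
int select_utf8_locale(void)
{
    static const char *const names[] = { "C.UTF-8", "C.utf8", "en_US.UTF-8", "en_US.utf8", NULL };
    for (int i = 0; names[i] != NULL; i++)
        if (setlocale(LC_CTYPE, names[i]) != NULL)
            return 1;
    return 0;
}

int main(void)
{
    /* The two calls from the commit message. */
    printf("mbrtowc(\"\", 0) -> %d, mbrtowc(\"\", 1) -> %d\n",
           mbrtowc_kind("", 0), mbrtowc_kind("", 1));
    /* Constructed input: the 0 from a swallowed arrow key followed by 'f'.
       The "0 chars" default reads past the 0 looking for a continuation
       byte; the "1 char" default stops after the 0. */
    const unsigned char keys[] = { 0, 'f' };
    printf("bytes consumed: 0-chars default %zu, 1-char default %zu\n",
           consumed_for(keys, sizeof keys, char_len_default_0chars),
           consumed_for(keys, sizeof keys, char_len_default_1char));
    if (select_utf8_locale()) {
        /* Constructed input: U+00E9 as C3 A9; the first byte alone really is
           incomplete, so both defaults read the second byte. */
        const unsigned char e_acute[] = { 0xC3, 0xA9 };
        printf("U+00E9 consumed: %zu\n",
               consumed_for(e_acute, sizeof e_acute, char_len_default_1char));
    }
    return 0;
}
```

The reader loop is deliberately the only place a "-2" result has an effect: that is the one answer that sends control back to the key source, which is where a pending ^C is acted on, so the two byte counts for the same two-byte input are the whole difference between the buggy and the fixed classification.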