From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 317D63856965; Tue, 15 Aug 2023 18:11:36 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 317D63856965 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1692123096; bh=SGCEar2WvCM4xFlXCLPS4tGeJQWTiut1Z6heR282VYI=; h=From:To:Subject:Date:In-Reply-To:References:From; b=rQt6sXGOm3XXjJITljuwpSPHXBmHTZWaFPfpvNbEVSlUXARsD9qLwJLGFhYseRWz6 P4W+tQ+U+Hc/IffnFVgFp62puFHzdBEQzM6VB8ft9v8PftFrYhBUHk07JiMAQW+eeP AIEqRlWrXNP3JE2gt/dIFrH0XAdPlPg7i1fQjItY= From: "keiths at redhat dot com" To: gdb-prs@sourceware.org Subject: [Bug gdb/30639] AddressSanitizer: dynamic-stack-buffer-overflow /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/ada-lang.c:1388:16 in ada_decode[abi:cxx11](char const*, bool, bool) Date: Tue, 15 Aug 2023 18:11:34 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gdb X-Bugzilla-Component: gdb X-Bugzilla-Version: 13.1 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: keiths at redhat dot com X-Bugzilla-Status: NEW X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cf_reconfirmed_on everconfirmed bug_status Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://sourceware.org/bugzilla/show_bug.cgi?id=3D30639 Keith Seitz changed: What |Removed |Added ---------------------------------------------------------------------------- Last reconfirmed| |2023-08-15 Ever confirmed|0 |1 Status|UNCONFIRMED |NEW --- Comment #8 from Keith Seitz --- My apologies, this DOES reproduce (as Tom notes). The thing I ignored was ASAN. [The crash I reported was recently fixed by Alan Modra's "gdb: warn unused result for bfd IO functions".] [Probably TMI for Tom, but for anyone following along...] In process_coff_symbol, we are processing a symbol with name "44", i.e, just digits. The language of this objfile is language_unknown. process_coff_symbol calls general_symbol_info::compute_and_set_names. This eventually calls symbol_find_demangled_name with linkage_name_copy set to "44". Since the objfile's language is unknown, symbol_find_linkage_n= ame iterates over all languages, calling the language's sniff_from_mangled_name method. This does nothing for all the languages until it hits language_ada. ada_language::sniff_from_mangled immediately calls ada_decode. The code here essentially skips to the last block which attempts to remove trailing digits: 1370 /* Remove trailing __{digit}+ or trailing ${digit}+. */ 1371 1372 if (len0 > 1 && isdigit (encoded[len0 - 1])) 1373 { 1374 i =3D len0 - 2; 1375 while ((i >=3D 0 && isdigit (encoded[i])) 1376 || (i >=3D 1 && encoded[i] =3D=3D '_' && isdigit (encoded= [i - 1]))) 1377 i -=3D 1; 1378 if (i > 1 && encoded[i] =3D=3D '_' && encoded[i - 1] =3D=3D '_') 1379 len0 =3D i - 1; 1380 else if (encoded[i] =3D=3D '$') 1381 len0 =3D i; 1382 } When we get to 1372, len0 is strlen("44") which is 2. encoded[2 - 1] =3D "4= " is a digit, and we set i =3D len0 - 2 =3D 0. Now the while loop: i =3D=3D 0 and encoded[0] is "4", so that passes the fi= rst test, and we subtract 1 from i, setting it to -1. Now i is no longer >=3D 0 or >=3D 1, so the while loop escapes. Finally, we hit the final "else if" encoded[-1] =3D=3D '$' on line 1380, which causes the observed buffer overf= low. --=20 You are receiving this mail because: You are on the CC list for the bug.=