[2/3] Fix buffer underflow in add_path

Message ID 20210503193206.4008066-3-tromey@adacore.com
State New
Series
  • Fix some sanitizer errors

Commit Message

Tom Tromey May 3, 2021, 7:32 p.m.
Address sanitizer pointed out a buglet in source.c:add_path.
In this test, from gdb.base/source-dir.exp:

    (gdb) set directories :/foo:/bar

... 'p[-1]' will result in a buffer underflow.
This patch fixes the bug by introducing a new check.

gdb/ChangeLog
2021-05-03  Tom Tromey  <tromey@adacore.com>

	* source.c (add_path): Check 'p' before using 'p[-1]'.
---
 gdb/ChangeLog | 4 ++++
 gdb/source.c  | 1 +
 2 files changed, 5 insertions(+)

-- 
2.26.3

Comments

Tom de Vries May 6, 2021, 2:53 p.m. | #1
On 5/3/21 9:32 PM, Tom Tromey wrote:
> Address sanitizer pointed out a buglet in source.c:add_path.
> In this test, from gdb.base/source-dir.exp:
>
>     (gdb) set directories :/foo:/bar
>
> ... 'p[-1]' will result in a buffer underflow.
> This patch fixes the bug by introducing a new check.
>

I also ran into this and came up with the same solution.  LGTM.

Thanks,
- Tom

> gdb/ChangeLog
> 2021-05-03  Tom Tromey  <tromey@adacore.com>
>
> 	* source.c (add_path): Check 'p' before using 'p[-1]'.
> ---
>  gdb/ChangeLog | 4 ++++
>  gdb/source.c  | 1 +
>  2 files changed, 5 insertions(+)
>

> diff --git a/gdb/source.c b/gdb/source.c

> index 6fc27ae72f7..b6dab6eb236 100644

> --- a/gdb/source.c

> +++ b/gdb/source.c

> @@ -537,6 +537,7 @@ add_path (const char *dirname, char **which_path, int parse_separators)

>        /* On MS-DOS and MS-Windows, h:\ is different from h: */

>  	     && !(p == name + 3 && name[1] == ':')		/* "d:/" */

>  #endif

> +	     && p > name

>  	     && IS_DIR_SEPARATOR (p[-1]))

>  	/* Sigh.  "foo/" => "foo" */

>  	--p;

>

Patch

diff --git a/gdb/source.c b/gdb/source.c
index 6fc27ae72f7..b6dab6eb236 100644
--- a/gdb/source.c
+++ b/gdb/source.c
@@ -537,6 +537,7 @@  add_path (const char *dirname, char **which_path, int parse_separators)
       /* On MS-DOS and MS-Windows, h:\ is different from h: */
 	     && !(p == name + 3 && name[1] == ':')		/* "d:/" */
 #endif
+	     && p > name
 	     && IS_DIR_SEPARATOR (p[-1]))
 	/* Sigh.  "foo/" => "foo" */
 	--p;
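
Review bot: the added `&& p > name` line, unlike the `/* "d:/" */` condition just above it, carries no comment, and nothing records that it has to stay ahead of `IS_DIR_SEPARATOR (p[-1])` in the `&&` chain. A short comment on that line, for example `/* Don't read before the start of NAME.  */`, would keep a later reordering from reintroducing the `p[-1]` read when `p == name`, which is the case the commit message reports for `set directories :/foo:/bar`. Placing the check after `#endif` looks right, since it then applies on every host and not only inside the DOS-specific block.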