[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-readline] heap-buffer-overflow in update_line
From: |
Tom de Vries |
Subject: |
Re: [Bug-readline] heap-buffer-overflow in update_line |
Date: |
Thu, 23 May 2019 21:28:45 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 |
On 23-05-19 14:38, Chet Ramey wrote:
> On 5/23/19 3:33 AM, Tom de Vries wrote:
>
>> Using this additional bit:
>> ...
>> @@ -528,6 +533,8 @@ rl_redisplay ()
>> init_line_structures (0);
>> rl_on_new_line ();
>> }
>> + else if (line_size <= _rl_screenwidth)
>> + init_line_structures (_rl_screenwidth + 1);
>>
>> /* Draw the line into the buffer. */
>> cpos_buffer_position = -1;
>> ...
>> I managed to fix the assert also in this scenario, and managed to run
>> the entire gdb testsuite without triggering the assert.
>>
>> Is that a good code change?
>
> It looks like it will solve that problem, and perhaps more. Thanks for the
> patch.
I did a further test-run to see if the original problem (PR24514 -
heap-buffer-overflow in update_line for utf8-identifiers.exp:
https://sourceware.org/bugzilla/show_bug.cgi?id=24514 ) was fixed, which
turned out not to be the case.
I've analyzed this, and found it to be caused by the
init_line_structures part of the patch changing line_size, which does
not force a reallloc. I've fixed this by changing minsize instead.
Attached patch passes gdb regression testsuite with the assert enabled,
and with gdb build with -fsanitize=address.
Thanks,
- Tom
tentative
---
readline/display.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/readline/display.c b/readline/display.c
index 712ca79b6d..f34ad05444 100644
--- a/readline/display.c
+++ b/readline/display.c
@@ -452,6 +452,9 @@ init_line_structures (minsize)
{
register int n;
+ if (minsize <= _rl_screenwidth) /* XXX - for gdb */
+ minsize = _rl_screenwidth + 1;
+
if (invisible_line == 0) /* initialize it */
{
if (line_size < minsize)
@@ -528,6 +531,8 @@ rl_redisplay ()
init_line_structures (0);
rl_on_new_line ();
}
+ else if (line_size <= _rl_screenwidth)
+ init_line_structures (_rl_screenwidth + 1);
/* Draw the line into the buffer. */
cpos_buffer_position = -1;
- [Bug-readline] heap-buffer-overflow in update_line, Tom de Vries, 2019/05/08
- Re: [Bug-readline] heap-buffer-overflow in update_line, Chet Ramey, 2019/05/16
- Re: [Bug-readline] heap-buffer-overflow in update_line, Tom de Vries, 2019/05/17
- Re: [Bug-readline] heap-buffer-overflow in update_line, Chet Ramey, 2019/05/17
- Re: [Bug-readline] heap-buffer-overflow in update_line, Chet Ramey, 2019/05/20
- Re: [Bug-readline] heap-buffer-overflow in update_line, Tom de Vries, 2019/05/23
- Re: [Bug-readline] heap-buffer-overflow in update_line, Chet Ramey, 2019/05/23
- Re: [Bug-readline] heap-buffer-overflow in update_line,
Tom de Vries <=
- Re: [Bug-readline] heap-buffer-overflow in update_line, Chet Ramey, 2019/05/24