[Bug gdb/24514] New: heap-buffer-overflow in update_line for utf8-identifiers.exp


[Bug gdb/24514] New: heap-buffer-overflow in update_line for utf8-identifiers.exp

Martin.Jansa at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24514

            Bug ID: 24514
           Summary: heap-buffer-overflow in update_line for
                    utf8-identifiers.exp
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: vries at gcc dot gnu.org
  Target Milestone: ---

If I build gdb with -fsanitize=address and run tests with "export
ASAN_OPTIONS=detect_leaks=0", I run into a heap-buffer-overflow failure for
gdb.base/utf8-identifiers.exp:
...
=================================================================
==22340==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x619000054a80 at pc 0x7fcd0306b4c9 bp 0x7fffb1a8d880 sp 0x7fffb1a8d030
READ of size 32766 at 0x619000054a80 thread T0
    #0 0x7fcd0306b4c8  (/usr/lib64/libasan.so.4+0xae4c8)
    #1 0x15f12a1 in update_line
/data/gdb_versions/devel/src/readline/display.c:1377
    #2 0x15f03cb in rl_redisplay
/data/gdb_versions/devel/src/readline/display.c:1204
    #3 0x15bf932 in readline_internal_setup
/data/gdb_versions/devel/src/readline/readline.c:394
    #4 0x15fe723 in _rl_callback_newline
/data/gdb_versions/devel/src/readline/callback.c:89
    #5 0x15fe7ef in rl_callback_handler_install
/data/gdb_versions/devel/src/readline/callback.c:102
    #6 0xd7bce6 in gdb_rl_callback_handler_install(char const*)
/data/gdb_versions/devel/src/gdb/event-top.c:319
    #7 0xd7c0c6 in display_gdb_prompt(char const*)
/data/gdb_versions/devel/src/gdb/event-top.c:409
    #8 0xd7d6c1 in command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&) /data/gdb_versions/devel/src/gdb/event-top.c:776
    #9 0xd7b92a in gdb_rl_callback_handler
/data/gdb_versions/devel/src/gdb/event-top.c:217
    #10 0x15ff479 in rl_callback_read_char
/data/gdb_versions/devel/src/readline/callback.c:220
    #11 0xd7b4d5 in gdb_rl_callback_read_char_wrapper_noexcept
/data/gdb_versions/devel/src/gdb/event-top.c:175
    #12 0xd7b6b5 in gdb_rl_callback_read_char_wrapper
/data/gdb_versions/devel/src/gdb/event-top.c:192
    #13 0xd7c8aa in stdin_event_handler(int, void*)
/data/gdb_versions/devel/src/gdb/event-top.c:514
    #14 0xd76ca7 in handle_file_event
/data/gdb_versions/devel/src/gdb/event-loop.c:731
    #15 0xd7751f in gdb_wait_for_event
/data/gdb_versions/devel/src/gdb/event-loop.c:857
    #16 0xd7547e in gdb_do_one_event()
/data/gdb_versions/devel/src/gdb/event-loop.c:321
    #17 0xd75526 in start_event_loop()
/data/gdb_versions/devel/src/gdb/event-loop.c:370
    #18 0x101b04c in captured_command_loop
/data/gdb_versions/devel/src/gdb/main.c:331
    #19 0x101de73 in captured_main /data/gdb_versions/devel/src/gdb/main.c:1173
    #20 0x101df03 in gdb_main(captured_main_args*)
/data/gdb_versions/devel/src/gdb/main.c:1188
    #21 0x872dba in main /data/gdb_versions/devel/src/gdb/gdb.c:32
    #22 0x7fcd00f2ff49 in __libc_start_main (/lib64/libc.so.6+0x20f49)
    #23 0x872bc9 in _start (/data/gdb_versions/devel/build/gdb/gdb+0x872bc9)

0x619000054a80 is located 0 bytes to the right of 1024-byte region
[0x619000054680,0x619000054a80)
allocated by thread T0 here:
    #0 0x7fcd03099510 in malloc (/usr/lib64/libasan.so.4+0xdc510)
    #1 0xae0078 in xmalloc
/data/gdb_versions/devel/src/gdb/common/common-utils.c:44
    #2 0x15eaccb in init_line_structures
/data/gdb_versions/devel/src/readline/display.c:458
    #3 0x15eb4d8 in rl_redisplay
/data/gdb_versions/devel/src/readline/display.c:526
    #4 0x15bf932 in readline_internal_setup
/data/gdb_versions/devel/src/readline/readline.c:394
    #5 0x15fe723 in _rl_callback_newline
/data/gdb_versions/devel/src/readline/callback.c:89
    #6 0x15fe7ef in rl_callback_handler_install
/data/gdb_versions/devel/src/readline/callback.c:102
    #7 0xd7bce6 in gdb_rl_callback_handler_install(char const*)
/data/gdb_versions/devel/src/gdb/event-top.c:319
    #8 0xd7c0c6 in display_gdb_prompt(char const*)
/data/gdb_versions/devel/src/gdb/event-top.c:409
    #9 0xaa041b in cli_interp_base::pre_command_loop()
/data/gdb_versions/devel/src/gdb/cli/cli-interp.c:286
    #10 0xf5342a in interp_pre_command_loop(interp*)
/data/gdb_versions/devel/src/gdb/interps.c:320
    #11 0x101b047 in captured_command_loop
/data/gdb_versions/devel/src/gdb/main.c:328
    #12 0x101de73 in captured_main /data/gdb_versions/devel/src/gdb/main.c:1173
    #13 0x101df03 in gdb_main(captured_main_args*)
/data/gdb_versions/devel/src/gdb/main.c:1188
    #14 0x872dba in main /data/gdb_versions/devel/src/gdb/gdb.c:32
    #15 0x7fcd00f2ff49 in __libc_start_main (/lib64/libc.so.6+0x20f49)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib64/libasan.so.4+0xae4c8)
Shadow bytes around the buggy address:
  0x0c3280002900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280002950:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280002960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280002970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c32800029a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22340==ABORTING
...

--
You are receiving this mail because:
You are on the CC list for the bug.

[Bug gdb/24514] heap-buffer-overflow in update_line for utf8-identifiers.exp

Martin.Jansa at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24514

--- Comment #1 from Tom de Vries <vries at gcc dot gnu.org> ---
I've translated the heap-buffer-overflow into a pair of asserts:
...
diff --git a/readline/display.c b/readline/display.c
index 9044305797..da3176cc3c 100644
--- a/readline/display.c
+++ b/readline/display.c
@@ -59,6 +59,8 @@
 #include "rlprivate.h"
 #include "xmalloc.h"

+#include "assert.h"
+
 #if !defined (strchr) && !defined (__STDC__)
 extern char *strchr (), *strrchr ();
 #endif /* !strchr && !__STDC__ */
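Review bot: the added `#include "assert.h"` uses the quoted form, which searches the including file's directory before the system include paths; the C standard header is conventionally spelled `#include <assert.h>`. Since this include only serves the diagnostic asserts in the next hunk, it should not land in the eventual fix.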
@@ -1201,6 +1203,10 @@ rl_redisplay ()
          forced_display = 0;
          o_cpos = _rl_last_c_pos;
          cpos_adjusted = 0;
+         assert (last_lmargin + (_rl_screenwidth + visible_wrap_offset)
+                 <= line_size);
+         assert (lmargin + (_rl_screenwidth + (lmargin ? 0 : wrap_offset))
+                 <= line_size);
          update_line (&visible_line[last_lmargin],
                       &invisible_line[lmargin],
                       0,
                       _rl_screenwidth + visible_wrap_offset,
                       _rl_screenwidth + (lmargin ? 0 : wrap_offset),
                       0);
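Review bot: the two added asserts detect the overrun but do not prevent it, and `assert` is compiled out whenever NDEBUG is defined, so they are a diagnostic rather than a fix; the invariant they spell out (the start index plus the `_rl_screenwidth`-derived length handed to update_line must not exceed line_size) has to be enforced where line_size is chosen, that is, when visible_line and invisible_line are allocated, and re-checked on the redisplay path if `_rl_screenwidth` can change afterwards. Note also that the hunk header `@@ -1201,6 +1203,10 @@` counts six old lines while nine context lines are shown, so this excerpt will not apply with `patch` as pasted.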
...

And it triggers standalone (that is, outside the testsuite) as follows:
...
$ TERM=dumb gdb -q -ex "set width 0"
gdb: /data/gdb_versions/devel/src/readline/display.c:1207: rl_redisplay:
Assertion `last_lmargin + (_rl_screenwidth + visible_wrap_offset) <= line_size'
failed.
Aborted (core dumped)
...


[Bug gdb/24514] heap-buffer-overflow in update_line for utf8-identifiers.exp

Martin.Jansa at gmail dot com
In reply to this post by Martin.Jansa at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24514

--- Comment #2 from Tom de Vries <vries at gcc dot gnu.org> ---
Filed PR at [hidden email] titled "heap-buffer-overflow in update_line".
No link yet.


[Bug gdb/24514] heap-buffer-overflow in update_line for utf8-identifiers.exp

Martin.Jansa at gmail dot com
In reply to this post by Martin.Jansa at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24514

--- Comment #3 from Tom de Vries <vries at gcc dot gnu.org> ---
(In reply to Tom de Vries from comment #2)
> Filed PR at [hidden email] titled "heap-buffer-overflow in
> update_line". No link yet.

https://lists.gnu.org/archive/html/bug-readline/2019-05/msg00001.html


[Bug gdb/24514] heap-buffer-overflow in update_line for utf8-identifiers.exp

Martin.Jansa at gmail dot com
In reply to this post by Martin.Jansa at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24514

Tom de Vries <vries at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |palves at redhat dot com

--- Comment #4 from Tom de Vries <vries at gcc dot gnu.org> ---
Reply at https://lists.gnu.org/archive/html/bug-readline/2019-05/msg00005.html :
...
On 5/8/19 4:10 PM, Tom de Vries wrote:

> Hi,
>
> when:
> - building trunk gdb (using the readline sources in the binutils-gdb.git
>   repo) on openSUSE 15.0 x86_64-linux with -fsanitize=address, and:
> - running gdb tests with "export ASAN_OPTIONS=detect_leaks=0",
> I run into a heap-buffer-overflow failure for
> gdb.base/utf8-identifiers.exp, reported as PR gdb/24514 -
> "heap-buffer-overflow in update_line for utf8-identifiers.exp"  at
> https://sourceware.org/bugzilla/show_bug.cgi?id=24514 .

                        [...]

> which triggers without needing the address sanitizer, like this:
> ...
> $ TERM=dumb gdb -q -ex "set width 0"
> gdb: /home/vries/readline/src/display.c:1393: rl_redisplay: Assertion
> `last_lmargin + (_rl_screenwidth + visible_wrap_offset) <= line_size'
> failed.
> Aborted (core dumped)

This looks like the same problem as described in

http://lists.gnu.org/archive/html/bug-readline/2019-03/msg00001.html

In this case, gdb sets the screen width to 32766, which is obviously
bonkers on a dumb terminal. Gdb should pass -1 to rl_set_screen_size
so readline doesn't override the number of columns on the physical
terminal.

I can look at making the redisplay code more resilient in the face of
huge values, but I'm sure there are a few places where it makes some
assumptions.
...


[Bug gdb/24514] heap-buffer-overflow in update_line for utf8-identifiers.exp

Martin.Jansa at gmail dot com
In reply to this post by Martin.Jansa at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24514

--- Comment #5 from Tom de Vries <vries at gcc dot gnu.org> ---
Tentative patch (using the bits in both init_line_structures and rl_redisplay)
here ( https://sourceware.org/ml/gdb-patches/2019-05/msg00532.html ).


[Bug gdb/24514] heap-buffer-overflow in update_line for utf8-identifiers.exp

Martin.Jansa at gmail dot com
In reply to this post by Martin.Jansa at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24514

--- Comment #6 from Tom de Vries <vries at gcc dot gnu.org> ---
Created attachment 11800
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11800&action=edit
Tentative patch


[Bug gdb/24514] heap-buffer-overflow in update_line for utf8-identifiers.exp

Martin.Jansa at gmail dot com
In reply to this post by Martin.Jansa at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24514

--- Comment #7 from Tom de Vries <vries at gcc dot gnu.org> ---
(In reply to Tom de Vries from comment #6)
> Created attachment 11800 [details]
> Tentative patch

Curiously, the patch fixes the assert (comment 1), but the original problem
(comment 0) still happens.


[Bug cli/24514] heap-buffer-overflow in update_line for utf8-identifiers.exp

Martin.Jansa at gmail dot com
In reply to this post by Martin.Jansa at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24514

Tom de Vries <vries at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|gdb                         |cli


[Bug cli/24514] heap-buffer-overflow in update_line for utf8-identifiers.exp

Martin.Jansa at gmail dot com
In reply to this post by Martin.Jansa at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24514

--- Comment #8 from Tom de Vries <vries at gcc dot gnu.org> ---
Patch submitted: https://sourceware.org/ml/gdb-patches/2019-05/msg00578.html


[Bug cli/24514] heap-buffer-overflow in update_line for utf8-identifiers.exp

Martin.Jansa at gmail dot com
In reply to this post by Martin.Jansa at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24514

--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tom de Vries <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=830b67068cebe7db0eb0db3fa19244e03859fae0

commit 830b67068cebe7db0eb0db3fa19244e03859fae0
Author: Tom de Vries <[hidden email]>
Date:   Fri Jul 12 09:53:02 2019 +0200

    [readline] Fix heap-buffer-overflow in update_line

    When:
    - building trunk gdb with '-fsanitize=address -lasan',
    - running gdb tests with "export ASAN_OPTIONS=detect_leaks=0",
    I run into a heap-buffer-overflow failure for
    gdb.base/utf8-identifiers.exp.

    In more detail, the libasan error report looks like this:
    ...
    =================================================================
    ==22340==ERROR: AddressSanitizer: heap-buffer-overflow on address
    0x619000054a80 at pc 0x7fcd0306b4c9 bp 0x7fffb1a8d880 sp 0x7fffb1a8d030
    READ of size 32766 at 0x619000054a80 thread T0
        #0 0x7fcd0306b4c8  (/usr/lib64/libasan.so.4+0xae4c8)
        #1 0x15f12a1 in update_line
    /data/gdb_versions/devel/src/readline/display.c:1377
        #2 0x15f03cb in rl_redisplay
    /data/gdb_versions/devel/src/readline/display.c:1204
        #3 0x15bf932 in readline_internal_setup
    /data/gdb_versions/devel/src/readline/readline.c:394
        #4 0x15fe723 in _rl_callback_newline
    /data/gdb_versions/devel/src/readline/callback.c:89
        #5 0x15fe7ef in rl_callback_handler_install
    /data/gdb_versions/devel/src/readline/callback.c:102
        #6 0xd7bce6 in gdb_rl_callback_handler_install(char const*)
    /data/gdb_versions/devel/src/gdb/event-top.c:319
        #7 0xd7c0c6 in display_gdb_prompt(char const*)
    /data/gdb_versions/devel/src/gdb/event-top.c:409
        #8 0xd7d6c1 in command_line_handler(std::unique_ptr<char,
    gdb::xfree_deleter<char> >&&)
    /data/gdb_versions/devel/src/gdb/event-top.c:776
        #9 0xd7b92a in gdb_rl_callback_handler
    /data/gdb_versions/devel/src/gdb/event-top.c:217
        #10 0x15ff479 in rl_callback_read_char
    /data/gdb_versions/devel/src/readline/callback.c:220
        #11 0xd7b4d5 in gdb_rl_callback_read_char_wrapper_noexcept
    /data/gdb_versions/devel/src/gdb/event-top.c:175
        #12 0xd7b6b5 in gdb_rl_callback_read_char_wrapper
    /data/gdb_versions/devel/src/gdb/event-top.c:192
        #13 0xd7c8aa in stdin_event_handler(int, void*)
    /data/gdb_versions/devel/src/gdb/event-top.c:514
        #14 0xd76ca7 in handle_file_event
    /data/gdb_versions/devel/src/gdb/event-loop.c:731
        #15 0xd7751f in gdb_wait_for_event
    /data/gdb_versions/devel/src/gdb/event-loop.c:857
        #16 0xd7547e in gdb_do_one_event()
    /data/gdb_versions/devel/src/gdb/event-loop.c:321
        #17 0xd75526 in start_event_loop()
    /data/gdb_versions/devel/src/gdb/event-loop.c:370
        #18 0x101b04c in captured_command_loop
    /data/gdb_versions/devel/src/gdb/main.c:331
        #19 0x101de73 in captured_main
    /data/gdb_versions/devel/src/gdb/main.c:1173
        #20 0x101df03 in gdb_main(captured_main_args*)
    /data/gdb_versions/devel/src/gdb/main.c:1188
        #21 0x872dba in main /data/gdb_versions/devel/src/gdb/gdb.c:32
        #22 0x7fcd00f2ff49 in __libc_start_main (/lib64/libc.so.6+0x20f49)
        #23 0x872bc9 in _start
(/data/gdb_versions/devel/build/gdb/gdb+0x872bc9)

    0x619000054a80 is located 0 bytes to the right of 1024-byte region
    [0x619000054680,0x619000054a80)
    allocated by thread T0 here:
        #0 0x7fcd03099510 in malloc (/usr/lib64/libasan.so.4+0xdc510)
        #1 0xae0078 in xmalloc
    /data/gdb_versions/devel/src/gdb/common/common-utils.c:44
        #2 0x15eaccb in init_line_structures
    /data/gdb_versions/devel/src/readline/display.c:458
        #3 0x15eb4d8 in rl_redisplay
    /data/gdb_versions/devel/src/readline/display.c:526
        #4 0x15bf932 in readline_internal_setup
    /data/gdb_versions/devel/src/readline/readline.c:394
        #5 0x15fe723 in _rl_callback_newline
    /data/gdb_versions/devel/src/readline/callback.c:89
        #6 0x15fe7ef in rl_callback_handler_install
    /data/gdb_versions/devel/src/readline/callback.c:102
        #7 0xd7bce6 in gdb_rl_callback_handler_install(char const*)
    /data/gdb_versions/devel/src/gdb/event-top.c:319
        #8 0xd7c0c6 in display_gdb_prompt(char const*)
    /data/gdb_versions/devel/src/gdb/event-top.c:409
        #9 0xaa041b in cli_interp_base::pre_command_loop()
    /data/gdb_versions/devel/src/gdb/cli/cli-interp.c:286
        #10 0xf5342a in interp_pre_command_loop(interp*)
    /data/gdb_versions/devel/src/gdb/interps.c:320
        #11 0x101b047 in captured_command_loop
    /data/gdb_versions/devel/src/gdb/main.c:328
        #12 0x101de73 in captured_main
    /data/gdb_versions/devel/src/gdb/main.c:1173
        #13 0x101df03 in gdb_main(captured_main_args*)
    /data/gdb_versions/devel/src/gdb/main.c:1188
        #14 0x872dba in main /data/gdb_versions/devel/src/gdb/gdb.c:32
        #15 0x7fcd00f2ff49 in __libc_start_main (/lib64/libc.so.6+0x20f49)

    SUMMARY: AddressSanitizer: heap-buffer-overflow
    (/usr/lib64/libasan.so.4+0xae4c8)
    Shadow bytes around the buggy address:
      0x0c3280002900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280002910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280002920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280002930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280002940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c3280002950:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3280002960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3280002970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280002980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280002990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c32800029a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==22340==ABORTING
    ...

    I've written an assert in rl_redisplay that formulates the error condition:
    ...
    @@ -1387,6 +1389,10 @@ rl_redisplay (void)
              cpos_adjusted = 0;
    +         assert (last_lmargin + (_rl_screenwidth + visible_wrap_offset)
    +                 <= line_size);
    +         assert (lmargin + (_rl_screenwidth + (lmargin ? 0 : wrap_offset))
    +                 <= line_size);
              update_line (&visible_line[last_lmargin],
                           &invisible_line[lmargin],
                           0,
                           _rl_screenwidth + visible_wrap_offset,
                           _rl_screenwidth + (lmargin ? 0 : wrap_offset),
                           0);
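Review bot: the commit message quotes only the diagnostic assert hunk, not the change that actually fixes the bug; since the ChangeLog entry says init_line_structures and rl_redisplay now ensure line_size is at least _rl_screenwidth + 1, quoting those lines (or stating how the two buffers are reallocated when the width grows after allocation) would let a reader verify the fix from the message alone.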
    ...
    which triggers without needing the address sanitizer (or even an
    executable), like this:
    ...
    $ TERM=dumb gdb -q -ex "set width 0"
    gdb: src/display.c:1393: rl_redisplay: Assertion
    `last_lmargin + (_rl_screenwidth + visible_wrap_offset) <= line_size'
    failed.
    Aborted (core dumped)
    ...

    The basic problem is this: visible_line and invisible_line have length
    line_size, but the update_line call assumes that line_size is at least
    _rl_screenwidth + 1.  Executing "set width 0" sets _rl_screenwidth to 32766
    but doesn't affect line_size, which is initialized to 1024.

    Fix this by ensuring in init_line_structures and rl_redisplay that
    line_size is at least _rl_screenwidth + 1.

    Tested on x86_64-linux.

    Reviewed by readline maintainer (
    https://sourceware.org/ml/gdb-patches/2019-05/msg00566.html ).

    readline/ChangeLog.gdb:

    2019-07-12  Tom de Vries  <[hidden email]>
            Chet Ramey  <[hidden email]>

        PR cli/24514
        * readline/display.c (init_line_structures, rl_redisplay): Ensure
        line_size is at least _rl_screenwidth + 1.

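The sizing mismatch the commit message describes, as an added C model that is not readline's or gdb's code: the buffer names follow display.c, the 1024-byte initial size and the 32766-column width come from the report, and the grow/reset helpers and the two scenario functions are this model's own assumptions. It evaluates the bound from comment #1 instead of performing the read, so the overrun is reported rather than triggered.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of readline's display buffers (names follow display.c); an
   illustrative reconstruction, not readline's or gdb's code. */
static char *visible_line = NULL, *invisible_line = NULL;
static int line_size = 0;        /* bytes allocated for each buffer */
static int _rl_screenwidth = 80; /* columns readline believes it has */

enum { INITIAL_LINE_SIZE = 1024, WIDTH_ZERO_COLUMNS = 32766 }; /* both from the report */

/* Grow both buffers to at least `wanted` bytes (assumed helper). */
static void grow_line_structures(int wanted)
{
  if (wanted <= line_size) return;
  char *v = realloc(visible_line, (size_t) wanted);
  char *i = realloc(invisible_line, (size_t) wanted);
  if (v == NULL || i == NULL) abort();
  memset(v + line_size, 0, (size_t) (wanted - line_size));
  memset(i + line_size, 0, (size_t) (wanted - line_size));
  visible_line = v; invisible_line = i; line_size = wanted;
}

/* The fix the commit describes: line_size >= _rl_screenwidth + 1, applied in
   init_line_structures and repeated in rl_redisplay because the width can change. */
static void ensure_line_size_fits_screen(void)
{
  int wanted = INITIAL_LINE_SIZE;
  if (wanted < _rl_screenwidth + 1) wanted = _rl_screenwidth + 1;
  grow_line_structures(wanted);
}

/* The invariant comment #1 turned into an assert: update_line reads
   _rl_screenwidth + visible_wrap_offset bytes from &visible_line[last_lmargin].
   Returns 1 if that range stays inside line_size, 0 if it would overrun. */
static int update_line_in_bounds(int last_lmargin, int visible_wrap_offset)
{
  return last_lmargin + (_rl_screenwidth + visible_wrap_offset) <= line_size;
}

static void reset_model(void)
{
  free(visible_line); free(invisible_line); visible_line = invisible_line = NULL;
  line_size = 0; _rl_screenwidth = 80;
}

/* The report's scenario: "set width 0" before the first redisplay, then the
   update_line call with last_lmargin = 0 and visible_wrap_offset = 0.
   Without the fix, the pre-fix sizing allocates a flat 1024 bytes. */
static int run_report_scenario(int use_fix)
{
  reset_model();
  _rl_screenwidth = WIDTH_ZERO_COLUMNS;
  if (use_fix) ensure_line_size_fits_screen(); else grow_line_structures(INITIAL_LINE_SIZE);
  return update_line_in_bounds(0, 0);
}

/* Width grows only after allocation: the re-check on the redisplay path is
   what keeps this case in bounds. */
static int run_width_change_scenario(void)
{
  reset_model();
  ensure_line_size_fits_screen();       /* width 80: 1024 bytes suffice */
  _rl_screenwidth = WIDTH_ZERO_COLUMNS; /* a later "set width 0" */
  ensure_line_size_fits_screen();       /* rl_redisplay-side re-check */
  return update_line_in_bounds(0, 0);
}

int main(void)
{
  int buggy = run_report_scenario(0), fixed = run_report_scenario(1);
  int fixed_size = line_size, later = run_width_change_scenario();
  printf("buggy=%d fixed=%d line_size=%d width-change=%d (1 = in bounds)\n", buggy, fixed, fixed_size, later);
  return 0;
}
```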

[Bug cli/24514] heap-buffer-overflow in update_line for utf8-identifiers.exp

Martin.Jansa at gmail dot com
In reply to this post by Martin.Jansa at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24514

Tom de Vries <vries at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #10 from Tom de Vries <vries at gcc dot gnu.org> ---
The bug report is submitted upstream, the patch accepted upstream, and the fix
is applied locally.  Nothing left to do, marking resolved-fixed.
