This is the mail archive of the gdb-patches@sources.redhat.com mailing list for the GDB project.
Re: [patch] read_command_lines can return freed memory
- To: Eirik Fuller <eirik at hackrat dot com>
- Subject: Re: [patch] read_command_lines can return freed memory
- From: Fernando Nasser <fnasser at redhat dot com>
- Date: Fri, 15 Jun 2001 10:57:28 -0400
- CC: gdb-patches at sourceware dot cygnus dot com
- Organization: Red Hat Canada
- References: <20010615080029.8484D40014@hackrat.com>
Nice catch, Eirik. Thanks.
I guess this has gone unnoticed for so long because it only happens when
a control structure first line is invalid. Anyway, we should think of a
more contrived example to create a test case...
W.r.t. the fix, I believe the missing pointer reset is in
free_command_lines(). I guess that was the creator's intention as the
argument implies that it will be modified (it is passed by reference).
Please try the attached patch.
Regards,
Fernando
Eirik Fuller wrote:
>
> When sourcing a script file with improperly nested control statements,
> gdb can store a pointer to freed memory in a cmd_list_element struct,
> which can cause subsequent crashes. One test case is to source this
> script file twice:
>
> define fp
>   set $frame = (long *) $arg0
>   while $frame[0] > $frame
>     printf "%08x: %08x %08x\n", $frame, $frame[0], $frame[1]
>     if $frame[1]
>       if ((uchar **)$frame)[1][-5] == 0xe8
>         x/i $frame[1] - 5
>       else
>         if ((uchar **)$frame)[1][-2] == 0xff
>           x/i $frame[1] - 2
>         else
>           x/i $frame[1]
>         # end
>       end
>     else
>       x/i $frame[2]
>     end
>     set $frame = (long *) $frame[0]
>   end
> end
>
> Removing the # results in a script file which can be sourced with no
> errors. The patch included here prevents the crash. Here's a
> ChangeLog entry:
>
> 2001-06-15 Eirik Fuller <eirik@hackrat.com>
>
> * cli/cli-script.c (read_command_lines): Don't return freed
> memory.
>
> Here's the patch:
>
> --- gdb+dejagnu-20010615/gdb/cli/cli-script.c- Tue Mar 13 14:29:14 2001
> +++ gdb+dejagnu-20010615/gdb/cli/cli-script.c Thu Jun 14 22:53:17 2001
> @@ -995,7 +995,10 @@
> discard_cleanups (old_chain);
> }
> else
> - do_cleanups (old_chain);
> + {
> + do_cleanups (old_chain);
> + head = NULL;
> + }
> }
>
> if (readline_end_hook)
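Review bot: the `head = NULL` added after `do_cleanups (old_chain)` in the else branch only covers this one return path, while the stale pointer is produced wherever a list is released through its head's address; since `free_command_lines` already receives the head as a `struct command_line **`, resetting it inside that function would protect every caller and make the extra braces in this hunk unnecessary. The hunk also relies on the cleanup registered on `old_chain` being what frees `head`, which nothing in the visible lines states; a one-line comment next to `head = NULL;` saying that the cleanup just freed the list would make the reset self-explanatory.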
--
Fernando Nasser
Red Hat Canada Ltd. E-Mail: fnasser@redhat.com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
Index: cli/cli-script.c
===================================================================
RCS file: /cvs/src/src/gdb/cli/cli-script.c,v
retrieving revision 1.6
diff -c -p -r1.6 cli-script.c
*** cli-script.c 2001/03/13 22:29:14 1.6
--- cli-script.c 2001/06/15 14:53:13
*************** free_command_lines (struct command_line
*** 1028,1033 ****
--- 1028,1034 ----
xfree (l);
l = next;
}
+ *lptr = NULL;
}
static void
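Review bot: `*lptr = NULL;` after the free loop resets the head for every caller that frees a list by reference, so, provided the cleanup registered on `old_chain` in `read_command_lines` does call `free_command_lines (&head)`, the `head = NULL` from the quoted hunk above becomes redundant and should not be applied on top of this. The attachment also lacks a ChangeLog entry of the kind Eirik supplied, e.g. `* cli/cli-script.c (free_command_lines): Reset the caller's pointer after freeing the list.`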
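The pattern both patches address, as an added C example that is neither gdb's code nor part of this thread: a cut-down `read_command_lines` that releases a partially built list when a `define` body runs out with a block still open, and a `free_command_lines` that resets the caller's head through its by-reference argument, so the error path hands back NULL instead of a pointer to freed memory. The struct layout, the nesting rules and the sample script body are constructed assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for gdb's command_line list; not gdb's own code. */
struct command_line { struct command_line *next; char *line; };

/* Free the list and reset the caller's head pointer, as the attached patch
   makes free_command_lines () do with "*lptr = NULL".  */
void free_command_lines (struct command_line **lptr)
{
  struct command_line *l = *lptr;
  while (l != NULL)
    {
      struct command_line *next = l->next;
      free (l->line);
      free (l);
      l = next;
    }
  *lptr = NULL;               /* the reset: no dangling pointer is left behind */
}

/* Read a "define" body up to its closing "end"; "while"/"if" open a block, "end"
   closes one, "#" lines are comments.  Returns NULL if a block is left open. */
struct command_line *read_command_lines (const char **lines, int nlines)
{
  struct command_line *head = NULL, **tail = &head;
  int depth = 0;
  for (int i = 0; i < nlines; i++)
    {
      const char *s = lines[i] + strspn (lines[i], " \t");   /* skip indentation */
      if (*s == '#') continue;                               /* "# end" is a comment */
      if (strcmp (s, "end") == 0 && depth-- == 0)
        return head;                   /* the define's own terminating "end" */
      if (!strncmp (s, "while ", 6) || !strncmp (s, "if ", 3))
        depth++;
      struct command_line *n = calloc (1, sizeof *n);
      n->line = strcpy (malloc (strlen (s) + 1), s);
      *tail = n;
      tail = &n->next;
    }
  free_command_lines (&head);   /* error path: release the partial list ... */
  return head;                  /* ... and hand back NULL, not freed memory */
}

int count_command_lines (const struct command_line *l)
{ int n = 0; for (; l != NULL; l = l->next) n++; return n; }

/* Constructed sample body; commented_end = 1 reproduces the "# end" defect. */
struct command_line *read_sample (int commented_end)
{
  const char *body[] = { "set $frame = (long *) $arg0", "while $frame[0] > $frame",
    "  if $frame[1]", "    x/i $frame[1]", commented_end ? "  # end" : "  end", "end", "end" };
  return read_command_lines (body, 7);
}
```

With the `# end` in place the body never reaches its own terminating `end`, so the partial list is freed and the caller receives NULL; with the comment marker removed the same body parses to six stored lines.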