mirror of
https://sourceware.org/git/binutils-gdb.git
synced 2025-01-06 12:09:26 +08:00
6ab5b6d0f3
An off-by-one bug in the check for pptrtab lookup meant that we could access the pptrtab past its bounds (*well* past its bounds), particularly if we called ctf_lookup_by_name in a child dict with "*foo" where "foo" is a type that exists in the parent but not the child and no previous lookups by name have been carried out.

(Note that "*foo" is not even a valid thing to call ctf_lookup_by_name with: foo * is. Nonetheless, users sometimes do call ctf_lookup_by_name with invalid content, and it should return ECTF_NOTYPE, not crash.)

ctf_pptrtab_len, as its name suggests (and as other tests of it in ctf-lookup.c confirm), is one higher than the maximum valid permissible index, so the comparison is wrong.

(Test added, which should fail pretty reliably in the presence of this bug on any machine with 4KiB pages.)

libctf/ChangeLog
2021-09-27  Nick Alcock  <nick.alcock@oracle.com>

* ctf-lookup.c (ctf_lookup_by_name_internal): Fix pptrtab bounds.
* testsuite/libctf-writable/pptrtab-writable-page-deep-lookup.*: New test.
| Name |
|---|
| .. |
| testsuite |
| .gitignore |
| aclocal.m4 |
| ChangeLog |
| ChangeLog-2020 |
| config.h.in |
| configure |
| configure.ac |
| ctf-archive.c |
| ctf-create.c |
| ctf-decl.c |
| ctf-decls.h |
| ctf-dedup.c |
| ctf-dump.c |
| ctf-endian.h |
| ctf-error.c |
| ctf-hash.c |
| ctf-impl.h |
| ctf-inlines.h |
| ctf-intl.h |
| ctf-labels.c |
| ctf-link.c |
| ctf-lookup.c |
| ctf-open-bfd.c |
| ctf-open.c |
| ctf-qsort_r.c |
| ctf-serialize.c |
| ctf-sha1.c |
| ctf-sha1.h |
| ctf-string.c |
| ctf-subr.c |
| ctf-types.c |
| ctf-util.c |
| elf.h |
| libctf.ver |
| Makefile.am |
| Makefile.in |
| NEWS |
| swap.h |