[gdb/ada] Handle shrink resize in replace_operator_with_call

In replace_operator_with_call, we resize the elts array like this: ... exp->nelts = exp->nelts + 7 - oplen; exp->resize (exp->nelts); ... Although all the current callers ensure that the new size is bigger, it could also be smaller, in which case the following memmove possibly reads out of bounds: ... memmove (exp->elts + pc + 7, exp->elts + pc + oplen, EXP_ELEM_TO_BYTES (save_nelts - pc - oplen)); ... Fix this by doing the resize after the memmove in case the new size is smaller. Tested on x86_64-linux. gdb/ChangeLog: 2020-12-07 Tom de Vries <tdevries@suse.de> * ada-lang.c (replace_operator_with_call): Handle shrink resize.
2025-06-01 11:59:27 +08:00 · 2020-12-07 09:07:32 +01:00
parent 00158a68d1
commit f51f9f1d03
2 changed files with 10 additions and 2 deletions
--- a/gdb/ada-lang.c
+++ b/gdb/ada-lang.c
@ -4005,11 +4005,15 @@ replace_operator_with_call (expression_up *expp, int pc, int nargs,
     expression.  */
  struct expression *exp = expp->get ();
  int save_nelts = exp->nelts;
-  exp->nelts = exp->nelts + 7 - oplen;
-  exp->resize (exp->nelts);
+  int extra_elts = 7 - oplen;
+  exp->nelts += extra_elts;

+  if (extra_elts > 0)
+    exp->resize (exp->nelts);
  memmove (exp->elts + pc + 7, exp->elts + pc + oplen,
 	   EXP_ELEM_TO_BYTES (save_nelts - pc - oplen));
+  if (extra_elts < 0)
+    exp->resize (exp->nelts);

  exp->elts[pc].opcode = exp->elts[pc + 2].opcode = OP_FUNCALL;
  exp->elts[pc + 1].longconst = (LONGEST) nargs;