Mail Archives: djgpp/1998/02/17/03:01:43
From: Martin DOT Stromberg AT lu DOT erisoft DOT se (Martin Stromberg)
Newsgroups: comp.os.msdos.djgpp
Subject: gdb crashing: found a bug in dbgcom.c
Date: 17 Feb 1998 06:25:34 GMT
Organization: Ericsson Erisoft AB, Sweden
Lines: 36
Message-ID: <6cbagu$3kd$1@antares.lu.erisoft.se>
NNTP-Posting-Host: juno.lu.erisoft.se
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
I wrote some days ago about how I managed to crash dbg by dereferencing
a pointer that was 0xffffffff.

I've found the bug; it's in the function invalid_addr in dbgcom.c.
That function is supposed to check whether the address is valid or not.
The expression used is "if(a >= 4096 && (a+len-1) <= limit)", where a
is the start address and len is the length of the memory we are
interested in.
When we call this function like this, invalid_addr(0xffffffff, 28), it
calculates a+len-1 = 26 (because of overflow), which is indeed <= limit.
Hence the function says the address is valid while it isn't. Patch
follows.

What shall I do to get the patch incorporated into djlsr201.zip? Is it
enough to post it to this news group, or should I mail Delorie?

Right,
MartinS
--- dbgcom.c Tue Aug 13 00:08:04 1996
+++ /tmp/djlib.new/dbgcom.c Tue Feb 17 02:40:12 1998
@@ -553,7 +553,7 @@
unsigned limit;
limit = __dpmi_get_segment_limit(__djgpp_app_DS);
- if(a >= 4096 && (a+len-1) <= limit)
+ if(a >= 4096 && a <= limit && (a+len-1) <= limit)
return 0;
/* printf("Invalid access to child, address %#x length %#x limit: %#x\n", a, len, limit);
if (can_longjmp)
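Review bot: the added `a <= limit` term in the `+` line stops the reported case (a start address above the segment limit whose `a+len-1` wraps to a small value), but the sum `a+len-1` can still wrap when `a` is a valid start address and `len` is large, so an oversized length is still accepted. A check that never performs the addition closes both cases once `a <= limit` is known, e.g. `if(a >= 4096 && a <= limit && len != 0 && len-1 <= limit-a)`, where `limit-a` cannot underflow because of the preceding term.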
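An added example, not code from the original post or from dbgcom.c itself: the range check from the hunk modelled on 32-bit unsigned values, showing the wraparound the report describes, the effect of the posted patch, and a form of the check that also rejects an oversized length. The limit value is a constructed stand-in for the DPMI segment limit.

```c
/* Added example: models dbgcom.c's invalid_addr() range check on 32-bit
 * unsigned values. Not the original code; DEMO_LIMIT is a constructed
 * stand-in for __dpmi_get_segment_limit(__djgpp_app_DS). */
#include <stdint.h>
#include <stdio.h>

#define DEMO_LIMIT 0x00FFFFFFu

/* Original check: 0 means "valid", nonzero means "invalid".
 * a+len-1 is 32-bit unsigned arithmetic, so it can wrap to a small value. */
int invalid_addr_orig(uint32_t a, uint32_t len, uint32_t limit)
{
    if (a >= 4096 && (a + len - 1) <= limit)
        return 0;
    return 1;
}

/* The posted patch: the start address itself must also be inside the
 * segment. This rejects a = 0xffffffff but still adds to a. */
int invalid_addr_patched(uint32_t a, uint32_t len, uint32_t limit)
{
    if (a >= 4096 && a <= limit && (a + len - 1) <= limit)
        return 0;
    return 1;
}

/* Wraparound-free form: once a <= limit holds, limit - a cannot underflow,
 * so the length is compared against the remaining room without any
 * addition. A zero length is rejected explicitly. */
int invalid_addr_safe(uint32_t a, uint32_t len, uint32_t limit)
{
    if (a >= 4096 && a <= limit && len != 0 && len - 1 <= limit - a)
        return 0;
    return 1;
}

int main(void)
{
    /* The reported case: 0xffffffff + 28 - 1 wraps to 26, so the original
     * check accepts it while the patched one rejects it. */
    printf("orig    (0xffffffff, 28): %d\n", invalid_addr_orig(0xffffffffu, 28, DEMO_LIMIT));
    printf("patched (0xffffffff, 28): %d\n", invalid_addr_patched(0xffffffffu, 28, DEMO_LIMIT));
    /* A valid start with an oversized length still wraps past the patch;
     * the addition-free form rejects it. */
    printf("patched (0x1000, 0xffffffff): %d\n", invalid_addr_patched(0x1000u, 0xffffffffu, DEMO_LIMIT));
    printf("safe    (0x1000, 0xffffffff): %d\n", invalid_addr_safe(0x1000u, 0xffffffffu, DEMO_LIMIT));
    return 0;
}
```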