devel@nongnu.org
> Subject: Re: [Qemu-devel] [PATCH] qstring: Fix integer overflow
>
> "liujunjie (A)" writes:
>
> > Even using gdb command: set print elements 0, it is still too large to print
> > the whole string.
> > So I try to obtain the string
"liujunjie (A)" writes:
> Even using gdb command: set print elements 0, it is still too large to print the
> whole string.
> So I try to obtain the string in another way.
> After several attempts (not easy in fact), I finally obtain the real length.
> The way is as follows:
> (gdb) p (int *)str
> $
rmbruster
> Cc: liujunjie (A) ; wangxin (U)
> ; Gonglei (Arei) ;
> Huangweidong (C) ; qemu-devel@nongnu.org
> Subject: Re: [Qemu-devel] [PATCH] qstring: Fix integer overflow
>
> Markus Armbruster writes:
>
> > "liujunjie (A)" writes:
> >
> &
Markus Armbruster writes:
> "liujunjie (A)" writes:
>
>> The stack backtrace is as follows:
>> (gdb) bt
>> #0 0x7f1dc3c7b091 in _g_log_abort () from /usr/lib64/libglib-2.0.so.0
>> #1 0x7f1dc3c7c0bd in g_log_default_handler () from
>> /usr/lib64/libglib-2.0.so.0
>> #2 0x7f1dc3c7c3
"liujunjie (A)" writes:
> The stack backtrace is as follows:
> (gdb) bt
> #0 0x7f1dc3c7b091 in _g_log_abort () from /usr/lib64/libglib-2.0.so.0
> #1 0x7f1dc3c7c0bd in g_log_default_handler () from
> /usr/lib64/libglib-2.0.so.0
> #2 0x7f1dc3c7c341 in g_logv () from /usr/lib64/libgl
; Huangweidong (C)
> ; qemu-devel@nongnu.org
> Subject: Re: [Qemu-devel] [PATCH] qstring: Fix integer overflow
>
> On 07/20/2018 08:09 AM, liujunjie wrote:
> > From: l00425170
> >
> > The incoming parameters "start" and "end" are int t
-
> From: Markus Armbruster [mailto:arm...@redhat.com]
> Sent: Monday, July 23, 2018 11:46 PM
> To: liujunjie (A)
> Cc: wangxin (U) ; Gonglei (Arei)
> ; Huangweidong (C)
> ; qemu-devel@nongnu.org
> Subject: Re: [Qemu-devel] [PATCH] qstring: Fix integer overflow
>
> "liu
"liujunjie (A)" writes:
> Thanks for your reply.
>> Really? How exactly can this happen? Please explain step by step.
> There exists a qemu core related to this. You have mentioned that "The
> conversion truncates when strlen(str) - 1 exceeds INT_MAX".
> Later in function qstring_from_substr, thi
On 07/20/2018 08:09 AM, liujunjie wrote:
From: l00425170
The incoming parameters "start" and "end" are int type in
qstring_from_substr(), but this function can be called by
qstring_from_str, which is size_t type in strlen(str).
It may result in a coredump when g_malloc is called later.
One scene to t
(A)
> Cc: wangxin (U) ; Gonglei (Arei)
> ; Huangweidong (C)
> ; qemu-devel@nongnu.org
> Subject: Re: [Qemu-devel] [PATCH] qstring: Fix integer overflow
>
> liujunjie writes:
>
> > From: l00425170
> >
> > The incoming parameters "start" and
liujunjie writes:
> From: l00425170
>
> The incoming parameters "start" and "end" are int type in
> qstring_from_substr(), but this function can be called by
> qstring_from_str, which is size_t type in strlen(str).
Yes, there's a conversion from size_t to int in
return qstring_from_substr(s
From: l00425170
The incoming parameters "start" and "end" are int type in
qstring_from_substr(), but this function can be called by
qstring_from_str, which is size_t type in strlen(str).
It may result in a coredump when g_malloc is called later.
One scene to trigger is to call hmp "info tlb", which may