From: Martin DOT Stromberg AT lu DOT erisoft DOT se (Martin Stromberg)
Newsgroups: comp.os.msdos.djgpp
Subject: gdb crashing: found a bug in dbgcom.c
Date: 17 Feb 1998 06:25:34 GMT
Organization: Ericsson Erisoft AB, Sweden
Lines: 36
Message-ID: <6cbagu$3kd$1@antares.lu.erisoft.se>
NNTP-Posting-Host: juno.lu.erisoft.se
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Precedence: bulk

I wrote some days ago about how I managed to crash dbg by dereferencing a pointer that was 0xffffffff. I've found the bug; it's in the function invalid_addr in dbgcom.c.

That function is supposed to check whether the address is valid or not. The expression used is "if(a >= 4096 && (a+len-1) <= limit)", where a is the start address and len is the length of the memory we are interested in. When we call this function, like this invalid_addr(0xffffffff, 28), it calculates a+len-1 = 26 (because of overflow) which is indeed <= limit. Hence the function says the address is valid while it isn't.

Patch follows. What shall I do to get the patch incorporated into djlsr201.zip? Is it enough to post it to this newsgroup, or should I mail Delorie?

Right,

MartinS

--- dbgcom.c Tue Aug 13 00:08:04 1996 +++ /tmp/djlib.new/dbgcom.c Tue Feb 17 02:40:12 1998 @@ -553,7 +553,7 @@ unsigned limit; limit = __dpmi_get_segment_limit(__djgpp_app_DS); - if(a >= 4096 && (a+len-1) <= limit) + if(a >= 4096 && a <= limit && (a+len-1) <= limit) return 0; /* printf("Invalid access to child, address %#x length %#x limit: %#x\n", a, len, limit); if (can_longjmp)
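Review bot: the added `a <= limit` term closes the case from the post (a = 0xffffffff), but `(a+len-1) <= limit` in the `+` line can still wrap for a large len: a = 4096 with len = 0xffffffff gives a+len-1 = 4094, which passes the check again. Since a <= limit is now established first, compare the length against the remaining space instead, which cannot overflow: `if(a >= 4096 && a <= limit && len <= limit - a + 1)`.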
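To make the wraparound concrete, here is an added example (not code from dbgcom.c or from the post) that rebuilds the three variants of the check as stand-alone functions over a constructed sample limit: the original expression, the posted patch, and an overflow-free form that compares len with the space remaining after a. The names invalid_addr_original, invalid_addr_patched, invalid_addr_safe and SAMPLE_LIMIT are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for __dpmi_get_segment_limit(__djgpp_app_DS): 16 MiB - 1. */
#define SAMPLE_LIMIT 0x00ffffffu

/* Original check from dbgcom.c (0 = valid, 1 = invalid): a + len - 1 wraps
   modulo 2^32 when a is near the top of the address space. */
int invalid_addr_original(uint32_t a, uint32_t len, uint32_t limit)
{
    if (a >= 4096 && (a + len - 1) <= limit)
        return 0;
    return 1;
}

/* The posted patch: also requires a <= limit. Catches a = 0xffffffff, but
   the end-address sum still wraps for a huge len. */
int invalid_addr_patched(uint32_t a, uint32_t len, uint32_t limit)
{
    if (a >= 4096 && a <= limit && (a + len - 1) <= limit)
        return 0;
    return 1;
}

/* Overflow-free form (this example's suggestion, not from the post): compare
   len with the space left after a. With a <= limit known, limit - a cannot underflow. */
int invalid_addr_safe(uint32_t a, uint32_t len, uint32_t limit)
{
    if (a >= 4096 && a <= limit && len <= limit - a + 1)
        return 0;
    return 1;
}

int main(void)
{
    struct { uint32_t a, len; } cases[] = {   /* constructed inputs */
        { 0xffffffffu, 28 },      /* the crash from the post: a + len - 1 wraps to 26 */
        { 4096, 0xffffffffu },    /* huge length: a + len - 1 wraps to 4094 */
        { 0x1000, 16 },           /* ordinary valid access */
        { SAMPLE_LIMIT - 3, 4 },  /* ends exactly on the limit: valid */
        { SAMPLE_LIMIT - 3, 5 },  /* one byte past the limit: invalid */
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("a=%#010x len=%#010x original=%d patched=%d safe=%d\n",
               cases[i].a, cases[i].len,
               invalid_addr_original(cases[i].a, cases[i].len, SAMPLE_LIMIT),
               invalid_addr_patched(cases[i].a, cases[i].len, SAMPLE_LIMIT),
               invalid_addr_safe(cases[i].a, cases[i].len, SAMPLE_LIMIT));
    return 0;
}
```

The first two rows show the original check accepting both wrapped ranges and the patch accepting the second one; only the length-based form rejects both.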