[LLDB] Fix buffer overflow problem in DWARFExpression::Evaluate.

cmtice · cmtice · commit ee476996bec7 · 2023-06-28T11:46:55.000-07:00
In two calls to ReadMemory in DWARFExpression.cpp, the buffer size passed to ReadMemory is not actually the size of the buffer (I suspect a copy/paste error where the variable name was not properly updated). This caused a buffer overflow bug, which we found throuth Address Sanitizer. This patch fixes the problem by passing the correct buffer size to the calls to ReadMemory (and to the DataExtractor). Differential Revision: https://reviews.llvm.org/D153840
diff --git a/lldb/source/Expression/DWARFExpression.cpp b/lldb/source/Expression/DWARFExpression.cpp
@@ -1138,15 +1138,16 @@ bool DWARFExpression::Evaluate(
 
         if (load_addr == LLDB_INVALID_ADDRESS && so_addr.IsSectionOffset()) {
           uint8_t addr_bytes[8];
+          size_t buf_size = sizeof(addr_bytes);
           Status error;
 
           if (target &&
-              target->ReadMemory(so_addr, &addr_bytes, size, error,
-                                 /*force_live_memory=*/false) == size) {
+              target->ReadMemory(so_addr, &addr_bytes, buf_size, error,
+                                 /*force_live_memory=*/false) == buf_size) {
             ObjectFile *objfile = module_sp->GetObjectFile();
 
             stack.back().GetScalar() = DerefSizeExtractDataHelper(
-                addr_bytes, size, objfile->GetByteOrder(), size);
+                addr_bytes, size, objfile->GetByteOrder(), buf_size);
             stack.back().ClearContext();
             break;
           } else {
@@ -1170,13 +1171,13 @@ bool DWARFExpression::Evaluate(
             lldb::addr_t pointer_addr =
                 stack.back().GetScalar().ULongLong(LLDB_INVALID_ADDRESS);
             uint8_t addr_bytes[sizeof(lldb::addr_t)];
+            size_t buf_size = sizeof(addr_bytes);
             Status error;
-            if (process->ReadMemory(pointer_addr, &addr_bytes, size, error) ==
-                size) {
-
+            if (process->ReadMemory(pointer_addr, &addr_bytes, buf_size, error)
+                == buf_size) {
               stack.back().GetScalar() =
                   DerefSizeExtractDataHelper(addr_bytes, sizeof(addr_bytes),
-                                             process->GetByteOrder(), size);
+                                             process->GetByteOrder(), buf_size);
               stack.back().ClearContext();
             } else {
               if (error_ptr)
