
Commit 1fa26e6

committed
[PATCH][lldb] Fix dereference of null pointer.
The function DWARFASTParserClang::ParsePointerToMemberType attempts to make two pointers and then immediately tries to dereference them, without verifying that the pointers were successfully created. Sometimes the pointer creation fails, and the dereference then causes a segfault. This adds a check that the pointers are non-null before attempting to dereference them.
1 parent a0525f0 commit 1fa26e6


2 files changed

+71
-0
lines changed


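--- a/lldb/source/Plugins/SymbolFile/DWARF/DWARFASTParserClang.cpp
+++ b/lldb/source/Plugins/SymbolFile/DWARF/DWARFASTParserClang.cpp
@@ -1351,6 +1351,11 @@ TypeSP DWARFASTParserClang::ParsePointerToMemberType(
 Type *class_type =
 dwarf->ResolveTypeUID(attrs.containing_type.Reference(), true);
 
+// Check to make sure pointers are not NULL before attempting to
+// dereference them.
+if ((class_type == nullptr) || (pointee_type == nullptr))
+return nullptr;
+
 CompilerType pointee_clang_type = pointee_type->GetForwardCompilerType();
 CompilerType class_clang_type = class_type->GetForwardCompilerType();
 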
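Review bot: The added guard turns a crash on malformed or unresolvable debug info into a silent `return nullptr`, so a DIE whose DW_AT_type or DW_AT_containing_type reference cannot be resolved (the new test uses bogus 0xdeadbeef references) becomes indistinguishable from a benign unresolved type. Since debug info can come from untrusted binaries, a diagnostic at this point would help triage; the parser appears to report similar failures elsewhere through the module's ReportError path, and if that holds here a one-line report naming the DIE before the `return nullptr;` would fit the existing style. The `if` should also say which pointer failed, e.g. a comment such as `// ResolveTypeUID returns null when the referenced DIE is missing or malformed` in place of the generic "not NULL" wording. ParsePointerToMemberType begins before this hunk, where pointee_type is resolved, and continues after it.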
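--- /dev/null
+++ b/<NEW-TEST-FILE-PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,66 @@
+# Test to verify that, if a class type pointer creation fails (pointer is
+# null), LLDB does not try to dereference the null pointer.
+
+# RUN: llvm-mc --triple x86_64-pc-linux %s --filetype=obj -o %t
+# RUN: %lldb %t -o "target variable x" -o exit 2>&1
+
+# This tests a fix for a crash. If things are working we don't get a segfault.
+
+.type x,@object # @x
+.bss
+.globl x
+x:
+.quad 0 # 0x0
+.size x, 8
+
+.section .debug_abbrev,"",@progbits
+.byte 1 # Abbreviation Code
+.byte 17 # DW_TAG_compile_unit
+.byte 1 # DW_CHILDREN_yes
+.byte 37 # DW_AT_producer
+.byte 8 # DW_FORM_string
+.byte 0 # EOM(1)
+.byte 0 # EOM(2)
+.byte 2 # Abbreviation Code
+.byte 52 # DW_TAG_variable
+.byte 0 # DW_CHILDREN_no
+.byte 3 # DW_AT_name
+.byte 8 # DW_FORM_string
+.byte 73 # DW_AT_type
+.byte 19 # DW_FORM_ref4
+.byte 2 # DW_AT_location
+.byte 24 # DW_FORM_exprloc
+.byte 0 # EOM(1)
+.byte 0 # EOM(2)
+.byte 3 # Abbreviation Code
+.byte 31 # DW_TAG_ptr_to_member_type
+.byte 0 # DW_CHILDREN_no
+.byte 73 # DW_AT_type
+.byte 19 # DW_FORM_ref4
+.byte 29 # DW_AT_containing_type
+.byte 19 # DW_FORM_ref4
+.byte 0 # EOM(1)
+.byte 0 # EOM(2)
+.byte 0 # EOM(3)
+.section .debug_info,"",@progbits
+.Lcu_begin0:
+.long .Ldebug_info_end0-.Ldebug_info_start0 # Length of Unit
+.Ldebug_info_start0:
+.short 5 # DWARF version number
+.byte 1 # DWARF Unit Type
+.byte 8 # Address Size (in bytes)
+.long .debug_abbrev # Offset Into Abbrev. Section
+.byte 1 # Abbrev [1] DW_TAG_compile_unit
+.asciz "Hand-written DWARF" # DW_AT_producer
+.byte 2 # Abbrev [2] DW_TAG_variable
+.asciz "x" # DW_AT_name
+.long .Ltype-.Lcu_begin0 # DW_AT_type
+.byte 9 # DW_AT_location
+.byte 3
+.quad x
+.Ltype:
+.byte 3 # Abbrev [3] DW_TAG_ptr_to_member_type
+.long 0xdeadbeef # DW_AT_type
+.long 0xdeadbeef # DW_AT_containing_type
+.byte 0 # End Of Children Mark
+.Ldebug_info_end0: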
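Review bot: The second RUN line only asserts that lldb exits cleanly, so the test proves the crash is gone but not that the variable is still handled sensibly once ParsePointerToMemberType returns null. Piping the run through FileCheck (`| FileCheck %s`) with a CHECK line for whatever lldb now prints for `x` — the expected text is not shown here, so it would need to be captured from an actual run — would also catch a regression where `x` silently disappears or reports a different error. The header comment could say this explicitly, e.g. `# The bogus 0xdeadbeef references make both ResolveTypeUID calls fail; lldb must report the variable without crashing.`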
