GNU bug report logs - #14345
24.3; shr-insert-document crashes gtk-emacs

Previous Next

Package: emacs;

Reported by: David Bremner <david <at> tethera.net>

Date: Sat, 4 May 2013 02:54:04 UTC

Severity: important

Tags: confirmed

Found in version 24.3

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

Full log

Message #28 received at 14345-done <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: 14345-done <at> debbugs.gnu.org
Subject: Re: 24.3; shr-insert-document crashes gtk-emacs
Date: Sun, 12 May 2013 12:21:21 -0700

I installed the following patch as trunk bzr 112562 to fix
this.  It works for me, including for Glenn's C-c C-c test.
I'll cross my fingers and mark the bug as fixed.

=== modified file 'src/ChangeLog'
--- src/ChangeLog	2013-05-09 18:30:46 +0000
+++ src/ChangeLog	2013-05-12 19:14:22 +0000
@@ -1,3 +1,7 @@
+2013-05-12  Paul Eggert  <eggert <at> cs.ucla.edu>
+
+	* image.c (gif_load): Check that subimages fit (Bug#14345).
+
 2013-05-09  Stefan Monnier  <monnier <at> iro.umontreal.ca>
 
 	* lread.c (skip_dyn_eof): New function.

=== modified file 'src/image.c'
--- src/image.c	2013-04-07 04:41:19 +0000
+++ src/image.c	2013-05-12 19:15:38 +0000
@@ -7263,6 +7263,25 @@
       return 0;
     }
 
+  /* Check that the selected subimages fit.  It's not clear whether
+     the GIF spec requires this, but Emacs can crash if they don't fit.  */
+  for (j = 0; j <= idx; ++j)
+    {
+      struct SavedImage *subimage = gif->SavedImages + j;
+      int subimg_width = subimage->ImageDesc.Width;
+      int subimg_height = subimage->ImageDesc.Height;
+      int subimg_top = subimage->ImageDesc.Top;
+      int subimg_left = subimage->ImageDesc.Left;
+      if (! (0 <= subimg_width && 0 <= subimg_height
+	     && 0 <= subimg_top && subimg_top <= height - subimg_height
+	     && 0 <= subimg_left && subimg_left <= width - subimg_width))
+	{
+	  image_error ("Subimage does not fit in image", Qnil, Qnil);
+	  fn_DGifCloseFile (gif);
+	  return 0;
+	}
+    }
+
   /* Create the X image and pixmap.  */
   if (!x_create_x_image_and_pixmap (f, width, height, 0, &ximg, &img->pixmap))
     {
This bug report was last modified 12 years and 98 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.