GNU bug report logs -
#18140
[PATCH] macros.c: CHECK_VECTOR_OR_STRING invokes wrong_type_argument for Qnil instead of return 0
Previous Next
Reported by: Jan Chaloupka <jchaloup <at> redhat.com>
Date: Tue, 29 Jul 2014 05:03:02 UTC
Severity: normal
Tags: patch
Done: Andreas Schwab <schwab <at> suse.de>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your message dated Tue, 29 Jul 2014 10:10:11 +0200
with message-id <mvmfvhkh9gc.fsf <at> hawking.suse.de>
and subject line Re: bug#18140: [PATCH] macros.c: CHECK_VECTOR_OR_STRING invokes wrong_type_argument for Qnil instead of return 0
has caused the debbugs.gnu.org bug report #18140,
regarding [PATCH] macros.c: CHECK_VECTOR_OR_STRING invokes wrong_type_argument for Qnil instead of return 0
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
18140: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=18140
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
In function Fstart_kbd_macro (macros.c), Vlast_kbd_macro of current_kboard is Qnil for the first invocation.
If NILP (append) is false, current_kboard->kbd_macro_ptr has random value (in our case 0x5353535353535353),
which after CHECK_VECTOR_OR_STRING failure (invocation of wrong_type_argument) results in garbage collecting.
During gc, marking of objects is processed and mark_kboards (keyboard.c) is invoked. Following for loop is fired:
for (p = kb->kbd_macro_buffer; p < kb->kbd_macro_ptr; p++)
mark_object (*p);
Since kb->kbd_macro_ptr is set to 0x5353535353535353, mark_object (*p) is trying to mark object on address
out of memory space (or memory that cannot be accessed). Thus resulting in SIGSEGV signal.
Solution is to check for Qnil before calling CHECK_VECTOR_OR_STRING and set len to 0 if Qnil occurs.
https://bugzilla.redhat.com/show_bug.cgi?id=1104012
Signed-off-by: Jan Chaloupka <jchaloup <at> redhat.com>
---
src/macros.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/macros.c b/src/macros.c
index 4730a8b..219eb39 100644
--- a/src/macros.c
+++ b/src/macros.c
@@ -85,7 +85,23 @@ macro before appending to it. */)
bool cvt;
/* Check the type of last-kbd-macro in case Lisp code changed it. */
- len = CHECK_VECTOR_OR_STRING (KVAR (current_kboard, Vlast_kbd_macro));
+ /* If Vlast_kbd_macro is Qnil, skip the check and set len to 0.
+ * Flength returns 0 for Qnil, CHECK_VECTOR_OR_STRING has to do the same.
+ * Otherwise CHECK_VECTOR_OR_STRING fails and results in garbage collecting,
+ * which results in (keyboard.c, mark_kboards(void))
+ *
+ * for (p = kb->kbd_macro_buffer; p < kb->kbd_macro_ptr; p++)
+ * mark_object (*p);
+ *
+ * Here, kb->kbd_macro_ptr is not initialized and can contain address
+ * 0x5353535353535353, which results in SIGSEGV trying to access the address.
+ *
+ * https://bugzilla.redhat.com/show_bug.cgi?id=1104012
+ */
+ if (!NILP (KVAR (current_kboard, Vlast_kbd_macro) ))
+ len = CHECK_VECTOR_OR_STRING (KVAR (current_kboard, Vlast_kbd_macro));
+ else
+ len = 0;
/* Copy last-kbd-macro into the buffer, in case the Lisp code
has put another macro there. */
[Message part 3 (message/rfc822, inline)]
Fixed for emacs 24.4. Thanks for the report.
Andreas.
--
Andreas Schwab, SUSE Labs, schwab <at> suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
This bug report was last modified 10 years and 361 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.