GNU bug report logs - #20156
Emacs 24 stack corruption in fontset.c:fontset_pattern_regexp


Package: emacs;

Reported by: John F Carr <jfc <at> mit.edu>

Date: Sat, 21 Mar 2015 17:30:03 UTC

Severity: normal

Done: "Jan D." <jan.h.d <at> swipnet.se>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#20156; Package emacs. (Sat, 21 Mar 2015 17:30:04 GMT)

Acknowledgement sent to John F Carr <jfc <at> mit.edu>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sat, 21 Mar 2015 17:30:04 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: John F Carr <jfc <at> mit.edu>
To: "bug-gnu-emacs <at> gnu.org" <bug-gnu-emacs <at> gnu.org>
Subject: Emacs 24 stack corruption in fontset.c:fontset_pattern_regexp
Date: Sat, 21 Mar 2015 12:06:16 +0000
Emacs crashes on Mac Yosemite (native window system) when I use set-frame-font with certain font patterns.  The cause is writing past the end of an alloca buffer in fontset.c:fontset_pattern_regexp.  This triggers a stack check assertion.  Alloca is used to allocate space for a regexp, but the size neglects to consider the ^$ around the regexp.  “+1” should be “+3”.

To reproduce:

(set-frame-font "-adobe-courier-medium-r-normal--24-*-75-75-m-150-iso8859-1")

without X installed.

Bug in 24.3 and "GNU Emacs 24.4.2 (x86_64-apple-darwin14.1.0, NS apple-appkit-1344.72)".



[fontset.diff (application/octet-stream, attachment)]
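
The sizing error described in the report above, as an added example (not Emacs source and not the attached fontset.diff): a constructed model of the pattern-to-regexp conversion, showing that a buffer sized with "+1" is two bytes short once the `^` and `$` anchors are written. The rule that only `*` expands (to `.*`), the function names, and the use of a heap buffer in place of alloca are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Emacs source: '*' becomes ".*", every other byte is
   copied, and the result is wrapped in '^' ... '$'. */
static size_t count_stars(const char *pat)
{
    size_t n = 0;
    for (; *pat; pat++) n += (*pat == '*');
    return n;
}

/* Size as the report describes it: body + 1 for the NUL, anchors forgotten. */
size_t size_plus1(const char *pat) { return strlen(pat) + count_stars(pat) + 1; }

/* Size with the reported correction: + 3 covers '^', '$' and the NUL. */
size_t size_plus3(const char *pat) { return strlen(pat) + count_stars(pat) + 3; }

/* Bounds-checked conversion. Returns the bytes written (including the NUL),
   or 0 if OUT (capacity CAP) is too small; it never writes past CAP. */
size_t pattern_to_regexp(const char *pat, char *out, size_t cap)
{
    size_t n = 0;
#define PUT(c) do { if (n >= cap) return 0; out[n++] = (c); } while (0)
    PUT('^');
    for (; *pat; pat++) {
        if (*pat == '*') PUT('.');
        PUT(*pat);
    }
    PUT('$');
    PUT('\0');
#undef PUT
    return n;
}

int main(void)
{
    /* Font pattern taken from the report. */
    const char *pat = "-adobe-courier-medium-r-normal--24-*-75-75-m-150-iso8859-1";
    size_t small = size_plus1(pat), big = size_plus3(pat);
    char *buf = malloc(big);
    if (!buf) return 1;
    printf("+1 (%zu bytes): wrote %zu\n", small, pattern_to_regexp(pat, buf, small));
    printf("+3 (%zu bytes): wrote %zu\n", big, pattern_to_regexp(pat, buf, big));
    printf("regexp: %s\n", buf);
    free(buf);
    return 0;
}
```

The capacity check turns the under-sized case into a reported failure (return value 0) instead of a write past the end of the buffer.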

Reply sent to "Jan D." <jan.h.d <at> swipnet.se>:
You have taken responsibility. (Sun, 22 Mar 2015 09:24:02 GMT)

Notification sent to John F Carr <jfc <at> mit.edu>:
bug acknowledged by developer. (Sun, 22 Mar 2015 09:24:03 GMT)

Message #10 received at 20156-done <at> debbugs.gnu.org:

From: "Jan D." <jan.h.d <at> swipnet.se>
To: John F Carr <jfc <at> mit.edu>
Cc: 20156-done <at> debbugs.gnu.org
Subject: Re: bug#20156: Emacs 24 stack corruption in fontset.c:fontset_pattern_regexp
Date: Sun, 22 Mar 2015 10:23:27 +0100
Good call.  Fixed in trunk and emacs-24 branch.

	Jan D.

> On 21 Mar 2015, at 13:06, John F Carr <jfc <at> mit.edu> wrote:
> 
> Emacs crashes on Mac Yosemite (native window system) when I use set-frame-font with certain font patterns.  The cause is writing past the end of an alloca buffer in fontset.c:fontset_pattern_regexp.  This triggers a stack check assertion.  Alloca is used to allocate space for a regexp, but the size neglects to consider the ^$ around the regexp.  “+1” should be “+3”.
> 
> To reproduce:
> 
> (set-frame-font "-adobe-courier-medium-r-normal--24-*-75-75-m-150-iso8859-1")
> 
> without X installed.
> 
> Bug in 24.3 and "GNU Emacs 24.4.2 (x86_64-apple-darwin14.1.0, NS apple-appkit-1344.72)".
> 
> 
> 
> <fontset.diff>





bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 19 Apr 2015 11:24:03 GMT)

This bug report was last modified 10 years and 118 days ago.
