From debbugs-submit-bounces@debbugs.gnu.org Sun Apr 05 23:24:15 2015
Date: Mon, 06 Apr 2015 12:23:23 +0900 (Tokyo (Standard Time))
From: Koichi Arakawa
To: bug-gnu-emacs@gnu.org
Subject: [PATCH] fix: w32_executable_type() causes a segmentation fault
Message-Id: <20150406.122323.240448317693586769.arakawa@pp.iij4u.or.jp>

Hi folks,

On Windows platform, w32_executable_type() in src/w32proc.c scans
'dllname' in an EXE file.  But there are some strange EXE files in which
'dllname' points to an illegal address, for example, Microsoft's Excel
(excel.exe) and PowerPoint (POWERPNT.EXE).  w32_executable_type() causes
a segmentation fault for those files.

objdump in binutils seems to know those illegal pointers and discard
them (pe_print_idata() in bfd/peXXigen.c).

In the following patch, 'dllname' is checked to see whether it points
into the valid section's address space, and is discarded when it's
invalid.

Regards,
Koichi Arakawa

diff --git a/src/ChangeLog b/src/ChangeLog
index 1c3f933..a49fdf4 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2015-04-06  Koichi Arakawa
+
+	* w32proc.c (w32_executable_type): Check whether 'dllname' points
+	to the section's address space.
+
 2015-04-04  Jan Djärv
 
 	* xselect.c (x_reply_selection_request)
diff --git a/src/w32proc.c b/src/w32proc.c
index 7d982f8..d3d9405 100644
--- a/src/w32proc.c
+++ b/src/w32proc.c
@@ -1618,16 +1618,23 @@ w32_executable_type (char * filename,
 	    data_dir[IMAGE_DIRECTORY_ENTRY_IMPORT];
 	  IMAGE_IMPORT_DESCRIPTOR * imports;
 	  IMAGE_SECTION_HEADER * section;
+	  char * base;
+	  DWORD_PTR real_size;
 
 	  section = rva_to_section (import_dir.VirtualAddress, nt_header);
 	  imports = RVA_TO_PTR (import_dir.VirtualAddress, section, executable);
+	  base = RVA_TO_PTR (section->VirtualAddress, section, executable);
+	  real_size = max (section->SizeOfRawData, section->Misc.VirtualSize);
 
 	  for ( ; imports->Name; imports++)
 	    {
 	      char * dllname = RVA_TO_PTR (imports->Name, section,
 					   executable);
 
+	      if (imports->Name < base || dllname >= base + real_size)
+		break;
+
 	      /* The exact name of the cygwin dll has changed with
 		 various releases, but hopefully this will be reasonably
 		 future proof.  */

From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 06 04:02:52 2015
Date: Mon, 06 Apr 2015 11:02:47 +0300
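Review bot: the left half of the new guard compares values of different kinds. `imports->Name` is used as an RVA (it is what `RVA_TO_PTR` is given, in the same position as `import_dir.VirtualAddress` above), while `base` is declared `char *`, so `imports->Name < base` is an integer-versus-pointer comparison that the compiler will flag and that cannot mean "before the start of the section"; compare like with like, either `dllname < base` or `imports->Name < section->VirtualAddress`. Two more points on the same lines: `break` abandons the rest of the import list as soon as one entry is rejected, so a cygwin import listed after a rejected entry is never examined, and `continue` matches the stated intent of discarding only the bad entry; and `real_size` is `max (section->SizeOfRawData, section->Misc.VirtualSize)`, so for a section whose VirtualSize exceeds its raw size the bound `base + real_size` reaches past the bytes actually present in `executable`, and a `dllname` in that tail passes the check yet reads beyond the section's file data; for a file-backed read `SizeOfRawData` is the safer limit. Finally, both `base` and the loop's `dllname` are computed from the single `section` that holds the import directory, so a name that legitimately lives in another section is rejected here instead of resolved.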
From: Eli Zaretskii
To: Koichi Arakawa
Cc: 20264@debbugs.gnu.org
Subject: Re: bug#20264: [PATCH] fix: w32_executable_type() causes a segmentation fault
Message-id: <83a8yllm54.fsf@gnu.org>
In-reply-to: <20150406.122323.240448317693586769.arakawa@pp.iij4u.or.jp>

> Date: Mon, 06 Apr 2015 12:23:23 +0900 (Tokyo (Standard Time))
> From: Koichi Arakawa
>
> On Windows platform, w32_executable_type() in src/w32proc.c scans
> 'dllname' in an EXE file.  But there are some strange EXE files in which
> 'dllname' points to an illegal address, for example, Microsoft's Excel
> (excel.exe) and PowerPoint (POWERPNT.EXE).  w32_executable_type() causes
> a segmentation fault for those files.
>
> objdump in binutils seems to know those illegal pointers and discard
> them (pe_print_idata() in bfd/peXXigen.c).
>
> In the following patch, 'dllname' is checked to see whether it points
> into the valid section's address space, and is discarded when it's
> invalid.

Thanks.

> 	      for ( ; imports->Name; imports++)
> 		{
> 		  char * dllname = RVA_TO_PTR (imports->Name, section,
> 					       executable);
>
> +		  if (imports->Name < base || dllname >= base + real_size)
> +		    break;
> +

Shouldn't that "break" be "continue" instead?  IOW, shouldn't we try
all the other entries in the DLL import list?

From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 06 05:48:40 2015
Date: Mon, 06 Apr 2015 18:48:11 +0900 (Tokyo (Standard Time))
From: Koichi Arakawa
To: eliz@gnu.org
Cc: 20264@debbugs.gnu.org
Subject: Re: bug#20264: [PATCH] fix: w32_executable_type() causes a segmentation fault
Message-Id: <20150406.184811.1180773812210980075.arakawa@pp.iij4u.or.jp>
In-Reply-To: <83a8yllm54.fsf@gnu.org>

Eli Zaretskii wrote:
>> 	      for ( ; imports->Name; imports++)
>> 		{
>> 		  char * dllname = RVA_TO_PTR (imports->Name, section,
>> 					       executable);
>>
>> +		  if (imports->Name < base || dllname >= base + real_size)
>> +		    break;
>> +
>
> Shouldn't that "break" be "continue" instead?  IOW, shouldn't we try
> all the other entries in the DLL import list?

I apologize for insufficient research.  The *illegal* dllname actually
points to another section.  So the previous patch is wrong and it
should be as follows.

diff --git a/src/w32proc.c b/src/w32proc.c
index 7d982f8..5ae55ff 100644
--- a/src/w32proc.c
+++ b/src/w32proc.c
@@ -1625,6 +1625,7 @@ w32_executable_type (char * filename,
 	  for ( ; imports->Name; imports++)
 	    {
+	      section = rva_to_section (imports->Name, nt_header);
 	      char * dllname = RVA_TO_PTR (imports->Name, section,
 					   executable);

-- 
Koichi Arakawa

From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 06 06:30:17 2015
Date: Mon, 06 Apr 2015 13:30:11 +0300
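Review bot: the result of `rva_to_section (imports->Name, nt_header)` is handed straight to `RVA_TO_PTR` on the next line with no null check. If no section covers that RVA and `rva_to_section` reports this with a null return, the lookup that replaced the out-of-bounds read becomes a null-pointer dereference on the same kind of input, so a guard such as `if (section == NULL) continue;` belongs between the two lines. Two smaller points: `section` was previously set once from `import_dir.VirtualAddress` and is now overwritten on every iteration, so any later use of `section` that expected the import directory's section will instead see the section of the last name examined; and the string at `dllname` is still read without checking that a terminating NUL exists before the end of the section it was resolved into, so a name placed at the very end of a section can still be read past that section.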
From: Eli Zaretskii
To: Koichi Arakawa
Cc: 20264-done@debbugs.gnu.org
Subject: Re: bug#20264: [PATCH] fix: w32_executable_type() causes a segmentation fault
Message-id: <838ue5lfbg.fsf@gnu.org>
In-reply-to: <20150406.184811.1180773812210980075.arakawa@pp.iij4u.or.jp>

> Date: Mon, 06 Apr 2015 18:48:11 +0900 (Tokyo (Standard Time))
> Cc: 20264@debbugs.gnu.org
> From: Koichi Arakawa
>
> I apologize for insufficient research.  The *illegal* dllname actually
> points to another section.  So the previous patch is wrong and it
> should be as follows.

Thanks, I pushed it.

From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 06 13:05:36 2015
Date: Tue, 07 Apr 2015 02:04:58 +0900 (Tokyo (Standard Time))
Message-Id: <20150407.020458.737687437371003902.arakawa@pp.iij4u.or.jp>
To: eliz@gnu.org
Subject: Re: bug#20264: [PATCH] fix: w32_executable_type() causes a
 segmentation fault
From: Koichi Arakawa
Cc: 20264-done@debbugs.gnu.org
In-Reply-To: <838ue5lfbg.fsf@gnu.org>

Eli Zaretskii wrote:
>> I apologize for insufficient research.  The *illegal* dllname actually
>> points to another section.  So the previous patch is wrong and it
>> should be as follows.
>
> Thanks, I pushed it.

Thank you.  I think it works fine.

-- 
Koichi Arakawa

From unknown Sun Aug 17 04:16:13 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Tue, 05 May 2015 11:24:05 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
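The fix Eli pushed resolves each DLL name's RVA through its own section rather than through the section that holds the import directory. What follows is an added example written for this page, not code from Emacs or from the thread: a stand-alone PE import-directory walker in C that applies that idea end to end. Every RVA, both the descriptor table and each DLL name, is looked up in the section table and bounds-checked against that section's raw data before it is dereferenced; an RVA that no section covers is skipped rather than turned into a pointer, and a name with no terminating NUL before the end of its section is skipped as well. The image it parses is built in memory by `build_sample()`, a synthetic PE32 (not a real executable) whose descriptors include the other-section case from the thread, and the `cygwin` prefix test in `main()` stands in for whatever name test the real w32_executable_type makes; both are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Emacs code: a PE import-directory walker in which every RVA
   goes through the section table and is bounds-checked against that section's raw
   data before it is dereferenced.  Field offsets follow the PE/COFF layout. */
typedef struct {
    const uint8_t *data;  size_t len;
    uint32_t sec_off;  uint16_t nsections;     /* file offset of section table; count */
    uint32_t import_rva, import_size;          /* data directory entry 1 (imports) */
} pe_image;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Parse the DOS, COFF and optional headers.  0 on success, -1 otherwise. */
static int pe_open(pe_image *img, const uint8_t *data, size_t len)
{
    if (len < 0x40 || data[0] != 'M' || data[1] != 'Z') return -1;
    uint32_t nt = rd32(data + 0x3c);                                        /* e_lfanew */
    if (nt > len || len - nt < 24 || memcmp(data + nt, "PE\0\0", 4)) return -1;
    uint16_t nsec = rd16(data + nt + 6), opt_size = rd16(data + nt + 20);
    uint32_t opt = nt + 24;
    if (opt_size < 96 || opt_size > len - opt) return -1;
    uint32_t dd = opt + (rd16(data + opt) == 0x20b ? 112 : 96);   /* data dirs: +96 PE32, +112 PE32+ */
    if (dd + 16 > opt + opt_size || rd32(data + dd - 4) < 2) return -1;   /* NumberOfRvaAndSizes */
    *img = (pe_image){ data, len, opt + opt_size, nsec, rd32(data + dd + 8), rd32(data + dd + 12) };
    return (size_t)nsec * 40 > len - img->sec_off ? -1 : 0;
}

/* Resolve an RVA to a pointer into the file: it must lie inside some section's raw data
   with at least `need` bytes before that section ends (*avail gets the count).
   SizeOfRawData is the bound because it is what the file actually holds. */
static const uint8_t *pe_rva_to_ptr(const pe_image *img, uint32_t rva, size_t need, size_t *avail)
{
    for (uint16_t i = 0; i < img->nsections; i++) {
        const uint8_t *sh = img->data + img->sec_off + (size_t)i * 40;
        uint32_t va = rd32(sh + 12), raw_size = rd32(sh + 16), raw_off = rd32(sh + 20);
        if (rva < va || rva - va >= raw_size) continue;
        if (raw_off > img->len || raw_size > img->len - raw_off) return NULL;   /* truncated file */
        *avail = raw_size - (rva - va);
        return *avail < need ? NULL : img->data + raw_off + (rva - va);
    }
    return NULL;   /* no section covers the RVA: refuse rather than compute a wild pointer */
}

/* Collect imported DLL names (pointers into the image, each NUL-terminated inside its own
   section).  Returns the count, or -1 if the descriptor table itself is unreadable.  A
   descriptor whose name RVA no section covers, or whose string runs off the end of its
   section, is skipped; the walk ends at the all-zero terminator, the directory's declared
   size or the section end, whichever comes first. */
static int pe_import_dll_names(const pe_image *img, const char **out, int max)
{
    size_t avail, left;  int n = 0;
    const uint8_t *desc = img->import_rva ? pe_rva_to_ptr(img, img->import_rva, 20, &avail) : NULL;
    if (desc == NULL) return img->import_rva ? -1 : 0;
    if (img->import_size && img->import_size < avail) avail = img->import_size;
    for (; avail >= 20 && n < max; desc += 20, avail -= 20) {
        uint32_t name_rva = rd32(desc + 12);
        if (name_rva == 0 && rd32(desc) == 0 && rd32(desc + 16) == 0) break;   /* terminator */
        const uint8_t *name = pe_rva_to_ptr(img, name_rva, 1, &left);
        if (name == NULL || memchr(name, '\0', left) == NULL) continue;   /* skip, never fault */
        out[n++] = (const char *)name;
    }
    return n;
}

/* Constructed sample, not a real binary: a PE32 with .idata at RVA 0x1000 (file 0x200) and
   .rdata at RVA 0x2000 (file 0x400), 0x200 bytes each.  Its import descriptors name a string
   in .idata, one in .rdata (the other-section case from the thread), an unterminated string
   in the last 8 bytes of .rdata, and RVA 0x9000, which no section covers. */
enum { SAMPLE_LEN = 0x600 };  static uint8_t sample[SAMPLE_LEN];
static const uint8_t *build_sample(void)
{
    static const uint32_t name_rvas[] = { 0x1100, 0x2000, 0x21f8, 0x9000 };
    memset(sample, 0, sizeof sample);
    memcpy(sample, "MZ", 2);  wr32(sample + 0x3c, 0x40);  memcpy(sample + 0x40, "PE\0\0", 4);
    sample[0x46] = 2;  sample[0x54] = 0xe0;  sample[0x58] = 0x0b;  sample[0x59] = 0x01; /* 2 sections, PE32 */
    wr32(sample + 0x58 + 92, 16);                                            /* NumberOfRvaAndSizes */
    wr32(sample + 0x58 + 104, 0x1000);  wr32(sample + 0x58 + 108, 5 * 20);   /* import dir RVA, size */
    for (int s = 0; s < 2; s++) {                                            /* section headers at 0x138 */
        uint8_t *sh = sample + 0x138 + s * 40;
        memcpy(sh, s ? ".rdata" : ".idata", 6);
        wr32(sh + 8, 0x200);  wr32(sh + 12, 0x1000 * (s + 1));    /* VirtualSize, VirtualAddress */
        wr32(sh + 16, 0x200); wr32(sh + 20, 0x200 * (s + 1));     /* SizeOfRawData, PointerToRawData */
    }
    for (int i = 0; i < 4; i++) wr32(sample + 0x200 + i * 20 + 12, name_rvas[i]);   /* Name fields */
    memcpy(sample + 0x300, "KERNEL32.dll", 13);  memcpy(sample + 0x400, "cygwin1.dll", 12);
    memcpy(sample + 0x5f8, "ABCDEFGH", 8);                  /* reaches the end of .rdata with no NUL */
    return sample;
}

int main(void)
{
    pe_image img;  const char *names[8];
    int n = pe_open(&img, build_sample(), SAMPLE_LEN) == 0 ? pe_import_dll_names(&img, names, 8) : -1;
    for (int i = 0; i < n; i++)   /* the question w32_executable_type asks: is a cygwin DLL imported? */
        printf("%s%s\n", names[i], strncmp(names[i], "cygwin", 6) == 0 ? "  (cygwin)" : "");
    return n < 0;
}
```

Build with any C99 compiler and run it: it prints the two names it could resolve, `KERNEL32.dll` and `cygwin1.dll` (flagged), and silently drops the unterminated string and the RVA that lands in no section. The bound chosen in `pe_rva_to_ptr` matters: SizeOfRawData is what the file on disk actually contains, so it is the right limit for code reading file bytes the way the thread's function does; a reader walking an image the loader has already mapped would bound by VirtualSize instead, since the loader zero-fills the difference.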