From unknown Sun Aug 17 00:59:04 2025
Subject: bug#20264: [PATCH] fix: w32_executable_type() causes a segmentation fault
Resent-From: Koichi Arakawa
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Mon, 06 Apr 2015 03:25:02 +0000
X-GNU-PR-Message: report 20264
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch
To: 20264@debbugs.gnu.org
X-Debbugs-Original-To: bug-gnu-emacs@gnu.org
Date: Mon, 06 Apr 2015 12:23:23 +0900 (Tokyo (Standard Time))
Message-Id: <20150406.122323.240448317693586769.arakawa@pp.iij4u.or.jp>
From: Koichi Arakawa
X-Mailer: Mew version 6.6 on Emacs 25.0.50 / Mule 6.0 (HANACHIRUSATO)

Hi folks,

On Windows platform, w32_executable_type() in src/w32proc.c scans
'dllname' in an EXE file. But there are some strange EXE files where
'dllname' points to an illegal address, for example, Microsoft's Excel
(excel.exe) and PowerPoint (POWEPNT.EXE). w32_executable_type() causes
a segmentation fault for those files.

objdump in binutils seems to know those illegal pointers and discards
them (pe_print_idata() in bfd/peXXigen.c).

In the following patch, 'dllname' is checked to see whether it points to
the valid section's address space and is discarded when it's invalid.

Regards,
Koichi Arakawa

diff --git a/src/ChangeLog b/src/ChangeLog
index 1c3f933..a49fdf4 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2015-04-06  Koichi Arakawa
+
+	* w32proc.c (w32_executable_type): Check whether 'dllname' points
+	to the section's address space.
+
 2015-04-04  Jan Djärv
 
 	* xselect.c (x_reply_selection_request)
diff --git a/src/w32proc.c b/src/w32proc.c
index 7d982f8..d3d9405 100644
--- a/src/w32proc.c
+++ b/src/w32proc.c
@@ -1618,16 +1618,23 @@ w32_executable_type (char * filename,
 	      data_dir[IMAGE_DIRECTORY_ENTRY_IMPORT];
 	    IMAGE_IMPORT_DESCRIPTOR * imports;
 	    IMAGE_SECTION_HEADER * section;
+	    char * base;
+	    DWORD_PTR real_size;
 
 	    section = rva_to_section (import_dir.VirtualAddress, nt_header);
 	    imports = RVA_TO_PTR (import_dir.VirtualAddress, section, executable);
+	    base = RVA_TO_PTR (section->VirtualAddress, section, executable);
+	    real_size = max (section->SizeOfRawData, section->Misc.VirtualSize);
 
 	    for ( ; imports->Name; imports++)
 	      {
 		char * dllname = RVA_TO_PTR (imports->Name, section,
 					     executable);
 
+		if (imports->Name < base || dllname >= base + real_size)
+		  break;
+
 		/* The exact name of the cygwin dll has changed with
 		   various releases, but hopefully this will be reasonably
 		   future proof.  */
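Review bot: the ChangeLog hunk does not cite the bug it fixes; Emacs ChangeLog entries for bug fixes carry the report number, so the description should end with `(Bug#20264)`, i.e. `to the section's address space.  (Bug#20264)`. The wording is also more modest than the code it describes: the new check stops the import scan at the first entry that fails it rather than merely validating 'dllname', and that behaviour change belongs in the entry.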
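Review bot: in the w32proc.c hunk the guard `if (imports->Name < base || dllname >= base + real_size)` compares an RVA with a pointer: `imports->Name` is the name's relative virtual address inside the image, while `base` is the `char *` that `RVA_TO_PTR (section->VirtualAddress, section, executable)` returns, so the left-hand test compares an integer against a pointer and cannot detect a name that lies below the section. Test the RVA against the section's own range instead, `imports->Name < section->VirtualAddress || imports->Name >= section->VirtualAddress + real_size`, and do it before `RVA_TO_PTR` is called, since the existing `char * dllname = RVA_TO_PTR (...)` two lines up already computes the bad pointer and is only safe until it is dereferenced. Better still, because the name need not live in the same section as the import directory at all, resolve it with `rva_to_section (imports->Name, nt_header)` and reject the entry when no section contains it. Finally, `break` abandons the rest of the import list at the first odd entry, so a cygwin DLL imported later would never be seen; `continue` keeps the scan going.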
From unknown Sun Aug 17 00:59:04 2025
Subject: bug#20264: [PATCH] fix: w32_executable_type() causes a segmentation fault
Resent-From: Eli Zaretskii
Resent-Date: Mon, 06 Apr 2015 08:03:02 +0000
X-GNU-PR-Message: followup 20264
To: Koichi Arakawa
Cc: 20264@debbugs.gnu.org
Date: Mon, 06 Apr 2015 11:02:47 +0300
From: Eli Zaretskii
In-reply-to: <20150406.122323.240448317693586769.arakawa@pp.iij4u.or.jp>
Message-id: <83a8yllm54.fsf@gnu.org>

> Date: Mon, 06 Apr 2015 12:23:23 +0900 (Tokyo (Standard Time))
> From: Koichi Arakawa
>
> On Windows platform, w32_executable_type() in src/w32proc.c scans
> 'dllname' in an EXE file. But there are some strange EXE files where
> 'dllname' points to an illegal address, for example, Microsoft's Excel
> (excel.exe) and PowerPoint (POWEPNT.EXE). w32_executable_type() causes
> a segmentation fault for those files.
>
> objdump in binutils seems to know those illegal pointers and discards
> them (pe_print_idata() in bfd/peXXigen.c).
>
> In the following patch, 'dllname' is checked to see whether it points to
> the valid section's address space and is discarded when it's invalid.

Thanks.

>     for ( ; imports->Name; imports++)
>       {
>         char * dllname = RVA_TO_PTR (imports->Name, section,
>                                      executable);
>
> +       if (imports->Name < base || dllname >= base + real_size)
> +         break;
> +

Shouldn't that "break" be "continue" instead? IOW, shouldn't we try
all the other entries in the DLL import list?

From unknown Sun Aug 17 00:59:04 2025
Subject: bug#20264: [PATCH] fix: w32_executable_type() causes a segmentation fault
Resent-From: Koichi Arakawa
Resent-Date: Mon, 06 Apr 2015 09:49:01 +0000
X-GNU-PR-Message: followup 20264
To: eliz@gnu.org
Cc: 20264@debbugs.gnu.org
Date: Mon, 06 Apr 2015 18:48:11 +0900 (Tokyo (Standard Time))
Message-Id: <20150406.184811.1180773812210980075.arakawa@pp.iij4u.or.jp>
From: Koichi Arakawa
In-Reply-To: <83a8yllm54.fsf@gnu.org>
References: <20150406.122323.240448317693586769.arakawa@pp.iij4u.or.jp> <83a8yllm54.fsf@gnu.org>
X-Mailer: Mew version 6.6 on Emacs 25.0.50 / Mule 6.0 (HANACHIRUSATO)

Eli Zaretskii wrote:
>>     for ( ; imports->Name; imports++)
>>       {
>>         char * dllname = RVA_TO_PTR (imports->Name, section,
>>                                      executable);
>>
>> +       if (imports->Name < base || dllname >= base + real_size)
>> +         break;
>> +
>
> Shouldn't that "break" be "continue" instead? IOW, shouldn't we try
> all the other entries in the DLL import list?

I apologize for insufficient research. The *illegal* dllname actually
points to another section. So the previous patch is wrong and it
should be as follows.

diff --git a/src/w32proc.c b/src/w32proc.c
index 7d982f8..5ae55ff 100644
--- a/src/w32proc.c
+++ b/src/w32proc.c
@@ -1625,6 +1625,7 @@ w32_executable_type (char * filename,
 	    for ( ; imports->Name; imports++)
 	      {
+		section = rva_to_section (imports->Name, nt_header);
 		char * dllname = RVA_TO_PTR (imports->Name, section,
 					     executable);

--
Koichi Arakawa
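Review bot: the added `section = rva_to_section (imports->Name, nt_header);` feeds straight into `RVA_TO_PTR (imports->Name, section, executable)` with no check that a section was found; for the "illegal address" case this report opened with, a name RVA that lies inside no section at all, whatever `rva_to_section` returns for an unmapped RVA is used unchecked, so add a test such as `if (section == NULL) continue;` before `dllname` is computed, keeping the point already raised that one bad entry should not end the scan of the remaining imports. The assignment also silently changes what `section` means: above the hunk it was the import directory's section and `imports` was derived from it, and from here on it tracks each name instead; a one-line comment saying so would spare the next reader a double take.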
From unknown Sun Aug 17 00:59:04 2025
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Koichi Arakawa
Subject: bug#20264: closed (Re: bug#20264: [PATCH] fix: w32_executable_type() causes a segmentation fault)
References: <838ue5lfbg.fsf@gnu.org> <20150406.122323.240448317693586769.arakawa@pp.iij4u.or.jp>
X-Gnu-PR-Message: they-closed 20264
X-Gnu-PR-Package: emacs
X-Gnu-PR-Keywords: patch
Reply-To: 20264@debbugs.gnu.org
Date: Mon, 06 Apr 2015 10:31:02 +0000

Your bug report

#20264: [PATCH] fix: w32_executable_type() causes a segmentation fault

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 20264@debbugs.gnu.org.

-- 
20264: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=20264
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
Date: Mon, 06 Apr 2015 13:30:11 +0300
From: Eli Zaretskii
Subject: Re: bug#20264: [PATCH] fix: w32_executable_type() causes a segmentation fault
In-reply-to: <20150406.184811.1180773812210980075.arakawa@pp.iij4u.or.jp>
To: Koichi Arakawa
Cc: 20264-done@debbugs.gnu.org
Message-id: <838ue5lfbg.fsf@gnu.org>
References: <20150406.122323.240448317693586769.arakawa@pp.iij4u.or.jp> <83a8yllm54.fsf@gnu.org> <20150406.184811.1180773812210980075.arakawa@pp.iij4u.or.jp>

> Date: Mon, 06 Apr 2015 18:48:11 +0900 (Tokyo (Standard Time))
> Cc: 20264@debbugs.gnu.org
> From: Koichi Arakawa
>
> I apologize for insufficient research. The *illegal* dllname actually
> points to another section. So the previous patch is wrong and it
> should be as follows.

Thanks, I pushed it.

From unknown Sun Aug 17 00:59:04 2025
Subject: bug#20264: [PATCH] fix: w32_executable_type() causes a segmentation fault
Resent-From: Koichi Arakawa
Resent-Date: Mon, 06 Apr 2015 17:06:01 +0000
X-GNU-PR-Message: followup 20264
To: eliz@gnu.org
Cc: 20264-done@debbugs.gnu.org
Date: Tue, 07 Apr 2015 02:04:58 +0900 (Tokyo (Standard Time))
Message-Id: <20150407.020458.737687437371003902.arakawa@pp.iij4u.or.jp>
From: Koichi Arakawa
In-Reply-To: <838ue5lfbg.fsf@gnu.org>
References: <83a8yllm54.fsf@gnu.org> <20150406.184811.1180773812210980075.arakawa@pp.iij4u.or.jp> <838ue5lfbg.fsf@gnu.org>
X-Mailer: Mew version 6.6 on Emacs 25.0.50 / Mule 6.0 (HANACHIRUSATO)

Eli Zaretskii wrote:
>> I apologize for insufficient research. The *illegal* dllname actually
>> points to another section. So the previous patch is wrong and it
>> should be as follows.
>
> Thanks, I pushed it.

Thank you. I think it works fine.

--
Koichi Arakawa
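The crash this thread describes and the shape of the committed fix, as an added example that is not Emacs code and not part of the original thread: a walker over a PE import table that resolves every RVA against the section that contains it, the way the second patch does, instead of translating each DLL name through the import directory's section, the way the crashing code did. The struct layouts mirror IMAGE_SECTION_HEADER and IMAGE_IMPORT_DESCRIPTOR so the code builds without windows.h; the functions `rva_to_section`, `rva_to_offset` and `list_imports`, and the in-memory image (two sections, with the descriptor table in .idata and the name strings in .rdata, plus one deliberately unmapped name RVA) are all constructed here, and the assumption that Excel and PowerPoint are laid out this way is only an assumption. The example also goes one step beyond the pushed patch: an entry whose name lies in no section is skipped with `continue` rather than ending the scan, the behaviour Eli asked about, and `wrong_section_offset` shows the out-of-file offset the single-section translation produced.

```c
/* Added example, not Emacs code: walk a PE import table, resolving each RVA
   against the section that actually contains it.  Struct layouts mirror the
   Windows IMAGE_SECTION_HEADER / IMAGE_IMPORT_DESCRIPTOR; no windows.h needed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {                 /* IMAGE_SECTION_HEADER (40 bytes) */
  char Name[8];
  uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
  uint32_t PointerToRelocations, PointerToLinenumbers;
  uint16_t NumberOfRelocations, NumberOfLinenumbers;
  uint32_t Characteristics;
} SectionHeader;
typedef struct {                 /* IMAGE_IMPORT_DESCRIPTOR (20 bytes) */
  uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk;
} ImportDescriptor;              /* Name: RVA of the NUL-terminated DLL name */

/* Section whose range contains RVA, or NULL if none does; same
   max (SizeOfRawData, VirtualSize) rule as Emacs' rva_to_section.  */
static const SectionHeader *
rva_to_section (uint32_t rva, const SectionHeader *sec, size_t nsec)
{
  for (size_t i = 0; i < nsec; i++)
    {
      uint32_t real_size = sec[i].SizeOfRawData > sec[i].VirtualSize
                           ? sec[i].SizeOfRawData : sec[i].VirtualSize;
      if (rva >= sec[i].VirtualAddress && rva - sec[i].VirtualAddress < real_size)
        return &sec[i];
    }
  return NULL;
}

/* File offset of RVA translated through SEC (what RVA_TO_PTR computes).  Only
   meaningful when SEC contains RVA; the reported crash came from ignoring that. */
static size_t
rva_to_offset (uint32_t rva, const SectionHeader *sec)
{
  return (size_t) sec->PointerToRawData + (rva - sec->VirtualAddress);
}

/* Collect DLL names from the import directory at IMPORT_RVA.  Each name RVA is
   resolved against its own section; an entry whose name lies in no section, or
   is not NUL-terminated inside that section's raw data, is skipped, not treated
   as the end of the table.  Returns the number of names found.  */
static size_t
list_imports (const uint8_t *file, size_t file_size, const SectionHeader *secs,
              size_t nsec, uint32_t import_rva, const char **names, size_t max)
{
  const SectionHeader *dir = rva_to_section (import_rva, secs, nsec);
  size_t count = 0;
  if (dir == NULL) return 0;
  for (size_t off = rva_to_offset (import_rva, dir); ; off += sizeof (ImportDescriptor))
    {
      ImportDescriptor d;
      if (off + sizeof d > file_size) break;   /* table runs off the file */
      memcpy (&d, file + off, sizeof d);       /* alignment-safe read */
      if (d.Name == 0) break;                  /* all-zero terminator entry */
      const SectionHeader *sec = rva_to_section (d.Name, secs, nsec);
      if (sec == NULL) continue;               /* bogus RVA: skip, keep scanning */
      size_t noff = rva_to_offset (d.Name, sec);
      size_t end = (size_t) sec->PointerToRawData + sec->SizeOfRawData;
      if (end > file_size) end = file_size;
      if (noff >= end || memchr (file + noff, '\0', end - noff) == NULL)
        continue;                              /* name not terminated in-section */
      if (count < max) names[count] = (const char *) file + noff;
      count++;
    }
  return count;
}

/* Constructed image, not a real binary: descriptor table in .idata, names in
   .rdata (the layout this thread attributes to Excel/PowerPoint), plus one
   deliberately unmapped name RVA.  */
#define FILE_SIZE 0x500u
static uint8_t g_file[FILE_SIZE];
static const char *g_names[8];
static const SectionHeader g_secs[2] = {
  { ".idata", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0 },
  { ".rdata", 0x100, 0x3000, 0x100, 0x400, 0, 0, 0, 0, 0 },
};
static const ImportDescriptor g_table[4] = {
  { 0, 0, 0, 0x3000, 0 },   /* -> "KERNEL32.dll" in .rdata */
  { 0, 0, 0, 0x3010, 0 },   /* -> "cygwin1.dll"  in .rdata */
  { 0, 0, 0, 0x7000, 0 },   /* junk: RVA inside no section */
  { 0, 0, 0, 0, 0 },        /* terminator */
};

/* Number of imports the checked walk finds in the sample image.  */
size_t sample_import_count (void)
{
  memset (g_file, 0, sizeof g_file);
  memcpy (g_file + 0x200, g_table, sizeof g_table);
  memcpy (g_file + 0x400, "KERNEL32.dll", 13);
  memcpy (g_file + 0x410, "cygwin1.dll", 12);
  return list_imports (g_file, FILE_SIZE, g_secs, 2, 0x1000u, g_names, 8);
}
const char *sample_import_name (size_t i) { return g_names[i]; }

/* Offset the crashing code computed for the first name: an .rdata RVA pushed
   through the .idata header lands far past the end of the 0x500-byte file.  */
size_t wrong_section_offset (void) { return rva_to_offset (0x3000u, &g_secs[0]); }
```

`wrong_section_offset` is the pointer arithmetic the original `RVA_TO_PTR (imports->Name, section, executable)` performed with the import directory's section: for a name in another section it yields an offset beyond the mapped file, and dereferencing it is the segmentation fault. Note that the first patch's idea of rejecting names outside that one section would have thrown away these perfectly valid imports, while the per-RVA lookup accepts them and only skips the constructed junk entry.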