From unknown Fri Jun 20 20:12:41 2025
Subject: bug#23482: 24.4; stack buffer overflow in x-send-client-message
To: 23482@debbugs.gnu.org
X-Debbugs-Original-To: bug-gnu-emacs@gnu.org
From: Kalle Olavi Niemitalo
Date: Sun, 08 May 2016 15:27:34 +0300
Message-ID: <87r3dcenux.fsf@Niukka.kon.iki.fi>

Start emacs -Q in X, copy the following form to the *scratch* buffer,
and press C-j to evaluate it.  The process then crashes and glibc
reports "stack smashing detected".

  (x-send-client-message nil nil nil "foo" 32 (make-list 100 0))

Although the docstring of x-send-client-message claims that excessive
values are ignored, they are actually copied to the event.xclient.data
buffer.  This bug was caused in February 2004 when Fx_send_client_event
was moved from xfns.c to xselect.c and the x_fill_property_data
function was added.

This does not seem a security vulnerability though, because Emacs fully
trusts Emacs Lisp code, and if some Emacs Lisp code sends client
messages based on untrusted data, then that's already a bug of its own.

In my fork, I fixed this by adding a nelements_max parameter to
x_fill_property_data.
In GNU Emacs 24.4.1 (x86_64-pc-linux-gnu, GTK+ Version 3.14.5)
 of 2015-03-07 on trouble, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11604000
System Description:	Debian GNU/Linux 8.4 (jessie)

Configured using:
 `configure --build x86_64-linux-gnu --prefix=/usr --sharedstatedir=/var/lib --libexecdir=/usr/lib --localstatedir=/var/lib --infodir=/usr/share/info --mandir=/usr/share/man --with-pop=yes --enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.4/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.4/site-lisp:/usr/share/emacs/site-lisp --build x86_64-linux-gnu --prefix=/usr --sharedstatedir=/var/lib --libexecdir=/usr/lib --localstatedir=/var/lib --infodir=/usr/share/info --mandir=/usr/share/man --with-pop=yes --enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.4/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.4/site-lisp:/usr/share/emacs/site-lisp --with-x=yes --with-x-toolkit=gtk3 --with-toolkit-scroll-bars 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall' CPPFLAGS=-D_FORTIFY_SOURCE=2 LDFLAGS=-Wl,-z,relro'

Important settings:
  value of $LANG: fi_FI.utf8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent input:
M-x r e p o r t SPC e m a c s SPC b u g

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Load-path shadows:
None found.
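Added example, not code from the bug report or from Emacs: a C model of the bound that the fix introduces. ClientData mirrors the data union of Xlib's XClientMessageEvent; FakeEvent, fill_property_data, client_data_capacity, overflow_bytes and send_client_message_bounded are assumed stand-ins for the Emacs functions the thread discusses. It reproduces the report's case (100 values, format 32): the capacity is 5 * 32 / format, the unbounded copy would have written far past the event, and the bounded fill stores at most the capacity and leaves a canary after the event untouched.

```c
/* Model of bug#23482: an X client message carries a fixed 20-byte payload,
   but the pre-patch copy loop wrote every element of the Lisp list into it. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the data union of Xlib's XClientMessageEvent. */
typedef union {
  char  b[20];
  short s[10];
  long  l[5];
} ClientData;

/* Constructed stand-in for the event on the stack: payload followed by a
   canary, so a write past the payload would show up as a changed canary. */
typedef struct {
  ClientData data;
  unsigned long canary;
} FakeEvent;

#define CANARY_VALUE 0x5AFE5AFEUL

/* Number of FORMAT-width values the 20-byte payload holds: 20, 10 or 5.
   Equivalent to the patch's 5 * 32 / format.  Returns 0 for a FORMAT the
   X protocol does not define (the real function rejects those earlier). */
size_t client_data_capacity (int format)
{
  if (format != 8 && format != 16 && format != 32)
    return 0;
  return sizeof (((ClientData *) 0)->b) * 8 / (size_t) format;
}

/* Bytes the unbounded (pre-patch) loop writes for NVALUES values of FORMAT
   that land beyond the end of the event's data union.  Format 32 is stored
   as C long, exactly as the Emacs code does, so the overrun is larger on
   64-bit hosts. */
size_t overflow_bytes (size_t nvalues, int format)
{
  size_t width = (format == 32) ? sizeof (long) : (size_t) format / 8;
  size_t written = nvalues * width;
  return written > sizeof (ClientData) ? written - sizeof (ClientData) : 0;
}

/* The patched behaviour: copy at most NELEMENTS_MAX values from VALUES (an
   array standing in for the Lisp list) into RET.  Returns the count stored;
   anything beyond it is silently ignored, as the docstring promises. */
size_t fill_property_data (const long *values, size_t nvalues,
                           ClientData *ret, size_t nelements_max, int format)
{
  size_t n;
  /* Clear the largest member, i.e. the whole union, so no stale stack
     bytes are sent when the list is shorter than the payload. */
  memset (ret->l, 0, sizeof ret->l);
  for (n = 0; n < nvalues && n < nelements_max; n++)
    {
      if (format == 32)
        ret->l[n] = values[n];
      else if (format == 16)
        ret->s[n] = (short) values[n];
      else
        ret->b[n] = (char) values[n];
    }
  return n;
}

/* Sends NVALUES zeros with FORMAT through the bounded fill, like
   (x-send-client-message nil nil nil "foo" 32 (make-list 100 0)).
   Returns the number of values stored, or 0 if FORMAT is invalid or the
   canary after the payload was clobbered. */
size_t send_client_message_bounded (int format, size_t nvalues)
{
  FakeEvent ev;
  long values[100] = { 0 };        /* constructed input: (make-list 100 0) */
  size_t capacity = client_data_capacity (format);
  size_t stored;

  if (capacity == 0)
    return 0;
  if (nvalues > sizeof values / sizeof values[0])
    nvalues = sizeof values / sizeof values[0];
  ev.canary = CANARY_VALUE;
  stored = fill_property_data (values, nvalues, &ev.data, capacity, format);
  return ev.canary == CANARY_VALUE ? stored : 0;
}

int main (void)
{
  int formats[] = { 8, 16, 32 };
  size_t i;
  for (i = 0; i < sizeof formats / sizeof formats[0]; i++)
    printf ("format %2d: capacity %2zu; unbounded copy of 100 values overruns "
            "the event by %zu bytes; bounded fill stores %zu\n",
            formats[i], client_data_capacity (formats[i]),
            overflow_bytes (100, formats[i]),
            send_client_message_bounded (formats[i], 100));
  return 0;
}
```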
From unknown Fri Jun 20 20:12:41 2025
Subject: bug#23482: [PATCH 22.1] Fix buffer overflow in x-send-client-message (Bug#23482).
From: Kalle Olavi Niemitalo
Date: Tue, 10 May 2016 08:43:07 +0300
In-Reply-To: <87r3dcenux.fsf@Niukka.kon.iki.fi>
Message-ID: <87a8jyeadw.fsf@Niukka.kon.iki.fi>

The docstring already said that excessive values are ignored,
but they instead overflowed the buffer.

This does not seem a security vulnerability though, because Emacs fully
trusts Emacs Lisp code, and if some Emacs Lisp code sends client
messages based on untrusted data, then that's already a bug of its own.

2016-05-08  Kalle Olavi Niemitalo

	* xselect.c (x_fill_property_data): Add parameter NELEMENTS_MAX.
	* xterm.h (x_fill_property_data): Update prototype.
	* xselect.c (Fx_send_client_event): Update call.  This fixes
	a buffer overflow in event.xclient.data.
	* xfns.c (Fx_change_window_property): Update call.
---
This patch is for Emacs 22.1 and includes the prominent notices
required by clause 2a of GPLv2.  I do not intend to assign copyright
to the FSF.

In Emacs 22.1, Fx_send_client_event has other bugs that this patch
does not fix.  It should clear event.xclient.data.l rather than
event.xclient.data.b, and the mask 0xffff in events sent to the root
window does not include the SubstructureNotify and SubstructureRedirect
bits required by "Extended Window Manager Hints" version 1.1.
Date: Sun, 8 May 2016 11:33:44 +0300 src/xfns.c | 5 ++++- src/xselect.c | 17 +++++++++++++---- src/xterm.h | 3 +++ 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/src/xfns.c b/src/xfns.c index d269dfb..00e28db 100644 --- a/src/xfns.c +++ b/src/xfns.c @@ -19,6 +19,8 @@ along with GNU Emacs; see the file COPYING. If not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ +/* Modified on 2016-05-08 by Kalle Olavi Niemitalo. */ + #include #include #include @@ -4255,7 +4257,8 @@ Value is VALUE. */) converts to 32 bits before sending to the X server. */ data = (unsigned char *) xmalloc (nelements * sizeof(long)); - x_fill_property_data (FRAME_X_DISPLAY (f), value, data, element_format); + x_fill_property_data (FRAME_X_DISPLAY (f), value, data, nelements, + element_format); } else { diff --git a/src/xselect.c b/src/xselect.c index 3fe109a..5d4ef9c 100644 --- a/src/xselect.c +++ b/src/xselect.c @@ -21,6 +21,7 @@ Boston, MA 02110-1301, USA. */ /* Rewritten by jwz */ +/* Modified on 2016-05-08 by Kalle Olavi Niemitalo. */ #include #include /* termhooks.h needs this */ 
@@ -2526,27 +2527,32 @@ x_check_property_data (data) DPY is the display use to look up X atoms. DATA is a Lisp list of values to be converted. - RET is the C array that contains the converted values. It is assumed - it is big enough to hold all values. + RET is the C array that contains the converted values. + NELEMENTS_MAX is the number of values that will fit in RET. + Any excess values in DATA are ignored. FORMAT is 8, 16 or 32 and denotes char/short/long for each C value to be stored in RET. Note that long is used for 32 even if long is more than 32 bits (see man pages for XChangeProperty, XGetWindowProperty and XClientMessageEvent). */ void -x_fill_property_data (dpy, data, ret, format) +x_fill_property_data (dpy, data, ret, nelements_max, format) Display *dpy; Lisp_Object data; void *ret; + int nelements_max; int format; { long val; long *d32 = (long *) ret; short *d16 = (short *) ret; char *d08 = (char *) ret; + int nelements; Lisp_Object iter; - for (iter = data; CONSP (iter); iter = XCDR (iter)) + for (iter = data, nelements = 0; + CONSP (iter) && nelements < nelements_max; + iter = XCDR (iter), nelements++) { Lisp_Object o = XCAR (iter); @@ -2883,7 +2889,10 @@ are ignored. */) memset (event.xclient.data.b, 0, sizeof (event.xclient.data.b)); + + /* event.xclient.data can hold 20 chars, 10 shorts, or 5 longs. */ x_fill_property_data (dpyinfo->display, values, event.xclient.data.b, + 5 * 32 / event.xclient.format, event.xclient.format); /* If event mask is 0 the event is sent to the client that created diff --git a/src/xterm.h b/src/xterm.h index 13b0b49..968ead7 100644 --- a/src/xterm.h +++ b/src/xterm.h @@ -19,6 +19,8 @@ along with GNU Emacs; see the file COPYING. If not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ +/* Modified on 2016-05-08 by Kalle Olavi Niemitalo. */ + #include #include 
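Review bot: in the x_fill_property_data hunk, the new loop condition stops silently once nelements reaches nelements_max, and nothing tells the caller that part of DATA was dropped; since the function is void, consider returning nelements so Fx_send_client_event and Fx_change_window_property can notice a list that was cut short, or at least say in the header comment that the truncation is silent. The comment change itself is right: it removes the "assumed big enough" wording that documented the overflow.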
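Review bot: in the x_send_client_event hunk, the bound 5 * 32 / event.xclient.format is a magic number that is only correct because format has been validated as 8, 16 or 32 earlier in the function (not visible in this hunk); any other value would give the wrong capacity and 0 would divide by zero. Deriving it from the buffer, e.g. sizeof (event.xclient.data.b) * 8 / event.xclient.format, keeps the new comment ("20 chars, 10 shorts, or 5 longs") and the code in agreement without the literal. The context line memset (event.xclient.data.b, ...) is the other defect the cover text mentions (data.l can be larger than data.b), which this patch deliberately leaves as is.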
@@ -1032,6 +1034,7 @@ extern int x_check_property_data P_ ((Lisp_Object)); extern void x_fill_property_data P_ ((Display *, Lisp_Object, void *, + int, int)); extern Lisp_Object x_property_data_to_lisp P_ ((struct frame *, unsigned char *, -- 2.1.4

From debbugs-submit-bounces@debbugs.gnu.org Sun Jan 19 06:50:21 2020
Date: Sun, 19 Jan 2020 12:50:09 +0100
To: control@debbugs.gnu.org
From: Stefan Kangas
Subject: control message for bug #23482

tags 23482 + patch
quit

From unknown Fri Jun 20 20:12:41 2025
Subject: bug#23482: [PATCH 22.1] Fix buffer overflow in x-send-client-message (Bug#23482).
From: Lars Ingebrigtsen
To: Kalle Olavi Niemitalo
Cc: 23482@debbugs.gnu.org
Date: Tue, 11 Aug 2020 17:34:05 +0200
In-Reply-To: <87a8jyeadw.fsf@Niukka.kon.iki.fi>
References: <87r3dcenux.fsf@Niukka.kon.iki.fi> <87a8jyeadw.fsf@Niukka.kon.iki.fi>
Message-ID: <87y2mlryc2.fsf@gnus.org>

Kalle Olavi Niemitalo writes:

> The docstring already said that excessive values are ignored,
> but they instead overflowed the buffer.
>
> This does not seem a security vulnerability though, because Emacs fully
> trusts Emacs Lisp code, and if some Emacs Lisp code sends client
> messages based on untrusted data, then that's already a bug of its own.
>
> 2016-05-08  Kalle Olavi Niemitalo
>
> 	* xselect.c (x_fill_property_data): Add parameter NELEMENTS_MAX.
> 	* xterm.h (x_fill_property_data): Update prototype.
> 	* xselect.c (Fx_send_client_event): Update call.  This fixes
> 	a buffer overflow in event.xclient.data.
> 	* xfns.c (Fx_change_window_property): Update call.

Sorry; it doesn't seem like you got a response to this patch at the
time.

To recap: The following will crash Emacs, so don't eval it:

  (x-send-client-message nil nil nil "foo" 32 (make-list 100 0))

I can confirm that this problem is still present in Emacs 28, and that
Kalle's patch fixes it.  It looks pretty straight-forward, but does
anybody have any comments here?  I've included the re-spun patch for
Emacs 28 below.

> This patch is for Emacs 22.1 and includes the prominent notices
> required by clause 2a of GPLv2.

I'm not sure what that means?

> I do not intend to assign copyright to the FSF.

It's less than ten lines, so that shouldn't be necessary.

diff --git a/src/xfns.c b/src/xfns.c index 09dcbbfb92..0203c1324f 100644 --- a/src/xfns.c +++ b/src/xfns.c @@ -5890,7 +5890,8 @@ DEFUN ("x-change-window-property", Fx_change_window_property, elsize = element_format == 32 ? sizeof (long) : element_format >> 3; data = xnmalloc (nelements, elsize); - x_fill_property_data (FRAME_X_DISPLAY (f), value, data, element_format); + x_fill_property_data (FRAME_X_DISPLAY (f), value, data, nelements, + element_format); } else { diff --git a/src/xselect.c b/src/xselect.c index 48d6215a7b..5234bccbd9 100644 --- a/src/xselect.c +++ b/src/xselect.c
@@ -2276,23 +2276,28 @@ x_check_property_data (Lisp_Object data) DPY is the display use to look up X atoms. DATA is a Lisp list of values to be converted. - RET is the C array that contains the converted values. It is assumed - it is big enough to hold all values. + RET is the C array that contains the converted values. + NELEMENTS_MAX is the number of values that will fit in RET. + Any excess values in DATA are ignored. FORMAT is 8, 16 or 32 and denotes char/short/long for each C value to be stored in RET. Note that long is used for 32 even if long is more than 32 bits (see man pages for XChangeProperty, XGetWindowProperty and XClientMessageEvent). */ void -x_fill_property_data (Display *dpy, Lisp_Object data, void *ret, int format) +x_fill_property_data (Display *dpy, Lisp_Object data, void *ret, + int nelements_max, int format) { unsigned long val; unsigned long *d32 = (unsigned long *) ret; unsigned short *d16 = (unsigned short *) ret; unsigned char *d08 = (unsigned char *) ret; + int nelements; Lisp_Object iter; - for (iter = data; CONSP (iter); iter = XCDR (iter)) + for (iter = data, nelements = 0; + CONSP (iter) && nelements < nelements_max; + iter = XCDR (iter), nelements++) { Lisp_Object o = XCAR (iter); @@ -2593,7 +2598,9 @@ x_send_client_event (Lisp_Object display, Lisp_Object dest, Lisp_Object from, event.xclient.window = to_root ? FRAME_OUTER_WINDOW (f) : wdest; memset (event.xclient.data.l, 0, sizeof (event.xclient.data.l)); + /* event.xclient.data can hold 20 chars, 10 shorts, or 5 longs. */ x_fill_property_data (dpyinfo->display, values, event.xclient.data.b, + 5 * 32 / event.xclient.format, event.xclient.format); /* If event mask is 0 the event is sent to the client that created diff --git a/src/xterm.h b/src/xterm.h index bc10043c54..db8d584781 100644 --- a/src/xterm.h +++ b/src/xterm.h 
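Review bot: in the x_fill_property_data hunk, nelements_max is declared int, while the xfns.c caller passes its nelements, whose type this patch does not show; if that count is wider than int (ptrdiff_t, say), a very long list narrows to an arbitrary or even negative bound, which cannot overflow the buffer (a negative bound stores nothing) but silently produces a truncated property. Declaring nelements_max and nelements as ptrdiff_t avoids the narrowing, and returning the count stored instead of void would let callers detect that DATA was cut short.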
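Review bot: in the x_send_client_event hunk, 5 * 32 / event.xclient.format relies on format having been checked to be 8, 16 or 32 earlier in the function (the check is not in this hunk; any other value miscomputes the bound and 0 divides by zero). Deriving the bound from the buffer, e.g. sizeof (event.xclient.data.b) * 8 / event.xclient.format, drops the literal and keeps the comment ("20 chars, 10 shorts, or 5 longs") and the code in step. The memset on event.xclient.data.l in the context line already clears the whole union, so the data.b concern from the 22.1 cover text does not apply to this version.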
@@ -1207,6 +1207,7 @@ x_mutable_colormap (Visual *visual) extern void x_fill_property_data (Display *, Lisp_Object, void *, + int, int); extern Lisp_Object x_property_data_to_lisp (struct frame *, const unsigned char *, --

(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From debbugs-submit-bounces@debbugs.gnu.org Tue Aug 11 11:34:37 2020
Date: Tue, 11 Aug 2020 17:34:26 +0200
Message-Id: <87wo25rybh.fsf@gnus.org>
To: control@debbugs.gnu.org
From: Lars Ingebrigtsen
Subject: control message for bug #23482

tags 23482 + confirmed
quit

From unknown Fri Jun 20 20:12:41 2025
Subject: bug#23482: [PATCH 22.1] Fix buffer overflow in x-send-client-message (Bug#23482).
From: Kalle Olavi Niemitalo
To: Lars Ingebrigtsen
Cc: 23482@debbugs.gnu.org
Date: Tue, 18 Aug 2020 10:13:46 +0300
In-Reply-To: <87y2mlryc2.fsf@gnus.org>
References: <87r3dcenux.fsf@Niukka.kon.iki.fi> <87a8jyeadw.fsf@Niukka.kon.iki.fi> <87y2mlryc2.fsf@gnus.org>
Message-ID: <87mu2s5sut.fsf@Niukka.kon.iki.fi>

Lars Ingebrigtsen writes:

> Kalle Olavi Niemitalo writes:
>
>> This patch is for Emacs 22.1 and includes the prominent notices
>> required by clause 2a of GPLv2.
>
> I'm not sure what that means?

The paragraph refers to this comment, which I added to the
"modified files" src/xterm.h and src/xselect.c in my fork and
included in the patch:

/* Modified on 2016-05-08 by Kalle Olavi Niemitalo. */

From unknown Fri Jun 20 20:12:41 2025
Subject: bug#23482: [PATCH 22.1] Fix buffer overflow in x-send-client-message (Bug#23482).
From: Lars Ingebrigtsen
Date: Tue, 18 Aug 2020 17:01:14 +0200
In-Reply-To: <87mu2s5sut.fsf@Niukka.kon.iki.fi> (Kalle Olavi Niemitalo's message of "Tue, 18 Aug 2020 10:13:46 +0300")
Message-ID: <871rk4j8w5.fsf@gnus.org>

Kalle Olavi Niemitalo writes:

>>> This patch is for Emacs 22.1 and includes the prominent notices
>>> required by clause 2a of GPLv2.
>>
>> I'm not sure what that means?
>
> The paragraph refers to this comment, which I added to the
> "modified files" src/xterm.h and src/xselect.c in my fork and
> included in the patch:
>
> /* Modified on 2016-05-08 by Kalle Olavi Niemitalo. */

OK, I see. Anyway, thanks for the patch, I'm applying it to Emacs 28.

--
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From debbugs-submit-bounces@debbugs.gnu.org Tue Aug 18 11:05:26 2020
Date: Tue, 18 Aug 2020 17:05:15 +0200
Message-Id: <87zh6shu50.fsf@gnus.org>
To: control@debbugs.gnu.org
From: Lars Ingebrigtsen
Subject: control message for bug #23482

tags 23482 fixed
close 23482 28.1
quit