GNU bug report logs - #2370
23.0.90; decode-coding-region make emacs crash


Package: emacs;

Reported by: Hiroshi Fujishima <h-fujishima <at> sakura.ad.jp>

Date: Wed, 18 Feb 2009 03:45:03 UTC

Severity: normal

Done: Chong Yidong <cyd <at> stupidchicken.com>

Bug is archived. No further changes may be made.


Report forwarded to bug-submit-list <at> lists.donarmstrong.com, Emacs Bugs <bug-gnu-emacs <at> gnu.org>:
bug#2370; Package emacs. (Wed, 18 Feb 2009 03:45:03 GMT)

Acknowledgement sent to Hiroshi Fujishima <h-fujishima <at> sakura.ad.jp>:
New bug report received and forwarded. Copy sent to Emacs Bugs <bug-gnu-emacs <at> gnu.org>. (Wed, 18 Feb 2009 03:45:03 GMT)

Message #5 received at submit <at> emacsbugs.donarmstrong.com:

From: Hiroshi Fujishima <h-fujishima <at> sakura.ad.jp>
To: emacs-pretest-bug <at> gnu.org
Subject: 23.0.90; decode-coding-region make emacs crash
Date: Wed, 18 Feb 2009 12:39:57 +0900
Please describe exactly what actions triggered the bug
and the precise symptoms of the bug:

gunzip yyy.gz and eval following:

(with-temp-buffer
  (insert-file-contents-literally "~/yyy")
  (decode-coding-region (point-min) (point-max) 'undecided))

[yyy.gz (application/octet-stream, attachment)]
If Emacs crashed, and you have the Emacs process in the gdb debugger,
please include the output from the following gdb commands:
    `bt full' and `xbacktrace'.
If you would like to further debug the crash, please read the file
/usr/local/share/emacs/23.0.90/etc/DEBUG for instructions.

(gdb) bt full
#0  0x28ccba07 in kill () from /lib/libc.so.7
No symbol table info available.
#1  0x0811c7e4 in fatal_error_signal (sig=11) at emacs.c:403
No locals.
#2  <signal handler called>
No symbol table info available.
#3  Fdecode_coding_region (start=Cannot access memory at address 0xbf0a2329
) at coding.c:8639
No locals.
Previous frame inner to this frame (corrupt stack?)
(gdb) xbacktrace
"decode-coding-region" (0xbfbfe070)
"progn" (0xbfbfe134)
"unwind-protect" (0xbfbfe1d4)
"save-current-buffer" (0xbfbfe284)
"with-current-buffer" (0xbfbfe304)
"let" (0xbfbfe3e4)
"with-temp-buffer" (0xbfbfe464)
"eval" (0xbfbfe508)
"eval-last-sexp-1" (0xbfbfe634)
"eval-last-sexp" (0xbfbfe7b4)
"call-interactively" (0xbfbfe974)

In GNU Emacs 23.0.90.1 (i386-unknown-freebsd7.1, GTK+ Version 2.14.7)
 of 2009-02-16 on sea.sakura.ad.jp
Windowing system distributor `Colin Harrison', version 11.0.70400002
configured using `configure  '--without-freetype' '--without-xft''

Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: nil
  value of $LC_CTYPE: ja_JP.eucJP
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: nil
  value of $XMODIFIERS: nil
  locale-coding-system: japanese-iso-8bit-unix
  default-enable-multibyte-characters: t

Major mode: Group

Minor modes in effect:
  gnus-topic-mode: t
  gnus-undo-mode: t
  auto-insert-mode: t
  iswitchb-mode: t
  tooltip-mode: t
  tool-bar-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  global-auto-composition-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent input:
ESC x r e p o r <tab> <return>

Recent messages:
nnml: Reading incoming mail (3 new)...done
Reading active file via nnml...done
Generating the cache active file...done
No new newsgroups
Checking new news...done

Information forwarded to bug-submit-list <at> lists.donarmstrong.com, Emacs Bugs <bug-gnu-emacs <at> gnu.org>:
bug#2370; Package emacs. (Thu, 19 Feb 2009 00:25:08 GMT)

Acknowledgement sent to Chong Yidong <cyd <at> stupidchicken.com>:
Extra info received and forwarded to list. Copy sent to Emacs Bugs <bug-gnu-emacs <at> gnu.org>. (Thu, 19 Feb 2009 00:25:08 GMT)

Message #10 received at 2370 <at> emacsbugs.donarmstrong.com:

From: Chong Yidong <cyd <at> stupidchicken.com>
To: Kenichi Handa  <handa <at> m17n.org>
Cc: Hiroshi Fujishima <h-fujishima <at> sakura.ad.jp>,
        2370 <at> debbugs.gnu.org
Subject: Re: 23.0.90; decode-coding-region make emacs crash
Date: Wed, 18 Feb 2009 19:17:56 -0500
Hi Handa-san,

Please take a look at this bug:

http://debbugs.gnu.org/cgi/bugreport.cgi?bug=2370

The crash occurs because of memory corruption due to overwriting the
carryover buffer at line 6809 of coding.c.  For the sample provided by
the OP, (coding->src_bytes - coding->consumed) == 99.  This looks like a
bug in decode_coding_iso_2022.




Information forwarded to bug-submit-list <at> lists.donarmstrong.com, Emacs Bugs <bug-gnu-emacs <at> gnu.org>:
bug#2370; Package emacs. (Thu, 19 Feb 2009 02:50:03 GMT)

Acknowledgement sent to Kenichi Handa <handa <at> m17n.org>:
Extra info received and forwarded to list. Copy sent to Emacs Bugs <bug-gnu-emacs <at> gnu.org>. (Thu, 19 Feb 2009 02:50:03 GMT)

Message #15 received at 2370 <at> emacsbugs.donarmstrong.com:

From: Kenichi Handa <handa <at> m17n.org>
To: Chong Yidong <cyd <at> stupidchicken.com>
Cc: h-fujishima <at> sakura.ad.jp, 2370 <at> debbugs.gnu.org
Subject: Re: 23.0.90; decode-coding-region make emacs crash
Date: Thu, 19 Feb 2009 11:46:51 +0900
In article <87zlgjwa8b.fsf <at> cyd.mit.edu>, Chong Yidong <cyd <at> stupidchicken.com> writes:

> Hi Handa-san,
> Please take a look at this bug:

> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=2370

> The crash occurs because of memory corruption due to overwriting the
> carryover buffer at line 6809 of coding.c.  For the sample provided by
> the OP, (coding->src_bytes - coding->consumed) == 99.  This looks like a
> bug in decode_coding_iso_2022.

I found two bugs related to this problem, and just installed
a fix for one of them.  Now the above specific problem
should be fixed.  I'll keep on working to fix the other bug
to make the decoding more robust.

---
Kenichi Handa
handa <at> m17n.org




Information forwarded to bug-submit-list <at> lists.donarmstrong.com, Emacs Bugs <bug-gnu-emacs <at> gnu.org>:
bug#2370; Package emacs. (Thu, 19 Feb 2009 03:10:03 GMT)

Acknowledgement sent to Chong Yidong <cyd <at> stupidchicken.com>:
Extra info received and forwarded to list. Copy sent to Emacs Bugs <bug-gnu-emacs <at> gnu.org>. (Thu, 19 Feb 2009 03:10:04 GMT)

Message #20 received at 2370 <at> emacsbugs.donarmstrong.com:

From: Chong Yidong <cyd <at> stupidchicken.com>
To: Kenichi Handa <handa <at> m17n.org>
Cc: h-fujishima <at> sakura.ad.jp, 2370 <at> debbugs.gnu.org
Subject: Re: 23.0.90; decode-coding-region make emacs crash
Date: Wed, 18 Feb 2009 22:06:34 -0500
Kenichi Handa <handa <at> m17n.org> writes:

> I found two bugs related to this problem, and just installed
> a fix for one of them.  Now the above specific problem
> should be fixed.  I'll keep on working to fix the other bug
> to make the decoding more robust.

Thanks.  I think decode_coding should also verify the size of the
unprocessed bytes before writing them to coding->carryover.  This way,
future bugs of this sort will not cause memory corruption (which might
be a security concern).  What's your opinion?




Information forwarded to bug-submit-list <at> lists.donarmstrong.com, Emacs Bugs <bug-gnu-emacs <at> gnu.org>:
bug#2370; Package emacs. (Thu, 19 Feb 2009 04:00:04 GMT)

Acknowledgement sent to Kenichi Handa <handa <at> m17n.org>:
Extra info received and forwarded to list. Copy sent to Emacs Bugs <bug-gnu-emacs <at> gnu.org>. (Thu, 19 Feb 2009 04:00:04 GMT)

Message #25 received at 2370 <at> emacsbugs.donarmstrong.com:

From: Kenichi Handa <handa <at> m17n.org>
To: Chong Yidong <cyd <at> stupidchicken.com>
Cc: h-fujishima <at> sakura.ad.jp, 2370 <at> debbugs.gnu.org
Subject: Re: 23.0.90; decode-coding-region make emacs crash
Date: Thu, 19 Feb 2009 12:56:42 +0900
In article <87d4dfqg5h.fsf <at> cyd.mit.edu>, Chong Yidong <cyd <at> stupidchicken.com> writes:

> Kenichi Handa <handa <at> m17n.org> writes:
> > I found two bugs related to this problem, and just installed
> > a fix for one of them.  Now the above specific problem
> > should be fixed.  I'll keep on working to fix the other bug
> > to make the decoding more robust.

> Thanks.  I think decode_coding should also verify the size of the
> unprocessed bytes before writing them to coding->carryover.  This way,
> future bugs of this sort will not cause memory corruption (which might
> be a security concern).  What's your opinion?

Yes.  I'm going to add such a check.

But it doesn't solve the underlying problem of handling too
long (and wrong) composition sequence in iso-2022 decoding.
Solving it requires a little bit more time.

---
Kenichi Handa
handa <at> m17n.org
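The size check Chong Yidong proposes in message #20, and the overlong-composition-sequence failure mode Handa describes in message #25, in one simplified model. This is an added example, not code from Emacs's coding.c or from either author: the struct, the constant CARRYOVER_MAX, the stand-in decoder and the inputs are all assumptions chosen for illustration. The point is only the pattern: validate src_bytes - consumed against the buffer before memcpy, so a decoder that mis-reports what it consumed yields a decode error rather than a write past the end of carryover[].

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical carryover capacity; the real coding.c constant differs. */
#define CARRYOVER_MAX 64

/* Simplified stand-in for the decoder state; not Emacs's struct coding_system. */
struct toy_coding {
    const uint8_t *src;                 /* input handed to this decode call */
    size_t src_bytes;                   /* its length */
    size_t consumed;                    /* bytes the charset decoder says it used */
    uint8_t carryover[CARRYOVER_MAX];   /* unprocessed tail kept for the next call */
    size_t carryover_bytes;
};

/* Unchecked pattern: trusts the decoder's bookkeeping. When a decoder bug
 * leaves src_bytes - consumed larger than CARRYOVER_MAX, memcpy runs off the
 * end of carryover[], which is the corruption the report describes. Shown for
 * contrast only; never call it with an oversized tail. */
size_t save_carryover_unchecked(struct toy_coding *c)
{
    size_t rest = c->src_bytes - c->consumed;
    memcpy(c->carryover, c->src + c->consumed, rest);
    c->carryover_bytes = rest;
    return rest;
}

/* Hardened pattern: validate before touching the buffer. Returns 0 on
 * success, -1 if the bookkeeping is inconsistent or the tail does not fit.
 * On -1 nothing is written, so a decoder bug becomes a reportable error. */
int save_carryover_checked(struct toy_coding *c)
{
    if (c->consumed > c->src_bytes)      /* decoder over-reported consumption */
        return -1;
    size_t rest = c->src_bytes - c->consumed;
    if (rest > sizeof c->carryover)      /* tail cannot be carried over */
        return -1;
    memcpy(c->carryover, c->src + c->consumed, rest);
    c->carryover_bytes = rest;
    return 0;
}

/* Stand-in for the charset decoder, modelling the bug class from the report:
 * it refuses to consume anything from the first ESC (start of a hypothetical
 * composition sequence) onward, so an overlong sequence becomes an overlong
 * tail. Returns the number of bytes consumed. */
size_t toy_decode(const uint8_t *src, size_t n)
{
    size_t i = 0;
    while (i < n && src[i] != 0x1b)
        i++;
    return i;
}

/* One decode step: run the decoder, then stash the tail with the check.
 * Returns the tail length on success, -1 if the checked save refused. */
long decode_step(struct toy_coding *c, const uint8_t *src, size_t n)
{
    c->src = src;
    c->src_bytes = n;
    c->consumed = toy_decode(src, n);
    if (save_carryover_checked(c) < 0)
        return -1;
    return (long)c->carryover_bytes;
}

/* Constructed input (not the OP's yyy.gz): 6 plain bytes, then a 10-byte
 * ESC sequence. The tail fits, so it is carried over. */
long demo_short_tail(void)
{
    static uint8_t buf[16];
    struct toy_coding c;
    memset(&c, 0, sizeof c);
    memset(buf, 'A', sizeof buf);
    buf[6] = 0x1b;
    return decode_step(&c, buf, sizeof buf);   /* 10 */
}

/* Constructed input: 4 plain bytes, then a 99-byte ESC sequence, 99 being
 * the (src_bytes - consumed) Chong Yidong measured for the OP's sample.
 * With the check in place the save is refused instead of overflowing. */
long demo_long_tail(void)
{
    static uint8_t buf[4 + 99];
    struct toy_coding c;
    memset(&c, 0, sizeof c);
    memset(buf, 'A', sizeof buf);
    buf[4] = 0x1b;
    return decode_step(&c, buf, sizeof buf);   /* -1 */
}

/* Inconsistent bookkeeping (consumed > src_bytes) is also caught; in the
 * unchecked version the size_t subtraction would wrap to a huge length. */
long demo_overreported(void)
{
    static uint8_t buf[4];
    struct toy_coding c;
    memset(&c, 0, sizeof c);
    c.src = buf;
    c.src_bytes = sizeof buf;
    c.consumed = 5;
    return save_carryover_checked(&c);   /* -1 */
}
```

What to do on -1 (signal a decoding error for the region, or abort as an internal-consistency failure) is a design choice the thread leaves open; the essential property is that the decision is made before the copy, so no bug in a per-charset decoder can turn into an out-of-bounds write.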




Information forwarded to bug-submit-list <at> lists.donarmstrong.com, Emacs Bugs <bug-gnu-emacs <at> gnu.org>:
bug#2370; Package emacs. (Thu, 19 Feb 2009 04:20:04 GMT)

Acknowledgement sent to Eli Zaretskii <eliz <at> gnu.org>:
Extra info received and forwarded to list. Copy sent to Emacs Bugs <bug-gnu-emacs <at> gnu.org>. (Thu, 19 Feb 2009 04:20:04 GMT)

Message #30 received at 2370 <at> emacsbugs.donarmstrong.com:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Kenichi Handa <handa <at> m17n.org>, 2370 <at> debbugs.gnu.org
Cc: emacs-devel <at> gnu.org
Subject: Re: bug#2370: 23.0.90; decode-coding-region make emacs crash
Date: Thu, 19 Feb 2009 06:14:54 +0200
> From: Kenichi Handa <handa <at> m17n.org>
> Date: Thu, 19 Feb 2009 11:46:51 +0900
> Cc: h-fujishima <at> sakura.ad.jp, 2370 <at> emacsbugs.donarmstrong.com
> 
> I found two bugs related to this problem, and just installed
> a fix for one of them.  Now the above specific problem
> should be fixed.

Thanks.

Please be sure to mention the bug report number in the ChangeLog entry
for the change that fixes the bug.




bug closed, send any further explanations to Hiroshi Fujishima <h-fujishima <at> sakura.ad.jp> Request was from Chong Yidong <cyd <at> stupidchicken.com> to control <at> emacsbugs.donarmstrong.com. (Sat, 07 Mar 2009 04:05:12 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> emacsbugs.donarmstrong.com. (Sat, 04 Apr 2009 14:24:06 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.