From unknown Sun Jun 15 08:54:56 2025
Subject: bug#2370: 23.0.90; decode-coding-region make emacs crash
From: Hiroshi Fujishima
To: emacs-pretest-bug@gnu.org
Date: Wed, 18 Feb 2009 12:39:57 +0900
Message-ID: <86zlgks99u.fsf@sakura.ad.jp>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.90 (berkeley-unix)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=

Please describe exactly what actions triggered the bug
and the precise symptoms of the bug:

gunzip yyy.gz and eval following:

(with-temp-buffer
  (insert-file-contents-literally "~/yyy")
  (decode-coding-region (point-min) (point-max) 'undecided))

--=-=-=
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=yyy.gz
Content-Transfer-Encoding: base64

H4sICMKBm0kAA3l5eQCTVtFxMLXLVzVXTVZ1VvVQdVBVUy1WsVJUktZwKkpNys8vUZA2UFFTVObi
ktYH0kqq/oo2qp5AVeqqSqpZquGqOaoqqpYqOp46vuFAVVUIoCBNtNkAz4wBI4YAAAA=

--=-=-=

If Emacs crashed, and you have the Emacs process in the gdb debugger,
please include the output from the following gdb commands:
    `bt full' and `xbacktrace'.
If you would like to further debug the crash, please read the file
/usr/local/share/emacs/23.0.90/etc/DEBUG for instructions.

(gdb) bt full
#0 0x28ccba07 in kill () from /lib/libc.so.7
No symbol table info available.
#1 0x0811c7e4 in fatal_error_signal (sig=11) at emacs.c:403
No locals.
#2 No symbol table info available.
#3 Fdecode_coding_region (start=Cannot access memory at address 0xbf0a2329
) at coding.c:8639
No locals.
Previous frame inner to this frame (corrupt stack?)
(gdb) xbacktrace
"decode-coding-region" (0xbfbfe070)
"progn" (0xbfbfe134)
"unwind-protect" (0xbfbfe1d4)
"save-current-buffer" (0xbfbfe284)
"with-current-buffer" (0xbfbfe304)
"let" (0xbfbfe3e4)
"with-temp-buffer" (0xbfbfe464)
"eval" (0xbfbfe508)
"eval-last-sexp-1" (0xbfbfe634)
"eval-last-sexp" (0xbfbfe7b4)
"call-interactively" (0xbfbfe974)

In GNU Emacs 23.0.90.1 (i386-unknown-freebsd7.1, GTK+ Version 2.14.7)
 of 2009-02-16 on sea.sakura.ad.jp
Windowing system distributor `Colin Harrison', version 11.0.70400002
configured using `configure '--without-freetype' '--without-xft''

Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: nil
  value of $LC_CTYPE: ja_JP.eucJP
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: nil
  value of $XMODIFIERS: nil
  locale-coding-system: japanese-iso-8bit-unix
  default-enable-multibyte-characters: t

Major mode: Group

Minor modes in effect:
  gnus-topic-mode: t
  gnus-undo-mode: t
  auto-insert-mode: t
  iswitchb-mode: t
  tooltip-mode: t
  tool-bar-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  global-auto-composition-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent input:
ESC x r e p o r

Recent messages:
nnml: Reading incoming mail (3 new)...done
Reading active file via nnml...done
Generating the cache active file...done
No new newsgroups
Checking new news...done

--=-=-=--

From unknown Sun Jun 15 08:54:56 2025
From: Chong Yidong
To: Kenichi Handa
Cc: Hiroshi Fujishima, 2370@debbugs.gnu.org
Date: Wed, 18 Feb 2009 19:17:56 -0500
Message-ID: <87zlgjwa8b.fsf@cyd.mit.edu>

Hi Handa-san,

Please take a look at this bug:

http://debbugs.gnu.org/cgi/bugreport.cgi?bug=2370

The crash occurs because of memory corruption due to overwriting the
carrover buffer at line 6809 of coding.c. For the sample provided by
the OP, (coding->src_bytes - coding->consumed) == 99. This looks like a
bug in decode_coding_iso_2022.
From unknown Sun Jun 15 08:54:56 2025
From: Kenichi Handa
To: Chong Yidong
CC: h-fujishima@sakura.ad.jp, 2370@debbugs.gnu.org
In-reply-to: <87zlgjwa8b.fsf@cyd.mit.edu> (message from Chong Yidong on Wed, 18 Feb 2009 19:17:56 -0500)
References: <87zlgjwa8b.fsf@cyd.mit.edu>
Date: Thu, 19 Feb 2009 11:46:51 +0900

In article <87zlgjwa8b.fsf@cyd.mit.edu>, Chong Yidong writes:

> Hi Handa-san,

> Please take a look at this bug:

> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=2370

> The crash occurs because of memory corruption due to overwriting the
> carrover buffer at line 6809 of coding.c. For the sample provided by
> the OP, (coding->src_bytes - coding->consumed) == 99. This looks like a
> bug in decode_coding_iso_2022.

I found two bugs related to this problem, and just installed
a fix for one of them. Now the above specific problem
should be fixed. I'll keep on working to fix the other bug
to make the decoding more robust.

---
Kenichi Handa
handa@m17n.org

From unknown Sun Jun 15 08:54:56 2025
From: Chong Yidong
To: Kenichi Handa
Cc: h-fujishima@sakura.ad.jp, 2370@debbugs.gnu.org
References: <87zlgjwa8b.fsf@cyd.mit.edu>
Date: Wed, 18 Feb 2009 22:06:34 -0500
In-Reply-To: (Kenichi Handa's message of "Thu, 19 Feb 2009 11:46:51 +0900")
Message-ID: <87d4dfqg5h.fsf@cyd.mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.60 (gnu/linux)

Kenichi Handa writes:

> I found two bugs related to this problem, and just installed
> a fix for one of them. Now the above specific problem
> should be fixed. I'll keep on working to fix the other bug
> to make the decoding more robust.

Thanks. I think decode_coding should also verify the size of the
unprocessed bytes before writing them to coding->carrover. This way,
future bugs of this sort will not cause memory corruption (which might
be a security concern). What's your opinion?
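
[Added example, not part of any message in this thread and not code from the Emacs sources: a minimal C sketch of the size check proposed above, applied before unprocessed bytes are saved in a fixed-size carry-over buffer. The struct, the function names and the 64-byte capacity are assumptions; the 99-byte tail is the figure quoted in the thread.]

```c
#include <stddef.h>
#include <string.h>

#define CARRYOVER_MAX 64            /* assumed capacity, not taken from the thread */

struct decoder {                    /* hypothetical stand-in for the coding state */
    unsigned char carryover[CARRYOVER_MAX];
    size_t carryover_bytes;
    unsigned char canary[8];        /* neighbouring data an overflow would clobber */
};

enum stash_status { STASH_OK = 0, STASH_BAD_RANGE = -1, STASH_TOO_LONG = -2 };

/* Save the source bytes the decoder did not consume so the next call can
   resume from them.  The unchecked form is simply
       memcpy(d->carryover, src + consumed, src_bytes - consumed);
   which writes past the array whenever the decoder leaves more than
   CARRYOVER_MAX bytes unprocessed.  */
static enum stash_status
stash_carryover(struct decoder *d, const unsigned char *src,
                size_t src_bytes, size_t consumed)
{
    if (consumed > src_bytes)       /* would wrap the unsigned subtraction */
        return STASH_BAD_RANGE;
    size_t remaining = src_bytes - consumed;
    if (remaining > sizeof d->carryover) {
        d->carryover_bytes = 0;     /* fail closed: keep no partial state */
        return STASH_TOO_LONG;
    }
    memcpy(d->carryover, src + consumed, remaining);
    d->carryover_bytes = remaining;
    return STASH_OK;
}

/* Constructed scenario: 99 bytes left unprocessed, the figure quoted in
   the thread.  Returns 1 if the stash was refused and the canary survived. */
static int demo_oversized_tail(void)
{
    struct decoder d;
    unsigned char src[128];
    memset(&d, 0, sizeof d);
    memset(d.canary, 0xA5, sizeof d.canary);
    memset(src, 0x41, sizeof src);  /* filler bytes, not a real ISO-2022 stream */

    enum stash_status st = stash_carryover(&d, src, sizeof src, sizeof src - 99);
    for (size_t i = 0; i < sizeof d.canary; i++)
        if (d.canary[i] != 0xA5)
            return 0;
    return st == STASH_TOO_LONG && d.carryover_bytes == 0;
}

int main(void) { return demo_oversized_tail() ? 0 : 1; }
```
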
From unknown Sun Jun 15 08:54:56 2025
From: Kenichi Handa
To: Chong Yidong
CC: h-fujishima@sakura.ad.jp, 2370@debbugs.gnu.org
In-reply-to: <87d4dfqg5h.fsf@cyd.mit.edu> (message from Chong Yidong on Wed, 18 Feb 2009 22:06:34 -0500)
References: <87zlgjwa8b.fsf@cyd.mit.edu> <87d4dfqg5h.fsf@cyd.mit.edu>
Date: Thu, 19 Feb 2009 12:56:42 +0900

In article <87d4dfqg5h.fsf@cyd.mit.edu>, Chong Yidong writes:

> Kenichi Handa writes:

> > I found two bugs related to this problem, and just installed
> > a fix for one of them. Now the above specific problem
> > should be fixed. I'll keep on working to fix the other bug
> > to make the decoding more robust.

> Thanks. I think decode_coding should also verify the size of the
> unprocessed bytes before writing them to coding->carrover. This way,
> future bugs of this sort will not cause memory corruption (which might
> be a security concern). What's your opinion?

Yes. I'm going to add such a check. But it doesn't solve
the underlying problem of handling too long (and wrong)
composition sequence in iso-2022 decoding. Solving it
requires a little bit more time.

---
Kenichi Handa
handa@m17n.org

From unknown Sun Jun 15 08:54:56 2025
Date: Thu, 19 Feb 2009 06:14:54 +0200
From: Eli Zaretskii
To: Kenichi Handa, 2370@debbugs.gnu.org
Cc: emacs-devel@gnu.org
References: <87zlgjwa8b.fsf@cyd.mit.edu>

> From: Kenichi Handa
> Date: Thu, 19 Feb 2009 11:46:51 +0900
> Cc: h-fujishima@sakura.ad.jp, 2370@emacsbugs.donarmstrong.com
>
> I found two bugs related to this problem, and just installed
> a fix for one of them. Now the above specific problem
> should be fixed.

Thanks.

Please be sure to mention the bug report number in the ChangeLog entry
for the change that fixes the bug.

From cyd@stupidchicken.com Fri Mar 6 20:00:20 2009
From: Chong Yidong
To: control@debbugs.gnu.org
Subject: close 2370
Date: Fri, 06 Mar 2009 23:01:28 -0500
Message-ID: <87bpsenfqf.fsf@cyd.mit.edu>

close 2370
thanks