GNU bug report logs - #24064
24.5; NULL pointer dereference in compute_motion(), indent.c

Previous Next

Full log

View this message in rfc822 format

From: Sergei Litvin <litvindev <at> gmail.com>
To: 24064 <at> debbugs.gnu.org
Subject: bug#24064: 24.5; NULL pointer dereference in compute_motion(), indent.c
Date: Tue, 26 Jul 2016 01:02:27 +0300

[Message part 1 (text/plain, inline)]

I've prepared an elisp file to reproduce a crash:

1) Open it and move cursor to the end of the file

2) Execute eval-buffer

3) Press C-l several times


Sergei Litvin


On 07/25/2016 07:24 PM, Eli Zaretskii wrote:
>> From: Sergei Litvin <litvindev <at> gmail.com>
>> Date: Mon, 25 Jul 2016 02:51:40 +0300
>>
>>
>> struct position *
>> compute_motion (ptrdiff_t from, ptrdiff_t frombyte, EMACS_INT fromvpos,
>> EMACS_INT fromhpos, bool did_motion, ptrdiff_t to,
>> EMACS_INT tovpos, EMACS_INT tohpos, EMACS_INT width,
>> ptrdiff_t hscroll, int tab_offset, struct window *win)
>> {
>>
>> ...
>>
>> if (dp == buffer_display_table ())
>> width_table = (VECTORP (BVAR (current_buffer, width_table))
>> ? XVECTOR (BVAR (current_buffer, width_table))->contents
>> : 0);
>> else
>> /* If the window has its own display table, we can't use the width
>> run cache, because that's based on the buffer's display table. */
>> width_table = 0; // initialize it with 0 (current buffer has no display table)
>>
>> ...
>>
>> if (width_cache)
>> {
>> /* Is this character part of the current run? If so, extend
>> the run. */
>> if (pos - 1 == width_run_end
>> && XFASTINT (width_table[c]) == width_run_width) // dereference width_table here, and crash
>> width_run_end = pos;
> Did you actually see such a crash, and if so, can you show a recipe
> for reproducing that?
>
> Thanks.

[emacs-crash.el (text/x-emacs-lisp, attachment)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.