GNU bug report logs - #24064
24.5; NULL pointer dereference in compute_motion(), indent.c

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Sergei Litvin <litvindev <at> gmail.com>
Subject: bug#24064: closed (Re: bug#24064: 24.5; NULL pointer dereference
 in compute_motion(), indent.c)
Date: Tue, 26 Jul 2016 15:36:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#24064: 24.5; NULL pointer dereference in compute_motion(), indent.c

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 24064 <at> debbugs.gnu.org.

-- 
24064: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=24064
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Eli Zaretskii <eliz <at> gnu.org>
To: Clément Pit--Claudel <clement.pit <at> gmail.com>
Cc: 24064-done <at> debbugs.gnu.org, npostavs <at> users.sourceforge.net
Subject: Re: bug#24064: 24.5;
 NULL pointer dereference in compute_motion(), indent.c
Date: Tue, 26 Jul 2016 18:35:07 +0300

> From: Clément Pit--Claudel <clement.pit <at> gmail.com>
> Date: Mon, 25 Jul 2016 22:49:35 -0400
> Cc: 24064 <at> debbugs.gnu.org
> 
> >>> I've prepared an elisp file to reproduce a crash:
> >>>
> >>> 1) Open it and move cursor to the end of the file
> >>> 2) Execute eval-buffer
> >>> 3) Press C-l several times
> >>
> >> Running this recipe does not cause a crash for me in GNU Emacs 25.1.50.7 (x86_64-pc-linux-gnu, GTK+ Version 3.18.9) of 2016-07-20.  Am I missing something?
> > 
> > It crashes for me on 24.5, but not on 25.0.95.  Perhaps it was fixed?
> 
> Indeed, same here. Crashes on 24.5, but not 25.

C-l (a.k.a. "recenter") no longer calls compute_motion in Emacs 25, so
to trigger the segfault, the recipe should be changed like this:

 1) Open it and move cursor to the end of the file
 2) Execute eval-buffer
 3) Type "M-x set-variable RET scroll-preserve-screen-position RET t RET"
 4) Type "C-u 1 C-v"

In addition, the above should be done on a TTY frame.

This 22-year old bug is now fixed on the master branch.

Thanks.

[Message part 3 (message/rfc822, inline)]

From: Sergei Litvin <litvindev <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 24.5; NULL pointer dereference in compute_motion(), indent.c
Date: Mon, 25 Jul 2016 02:51:40 +0300

[Message part 4 (text/plain, inline)]

Package: emacs

Version: 24.5

struct position *
compute_motion (ptrdiff_t from, ptrdiff_t frombyte, EMACS_INT fromvpos,
        EMACS_INT fromhpos, bool did_motion, ptrdiff_t to,
        EMACS_INT tovpos, EMACS_INT tohpos, EMACS_INT width,
        ptrdiff_t hscroll, int tab_offset, struct window *win)
{

...

  if (dp == buffer_display_table ())
    width_table = (VECTORP (BVAR (current_buffer, width_table))
                   ? XVECTOR (BVAR (current_buffer, width_table))->contents
                   : 0);
  else
    /* If the window has its own display table, we can't use the width
       run cache, because that's based on the buffer's display table.  */
    width_table = 0; // initialize it with 0 (current buffer has no 
display table)

...

      if (width_cache)
        {
          /* Is this character part of the current run?  If so, extend
         the run.  */
          if (pos - 1 == width_run_end
          && XFASTINT (width_table[c]) == width_run_width) // 
dereference width_table here, and crash
        width_run_end = pos;
...


Sergei Litvin

[Message part 5 (text/html, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.