GNU bug report logs - #24118
25.1; [PATCH] Fix a possible crash caused by mapcar1


Package: emacs;

Reported by: Chris Feng <chris.w.feng <at> gmail.com>

Date: Sun, 31 Jul 2016 12:48:01 UTC

Severity: normal

Tags: patch

Found in version 25.1

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#24118; Package emacs. (Sun, 31 Jul 2016 12:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Chris Feng <chris.w.feng <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sun, 31 Jul 2016 12:48:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Chris Feng <chris.w.feng <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 25.1; [PATCH] Fix a possible crash caused by mapcar1
Date: Sun, 31 Jul 2016 20:46:50 +0800
Processing a list with `mapcar' or `mapconcat' can be terminated early
when the list is tampered with (as shown in the following example), and as a
result we'll be dealing with uninitialized memory which will likely
trigger a crash.

  ;; mapcar1 measures 10 elements up front, but the first call cuts the
  ;; list down to its head, so the walk stops after one iteration.
  (setq a (make-list 10 0))
  (mapcar (lambda (_)
            (setcdr a nil))
          a)

Chris

---

* src/fns.c (mapcar1): Check and reset uninitialized list elements.
---
 src/fns.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/fns.c b/src/fns.c
index d5a1f74..1804bce 100644
--- a/src/fns.c
+++ b/src/fns.c
@@ -2524,6 +2524,10 @@ mapcar1 (EMACS_INT leni, Lisp_Object *vals, Lisp_Object fn, Lisp_Object seq)
 	    vals[i] = dummy;
 	  tail = XCDR (tail);
 	}
+
+      /* In case the list was tampered and the loop terminated early. */
+      if (i < leni)
+        memclear (vals + i, (leni - i) * word_size);
     }
 }
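Review bot: the memclear at the end of the hunk fills vals[i..leni) with zero bytes, which produces nil objects only because memclear's implementation assumes Qnil is all-zero bits; an explicit loop such as `for (; i < leni; i++) vals[i] = Qnil;` expresses the intent without tying it to nil's representation. Separately, the hunk still hands leni to the caller, so mapcar/mapconcat silently pad the result with nils whenever the callback shortens the list; returning the number of elements actually visited and letting the caller truncate the result (the approach the maintainer's reply says was installed) avoids the padding. The comment reads better as "tampered with".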
 
-- 
2.8.1





Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24118; Package emacs. (Sun, 31 Jul 2016 13:19:02 GMT) Full text and rfc822 format available.

Message #8 received at 24118 <at> debbugs.gnu.org (full text, mbox):

From: Andreas Schwab <schwab <at> linux-m68k.org>
To: Chris Feng <chris.w.feng <at> gmail.com>
Cc: 24118 <at> debbugs.gnu.org
Subject: Re: bug#24118: 25.1; [PATCH] Fix a possible crash caused by mapcar1
Date: Sun, 31 Jul 2016 15:18:09 +0200
Chris Feng <chris.w.feng <at> gmail.com> writes:

> diff --git a/src/fns.c b/src/fns.c
> index d5a1f74..1804bce 100644
> --- a/src/fns.c
> +++ b/src/fns.c
> @@ -2524,6 +2524,10 @@ mapcar1 (EMACS_INT leni, Lisp_Object *vals, Lisp_Object fn, Lisp_Object seq)
>  	    vals[i] = dummy;
>  	  tail = XCDR (tail);
>  	}
> +
> +      /* In case the list was tampered and the loop terminated early. */
> +      if (i < leni)
> +        memclear (vals + i, (leni - i) * word_size);

That should not depend on the representation of Qnil.

Andreas.

-- 
Andreas Schwab, schwab <at> linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24118; Package emacs. (Sun, 31 Jul 2016 13:34:02 GMT) Full text and rfc822 format available.

Message #11 received at 24118 <at> debbugs.gnu.org (full text, mbox):

From: Chris Feng <chris.w.feng <at> gmail.com>
To: Andreas Schwab <schwab <at> linux-m68k.org>
Cc: 24118 <at> debbugs.gnu.org
Subject: Re: bug#24118: 25.1; [PATCH] Fix a possible crash caused by mapcar1
Date: Sun, 31 Jul 2016 21:33:25 +0800
Andreas Schwab <schwab <at> linux-m68k.org> writes:

> That should not depend on the representation of Qnil.

I think the result is undefined.  I set it to Qnil because it was before
60d1b18.

Chris




Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Wed, 03 Aug 2016 01:17:02 GMT) Full text and rfc822 format available.

Notification sent to Chris Feng <chris.w.feng <at> gmail.com>:
bug acknowledged by developer. (Wed, 03 Aug 2016 01:17:02 GMT) Full text and rfc822 format available.

Message #16 received at 24118-done <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Chris Feng <chris.w.feng <at> gmail.com>
Cc: Andreas Schwab <schwab <at> linux-m68k.org>, 24118-done <at> debbugs.gnu.org
Subject: Re: 25.1; [PATCH] Fix a possible crash caused by mapcar1
Date: Tue, 2 Aug 2016 18:15:53 -0700
Thanks for the bug report. I installed the attached more-adventurous patch, 
which truncates the result rather than extending it with nils. This seems a bit 
more appropriate anyway.

Although it no longer matters for this patch, memclear is specified to store nil 
values regardless of how nil is represented. Of course memclear's current 
implementation assumes Qnil is zero, and memclear can't be portably and easily 
implemented if we merely change Qnil to be nonzero, but that's a bridge we don't 
have to cross unless we change Qnil to be nonzero.
[0001-Fix-mapcar-F-S-crash-when-F-alters-S-s-length.txt (text/plain, attachment)]
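Modelling the loop discussed in this thread, as an added example (constructed C, not code from Emacs or from either patch): `Cons`, `NIL`, `make_list`, `mapcar1_model`, `sever_after_head` and `run_report_scenario` are hypothetical stand-ins. The walk stops early when the callback cuts the list under it, the unreached slots are filled with a nil object rather than zero bytes, and the count of written slots is returned so a caller can truncate the result the way the installed fix does.

```c
#include <stddef.h>
#include <stdlib.h>
/* Constructed stand-in for Emacs cons cells.  Lisp objects are ints; NIL is
   deliberately non-zero so filling with nil cannot rely on nil being all-zero
   bits (the representation dependence Andreas Schwab objected to). */
#define NIL (-1)
typedef struct Cons { int car; struct Cons *cdr; } Cons;

/* Builds an N-element list of FILL from one calloc'd block, so one free()
   suffices even after a callback has cut the list. */
static Cons *make_list(size_t n, int fill)
{
    Cons *cells = calloc(n, sizeof *cells);
    for (size_t i = 0; i < n; i++) {
        cells[i].car = fill;
        cells[i].cdr = (i + 1 < n) ? &cells[i + 1] : NULL;
    }
    return cells;
}

/* Hypothetical model of mapcar1's list branch.  LENI was measured before the
   loop and FN may mutate the list while we walk it.  Returns how many slots
   of VALS were actually written, so a caller can truncate (the installed fix). */
static size_t mapcar1_model(size_t leni, int *vals, int (*fn)(int, void *),
                            void *ctx, Cons *seq)
{
    size_t i; Cons *tail = seq;
    for (i = 0; i < leni && tail != NULL; i++) {
        vals[i] = fn(tail->car, ctx);
        tail = tail->cdr;   /* FN may have cut the list: the loop ends early */
    }
    return i;               /* < leni when the list was shortened under us */
}

/* Emulates the report's (setcdr a nil): cuts the list right after its head. */
static int sever_after_head(int x, void *ctx)
{ ((Cons *) ctx)->cdr = NULL; return x + 1; }

/* Runs the report's scenario on an N-element list of zeros.  Unreached slots
   get NIL (the first patch's intent, expressed without memclear) and the count
   of written slots is returned so a caller can truncate the result instead. */
size_t run_report_scenario(size_t n, int *vals)
{
    Cons *a = make_list(n, 0);
    size_t written = mapcar1_model(n, vals, sever_after_head, a, a);
    for (size_t i = written; i < n; i++) vals[i] = NIL;
    free(a);
    return written;
}
```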

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 31 Aug 2016 11:24:03 GMT) Full text and rfc822 format available.
