Subject: bug#24118: 25.1; [PATCH] Fix a possible crash caused by mapcar1
From: Chris Feng
Date: Sun, 31 Jul 2016 20:46:50 +0800
Message-ID: <86fuqq2cw5.fsf@gmail.com>

Processing a list with `mapcar' or `mapconcat' can be terminated early when the list is tampered with (as shown in the following example), and as a result we'll be dealing with uninitialized memory, which will likely trigger a crash.

  (setq a (make-list 10 0))
  (mapcar (lambda (_) (setcdr a nil)) a)

Chris

--- * src/fns.c (mapcar1): Check and reset uninitialized list elements. --- src/fns.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/fns.c b/src/fns.c index d5a1f74..1804bce 100644 --- a/src/fns.c +++ b/src/fns.c 
@@ -2524,6 +2524,10 @@ mapcar1 (EMACS_INT leni, Lisp_Object *vals, Lisp_Object fn, Lisp_Object seq) vals[i] = dummy; tail = XCDR (tail); } + + /* In case the list was tampered and the loop terminated early. */ + if (i < leni) + memclear (vals + i, (leni - i) * word_size); } } -- 2.8.1
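Review bot: In the added `if (i < leni)` block, zero-filling `vals[i..leni)` makes the padded slots indistinguishable from values `fn` actually returned, so a caller that sized its result from `leni` cannot tell that the walk stopped early; consider reporting `i` to the caller instead of padding. If the padding stays, writing the byte count as `(leni - i) * sizeof *vals` would tie it to the element type of `vals`, and the comment could say that `fn` itself may shorten the list, since that is the case shown in the report.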
From: Andreas Schwab
Date: Sun, 31 Jul 2016 15:18:09 +0200
In-Reply-To: <86fuqq2cw5.fsf@gmail.com> (Chris Feng's message of "Sun, 31 Jul 2016 20:46:50 +0800")
Message-ID: <87vazmj69a.fsf@linux-m68k.org>

Chris Feng writes:

> diff --git a/src/fns.c b/src/fns.c > index d5a1f74..1804bce 100644 > --- a/src/fns.c > +++ b/src/fns.c 
> @@ -2524,6 +2524,10 @@ mapcar1 (EMACS_INT leni, Lisp_Object *vals, Lisp_Object fn, Lisp_Object seq) > vals[i] = dummy; > tail = XCDR (tail); > } > + > + /* In case the list was tampered and the loop terminated early. */ > + if (i < leni) > + memclear (vals + i, (leni - i) * word_size);

That should not depend on the representation of Qnil.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
From: Chris Feng
Date: Sun, 31 Jul 2016 21:33:25 +0800
In-Reply-To: <87vazmj69a.fsf@linux-m68k.org> (Andreas Schwab's message of "Sun, 31 Jul 2016 15:18:09 +0200")
Message-ID: <86h9b6j5ju.fsf@gmail.com>

Andreas Schwab writes:

> That should not depend on the representation of Qnil.

I think the result is undefined. I set it to Qnil because it was before 60d1b18.

Chris
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Chris Feng
Subject: bug#24118: closed (Re: 25.1; [PATCH] Fix a possible crash caused by mapcar1)
Date: Wed, 03 Aug 2016 01:17:02 +0000

Your bug report

#24118: 25.1; [PATCH] Fix a possible crash caused by mapcar1

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 24118@debbugs.gnu.org.

-- 
24118: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=24118
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

To: Chris Feng
From: Paul Eggert
Subject: Re: 25.1; [PATCH] Fix a possible crash caused by mapcar1
Organization: UCLA Computer Science Department
Message-ID: <8ad02288-7280-31c3-1a74-12a677107ca9@cs.ucla.edu>
Date: Tue, 2 Aug 2016 18:15:53 -0700
Cc: Andreas Schwab, 24118-done@debbugs.gnu.org

Thanks for the bug report. I installed the attached more-adventurous patch, which truncates the result rather than extending it with nils. This seems a bit more appropriate anyway.

Although it no longer matters for this patch, memclear is specified to store nil values regardless of how nil is represented. Of course memclear's current implementation assumes Qnil is zero, and memclear can't be portably and easily implemented if we merely change Qnil to be nonzero, but that's a bridge we don't have to cross unless we change Qnil to be nonzero.
Content-Disposition: attachment; filename="0001-Fix-mapcar-F-S-crash-when-F-alters-S-s-length.txt"
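
Added example, not part of the thread and not Emacs source: a small C model of the failure in the report and of the truncating remedy Paul Eggert describes, where the mapping routine reports how many slots it wrote. The names `cell`, `map_into`, `truncate_cb` and `demo` are hypothetical, and a poison value stands in for uninitialized memory so the stale slots can be counted without reading indeterminate data.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model constructed for this example: NULL plays the role of nil. */
struct cell { int car; struct cell *cdr; };
typedef int (*map_fn)(int elt, void *ctx);
struct outcome { size_t mapped, stale; };

#define POISON (-1) /* stands in for whatever the buffer held before */

static struct cell *make_list(size_t n, int v)
{
    struct cell *head = NULL;
    while (n--) {
        struct cell *c = malloc(sizeof *c);
        if (!c) abort();
        c->car = v;
        c->cdr = head;
        head = c;
    }
    return head;
}

static void free_list(struct cell *l)
{
    while (l) {
        struct cell *next = l->cdr;
        free(l);
        l = next;
    }
}

/* Shortens the list being mapped, like (lambda (_) (setcdr a nil)). */
static int truncate_cb(int elt, void *ctx)
{
    struct cell *head = ctx;
    free_list(head->cdr);
    head->cdr = NULL;
    return elt + 1;
}

static int plain_cb(int elt, void *ctx) { (void)ctx; return elt + 1; }

/* Store fn's results in vals[0..len) and return how many slots were
   written, which is fewer than len when fn shortened the list. */
static size_t map_into(size_t len, int *vals, map_fn fn, void *ctx,
                       struct cell *seq)
{
    struct cell *tail = seq;
    for (size_t i = 0; i < len; i++) {
        if (!tail)
            return i;
        vals[i] = fn(tail->car, ctx);
        tail = tail->cdr;
    }
    return len;
}

/* Map over an n-element list; `stale` counts slots that a caller
   trusting the pre-loop length n would read but that were never written,
   `mapped` is the count a hardened caller would use instead. */
static struct outcome demo(size_t n, int shorten)
{
    struct cell *list = make_list(n, 0);
    int *vals = malloc((n ? n : 1) * sizeof *vals);
    if (!vals) abort();
    for (size_t i = 0; i < n; i++)
        vals[i] = POISON;

    struct outcome r = { 0, 0 };
    r.mapped = map_into(n, vals, shorten ? truncate_cb : plain_cb, list, list);
    for (size_t i = 0; i < n; i++)
        r.stale += (vals[i] == POISON);
    free(vals);
    free_list(list);
    return r;
}

int main(void)
{
    struct outcome r = demo(10, 1);
    printf("mapped=%zu stale=%zu\n", r.mapped, r.stale);
    return 0;
}
```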