GNU bug report logs - #24118
25.1; [PATCH] Fix a possible crash caused by mapcar1
Reported by: Chris Feng <chris.w.feng <at> gmail.com>
Date: Sun, 31 Jul 2016 12:48:01 UTC
Severity: normal
Tags: patch
Found in version 25.1
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
Processing a list with `mapcar' or `mapconcat' can be terminated early
when the list is tampered with (as shown in the following example), and as a
result we'll be dealing with uninitialized memory, which will likely
trigger a crash.
(setq a (make-list 10 0))
(mapcar (lambda (_)
          (setcdr a nil))
        a)
Chris
---
* src/fns.c (mapcar1): Check and reset uninitialized list elements.
---
src/fns.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/fns.c b/src/fns.c
index d5a1f74..1804bce 100644
--- a/src/fns.c
+++ b/src/fns.c
@@ -2524,6 +2524,10 @@ mapcar1 (EMACS_INT leni, Lisp_Object *vals, Lisp_Object fn, Lisp_Object seq)
vals[i] = dummy;
tail = XCDR (tail);
}
+
+ /* In case the list was tampered and the loop terminated early. */
+ if (i < leni)
+ memclear (vals + i, (leni - i) * word_size);
}
}
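Review bot: the memclear placed after the loop only helps if the early termination on a non-cons tail falls through to this point; if that exit is a `return` rather than a `break`, the new `if (i < leni)` is dead code on exactly the path the commit message describes, so please confirm the loop exits with `break` (and that `i` is declared outside the `for`, since it is read after the loop here). Two further points: the visible context stores through `vals[i]`, but if mapcar1 can be called with vals == NULL by a caller that discards results, the memclear needs a `vals &&` guard as well; and zero-filling assumes the all-zero byte pattern is a valid Lisp_Object, which is a property of the tagging scheme rather than of this function, so storing Qnil explicitly, or returning the number of elements actually processed so that mapcar and mapconcat can size their result to `i`, would be more robust than relying on the representation. Minor: "tampered" in the comment should read "tampered with".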
--
2.8.1
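The failure mode in the report, as an added example in C that is not Emacs code and not part of the original message: a mapcar1-style loop handed a precomputed length while the callback shortens the list from under it. All names here (cell, mapcar1_safe, truncating_fn, run_report_scenario, tail_is_cleared) are hypothetical stand-ins, not Emacs identifiers. The hardened loop breaks out when the list runs short, zero-fills the unfilled result slots (the role the patch's memclear plays) and, going one step beyond the patch, returns the count actually processed so a caller can size its result to that count instead of to the stale length.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Emacs code: a toy cons cell and a mapcar1-style loop
   that, like the Emacs one, receives a precomputed length (leni) and a
   results array (vals) while the callback is free to shorten the list. */
typedef struct cell { long car; struct cell *cdr; } cell;

/* Hypothetical names throughout.  The list is global so the callback can
   reach it, mirroring the reporter's (setcdr a nil) inside the lambda.  */
static cell *tampered_list;

/* Callback: on first use it drops everything after the head, so the list is
   one element long while the caller still believes it has leni elements. */
static long truncating_fn(long x)
{
    tampered_list->cdr = NULL;
    return x + 1;
}

/* Hardened mapcar1-style loop.  Returns how many elements were actually
   processed; vals[0..count) hold results.  The unfilled tail is set to 0 so
   a caller that ignores the count reads a defined value, not stack garbage
   (the role of the memclear in the patch). */
static size_t mapcar1_safe(size_t leni, long *vals, long (*fn)(long), cell *seq)
{
    size_t i;
    cell *tail = seq;
    for (i = 0; i < leni; i++) {
        if (tail == NULL)            /* list was shortened under us: stop */
            break;                   /* break, not return, so the fill below runs */
        long v = fn(tail->car);
        if (vals)                    /* a mapc-style caller may pass NULL */
            vals[i] = v;
        tail = tail->cdr;
    }
    if (vals && i < leni)
        memset(vals + i, 0, (leni - i) * sizeof *vals);
    return i;
}

/* Build n cells as one allocation so freeing still works after truncation
   has orphaned the tail. */
static cell *make_list(size_t n, long fill)
{
    if (n == 0)
        return NULL;
    cell *cells = calloc(n, sizeof *cells);
    if (cells == NULL)
        return NULL;
    for (size_t k = 0; k < n; k++) {
        cells[k].car = fill;
        cells[k].cdr = (k + 1 < n) ? &cells[k + 1] : NULL;
    }
    return cells;
}

static size_t list_length(const cell *l)
{
    size_t n = 0;
    for (; l != NULL; l = l->cdr)
        n++;
    return n;
}

/* Reproduce the report: an n-element list, length taken up front (as the
   caller of mapcar1 does), callback truncates on its first call.  Returns
   the processed count; vals (size n) receives the results. */
static size_t run_report_scenario(long *vals, size_t n)
{
    tampered_list = make_list(n, 0);
    size_t leni = list_length(tampered_list);   /* computed before mapping */
    size_t done = mapcar1_safe(leni, vals, truncating_fn, tampered_list);
    free(tampered_list);
    tampered_list = NULL;
    return done;
}

/* 1 if every slot past the processed prefix holds the 0 sentinel. */
static int tail_is_cleared(const long *vals, size_t done, size_t n)
{
    for (size_t k = done; k < n; k++)
        if (vals[k] != 0)
            return 0;
    return 1;
}
```

With a ten-element list and a callback that truncates on its first call, the loop processes exactly one element; the remaining nine result slots are zeroed rather than left holding whatever the caller's array contained, and the returned count tells the caller how much of the array is meaningful.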