GNU bug report logs - #31186
27.0.50; Undefined behavior in lisp_file_lexically_bound_p


Package: emacs;

Reported by: Philipp <p.stephani2 <at> gmail.com>

Date: Tue, 17 Apr 2018 00:29:02 UTC

Severity: normal

Tags: confirmed

Found in version 27.0.50

Done: Andreas Schwab <schwab <at> suse.de>

Bug is archived. No further changes may be made.





Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#31186; Package emacs. (Tue, 17 Apr 2018 00:29:02 GMT)

Acknowledgement sent to Philipp <p.stephani2 <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Tue, 17 Apr 2018 00:29:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Philipp <p.stephani2 <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 27.0.50; Undefined behavior in lisp_file_lexically_bound_p
Date: Tue, 17 Apr 2018 02:27:55 +0200
Loading a file or evaluating a buffer with the following contents causes
undefined behavior, normally resulting in a segmentation fault:

;; -*- -:*-

For example:

$ emacs -Q -batch -nw -eval '(with-temp-buffer (insert ";; -*- -:*-") (eval-buffer))'
Fatal error 11: Segmentation faultAbort trap: 6

Backtrace:

(lldb) run -Q -batch -nw -l /tmp/crash.el
Process 45748 launched: '/Users/p/Entwicklung/Emacs/master/src/emacs' (x86_64)
Process 45748 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fffefbf7a8e)
    frame #0: 0x0000000100373f19 emacs`lisp_file_lexically_bound_p(readcharfun=(i = 0x0000000101505955)) at lread.c:936
   933 		      if (! in_file_vars)
   934 			/* The value was terminated by an end-marker, which remove.  */
   935 			i -= 3;
-> 936 		      while (i > 0 && (val[i - 1] == ' ' || val[i - 1] == '\t'))
   937 			i--;
   938 		      val[i] = '\0';
   939 	
Target 0: (emacs) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fffefbf7a8e)
  * frame #0: 0x0000000100373f19 emacs`lisp_file_lexically_bound_p(readcharfun=(i = 0x0000000101505955)) at lread.c:936
    frame #1: 0x000000010037563c emacs`Feval_buffer(buffer=(i = 0x0000000101505955), printflag=(i = 0x0000000000000000), filename=(i = 0x0000000101126a64), unibyte=(i = 0x0000000000000000), do_allow_print=(i = 0x000000000000b8e0)) at lread.c:2140
    frame #2: 0x000000010030a643 emacs`funcall_subr(subr=0x000000010093c920, numargs=5, args=0x00007ffeefbf7fa0) at eval.c:2910
    frame #3: 0x0000000100308bfb emacs`Ffuncall(nargs=6, args=0x00007ffeefbf7f98) at eval.c:2823
    frame #4: 0x00000001003b2ddd emacs`exec_byte_code(bytestr=(i = 0x000000010055da5c), vector=(i = 0x000000010055da7d), maxdepth=(i = 0x000000000000001a), args_template=(i = 0x0000000000000000), nargs=0, args=0x0000000000000000) at bytecode.c:632
    frame #5: 0x000000010030b22f emacs`funcall_lambda(fun=(i = 0x000000010055d9dd), nargs=4, arg_vector=0x00007ffeefbf9468) at eval.c:3102
    frame #6: 0x0000000100308c4b emacs`Ffuncall(nargs=5, args=0x00007ffeefbf9460) at eval.c:2825
    frame #7: 0x0000000100309dd9 emacs`call4(fn=(i = 0x00000000076b1188), arg1=(i = 0x0000000101126a64), arg2=(i = 0x0000000101126a64), arg3=(i = 0x0000000000000000), arg4=(i = 0x000000000000b8e0)) at eval.c:2699
    frame #8: 0x000000010037172f emacs`Fload(file=(i = 0x0000000101306f34), noerror=(i = 0x0000000000000000), nomessage=(i = 0x000000000000b8e0), nosuffix=(i = 0x0000000000000000), must_suffix=(i = 0x0000000000000000)) at lread.c:1366
    frame #9: 0x000000010030a643 emacs`funcall_subr(subr=0x000000010093c8f0, numargs=3, args=0x00007ffeefbf9d58) at eval.c:2910
    frame #10: 0x0000000100308bfb emacs`Ffuncall(nargs=4, args=0x00007ffeefbf9d50) at eval.c:2823
    frame #11: 0x00000001003b2ddd emacs`exec_byte_code(bytestr=(i = 0x000000010063d05c), vector=(i = 0x000000010063d07d), maxdepth=(i = 0x000000000000005e), args_template=(i = 0x0000000000000406), nargs=1, args=0x00007ffeefbfb5e8) at bytecode.c:632
    frame #12: 0x000000010030abcc emacs`funcall_lambda(fun=(i = 0x000000010063d02d), nargs=1, arg_vector=0x00007ffeefbfb5e0) at eval.c:3024
    frame #13: 0x0000000100308c4b emacs`Ffuncall(nargs=2, args=0x00007ffeefbfb5d8) at eval.c:2825
    frame #14: 0x00000001003b2ddd emacs`exec_byte_code(bytestr=(i = 0x0000000100637974), vector=(i = 0x0000000100637995), maxdepth=(i = 0x0000000000000032), args_template=(i = 0x0000000000000002), nargs=0, args=0x00007ffeefbfd038) at bytecode.c:632
    frame #15: 0x000000010030abcc emacs`funcall_lambda(fun=(i = 0x0000000100637945), nargs=0, arg_vector=0x00007ffeefbfd038) at eval.c:3024
    frame #16: 0x0000000100308c4b emacs`Ffuncall(nargs=1, args=0x00007ffeefbfd030) at eval.c:2825
    frame #17: 0x00000001003b2ddd emacs`exec_byte_code(bytestr=(i = 0x0000000100636924), vector=(i = 0x0000000100636945), maxdepth=(i = 0x0000000000000032), args_template=(i = 0x0000000000000002), nargs=0, args=0x00007ffeefbfe4d0) at bytecode.c:632
    frame #18: 0x000000010030abcc emacs`funcall_lambda(fun=(i = 0x00000001006368f5), nargs=0, arg_vector=0x00007ffeefbfe4d0) at eval.c:3024
    frame #19: 0x00000001002fedb3 emacs`apply_lambda(fun=(i = 0x00000001006368f5), args=(i = 0x0000000000000000), count=4) at eval.c:2960
    frame #20: 0x00000001002efa3c emacs`eval_sub(form=(i = 0x0000000107862053)) at eval.c:2333
    frame #21: 0x00000001002faa37 emacs`Feval(form=(i = 0x0000000107862053), lexical=(i = 0x0000000000000000)) at eval.c:2108
    frame #22: 0x00000001001d9a9a emacs`top_level_2 at keyboard.c:1120
    frame #23: 0x00000001002f8e9f emacs`internal_condition_case(bfun=(emacs`top_level_2 at keyboard.c:1119), handlers=(i = 0x0000000000004a10), hfun=(emacs`cmd_error at keyboard.c:939)) at eval.c:1334
    frame #24: 0x00000001001d9741 emacs`top_level_1(ignore=(i = 0x0000000000000000)) at keyboard.c:1128
    frame #25: 0x00000001002f80a8 emacs`internal_catch(tag=(i = 0x000000000000bf10), func=(emacs`top_level_1 at keyboard.c:1125), arg=(i = 0x0000000000000000)) at eval.c:1099
    frame #26: 0x00000001001bb9a1 emacs`command_loop at keyboard.c:1089
    frame #27: 0x00000001001bb7e4 emacs`recursive_edit_1 at keyboard.c:696
    frame #28: 0x00000001001bbc11 emacs`Frecursive_edit at keyboard.c:767
    frame #29: 0x00000001001b9289 emacs`main(argc=6, argv=0x00007ffeefbff798) at emacs.c:1720
    frame #30: 0x00007fff6b0dd115 libdyld.dylib`start + 1
    frame #31: 0x00007fff6b0dd115 libdyld.dylib`start + 1

My guess is that `i' wraps around in line 935.

Found by american fuzzy lop.


In GNU Emacs 27.0.50 (build 63, x86_64-apple-darwin17.4.0, NS appkit-1561.20 Version 10.13.3 (Build 17D102))
 of 2018-04-17 built on p
Repository revision: b0d261e29e5c1ffb9bc76e3519dd7525ab1edac4
Windowing system distributor 'Apple', version 10.3.1561
System Description:  Mac OS X 10.13.3

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --with-modules --without-pop --with-mailutils
 --enable-gcc-warnings=yes --enable-checking
 --enable-check-lisp-object-type 'CFLAGS=-ggdb3 -O0''

Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES THREADS
JSON

Important settings:
  value of $LANG: de_DE.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc puny seq byte-opt gv
bytecomp byte-compile cconv dired dired-loaddefs format-spec rfc822 mml
easymenu mml-sec password-cache epa derived epg epg-config gnus-util
rmail rmail-loaddefs mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader cl-loaddefs cl-lib sendmail rfc2047
rfc2045 ietf-drums mm-util mail-prsvr mail-utils time-date elec-pair
tooltip eldoc electric uniquify ediff-hook vc-hooks lisp-float-type
mwheel term/ns-win ns-win ucs-normalize mule-util term/common-win
tool-bar dnd fontset image regexp-opt fringe tabulated-list replace
newcomment text-mode elisp-mode lisp-mode prog-mode register page
menu-bar rfn-eshadow isearch timer select scroll-bar mouse jit-lock
font-lock syntax facemenu font-core term/tty-colors frame cl-generic
cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao
korean japanese eucjp-ms cp51932 hebrew greek romanian slovak czech
european ethiopic indian cyrillic chinese composite charscript charprop
case-table epa-hook jka-cmpr-hook help simple abbrev obarray minibuffer
cl-preloaded nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote kqueue cocoa ns
multi-tty make-network-process emacs)

Memory information:
((conses 16 204572 6900)
 (symbols 48 19993 1)
 (miscs 40 56 173)
 (strings 32 28833 1950)
 (string-bytes 1 772113)
 (vectors 16 35272)
 (vector-slots 8 721614 13568)
 (floats 8 51 65)
 (intervals 56 210 0)
 (buffers 992 11))




Added tag(s) confirmed. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Tue, 17 Apr 2018 00:42:02 GMT)

Reply sent to Andreas Schwab <schwab <at> suse.de>:
You have taken responsibility. (Tue, 17 Apr 2018 09:49:01 GMT)

Notification sent to Philipp <p.stephani2 <at> gmail.com>:
bug acknowledged by developer. (Tue, 17 Apr 2018 09:49:01 GMT)

Message #12 received at 31186-done <at> debbugs.gnu.org:

From: Andreas Schwab <schwab <at> suse.de>
To: Philipp <p.stephani2 <at> gmail.com>
Cc: 31186-done <at> debbugs.gnu.org
Subject: Re: bug#31186: 27.0.50; Undefined behavior in lisp_file_lexically_bound_p
Date: Tue, 17 Apr 2018 11:48:04 +0200
On Apr 17 2018, Philipp <p.stephani2 <at> gmail.com> wrote:

> Loading a file or evaluating a buffer with the following contents causes
> undefined behavior, normally resulting in a segmentation fault:
>
> ;; -*- -:*-
>
> For example:
>
> $ emacs -Q -batch -nw -eval '(with-temp-buffer (insert ";; -*- -:*-") (eval-buffer))'
> Fatal error 11: Segmentation faultAbort trap: 6

I have installed this patch in the emacs-26 branch:

* src/lread.c (lisp_file_lexically_bound_p): Reset
beg_end_state before reading variable or value.
---
 src/lread.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/lread.c b/src/lread.c
index 3104c441ec..72523c057f 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -896,6 +896,7 @@ lisp_file_lexically_bound_p (Lisp_Object readcharfun)
 	    ch = READCHAR;
 
 	  i = 0;
+	  beg_end_state = NOMINAL;
 	  while (ch != ':' && ch != '\n' && ch != EOF && in_file_vars)
 	    {
 	      if (i < sizeof var - 1)
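Review bot: the new `beg_end_state = NOMINAL;` before the variable-name loop is the right place for the reset, but nothing in the hunk says why it is needed; a one-line comment above it noting that a '-' at the end of the previous token must not pair with "*-" in the next one (the report's `-:*-` case) would spare the next reader a trip to the bug tracker. A regression test that feeds the report's `;; -*- -:*-` line to `eval-buffer` would also pin the fix in place.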
@@ -921,6 +922,7 @@ lisp_file_lexically_bound_p (Lisp_Object readcharfun)
 		ch = READCHAR;
 
 	      i = 0;
+	      beg_end_state = NOMINAL;
 	      while (ch != ';' && ch != '\n' && ch != EOF && in_file_vars)
 		{
 		  if (i < sizeof val - 1)
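Review bot: the reset before the value loop closes the path in the backtrace, but the `i < sizeof val - 1` check in this hunk only bounds writes into `val`; the later `i -= 3` at lread.c:935 (visible in the reporter's lldb frame) still assumes three end-marker characters were actually stored, and the reporter's guess is that `i` wraps around there. Guarding that decrement, e.g. `if (! in_file_vars && i >= 3)`, would make the underflow impossible even if the marker state is ever wrong again, with the reset remaining the behavioural fix.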
-- 
2.17.0


Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab <at> suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
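A self-contained model of the first-line scan that the report's backtrace lands in, written for this page as an added example rather than taken from Emacs's lread.c: it parses `-*- var: val; ... -*-` with the same three-state end-marker detector, resets that state before each token (the change the patch above makes) and additionally guards the `i -= 3` removal of the end marker, so the report's `;; -*- -:*-` input yields false instead of wrapping `i`. The names `struct scan`, `update`, `token` and `first_line_lexically_bound_p` are this example's own.

```c
#include <stdbool.h>
#include <string.h>

/* "-*-" marker detector: a complete marker toggles in_vars.  */
struct scan { enum { NOMINAL, AFTER_DASH, AFTER_STAR } st; bool in_vars; };

static void update(struct scan *s, int c)
{
    if (s->st == NOMINAL)         s->st = (c == '-') ? AFTER_DASH : NOMINAL;
    else if (s->st == AFTER_DASH) s->st = (c == '*') ? AFTER_STAR : NOMINAL;
    else { if (c == '-') s->in_vars = !s->in_vars; s->st = NOMINAL; }
}

/* Copy one token (up to STOP, newline or the closing marker) into BUF and return its
   length.  Resetting the marker state first is the bug#31186 fix: a '-' left over from
   the previous token can no longer pair with "*-" in this one.  */
static unsigned token(struct scan *s, const char **pp, int stop, char *buf, unsigned cap)
{
    unsigned i = 0;
    s->st = NOMINAL;
    for (; s->in_vars && **pp && **pp != stop && **pp != '\n'; (*pp)++) {
        if (i < cap - 1) buf[i++] = **pp;
        update(s, **pp);
    }
    return i;
}

/* Return true if LINE, a file's first line, sets lexical-binding to t.  */
bool first_line_lexically_bound_p(const char *line)
{
    struct scan s = { NOMINAL, false };
    const char *p = line;
    char var[100], val[100]; unsigned i;

    while (!s.in_vars && *p && *p != '\n')              /* find the opening "-*-" */
        update(&s, *p++);
    while (s.in_vars && *p && *p != '\n') {
        while (*p == ' ' || *p == '\t') p++;
        i = token(&s, &p, ':', var, sizeof var);
        if (!s.in_vars || *p != ':') break;             /* no "var:" before the end marker */
        while (i > 0 && (var[i-1] == ' ' || var[i-1] == '\t')) i--;
        var[i] = '\0';
        p++;                                            /* skip ':' */
        while (*p == ' ' || *p == '\t') p++;
        i = token(&s, &p, ';', val, sizeof val);
        /* A closing "-*-" that ended the value was copied into val; drop it only when
           it is really there, so the unsigned i can never wrap around.  */
        if (!s.in_vars && i >= 3) i -= 3;
        while (i > 0 && (val[i-1] == ' ' || val[i-1] == '\t')) i--;
        val[i] = '\0';
        if (strcmp(var, "lexical-binding") == 0) return strcmp(val, "t") == 0;
        if (*p == ';') p++;
    }
    return false;
}
```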




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 15 May 2018 11:24:07 GMT)




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.