GNU bug report logs -
#35576
27.0.50; Emacs crash when reads an integer with radix > 36
Previous Next
Reported by: Tino Calancha <tino.calancha <at> gmail.com>
Date: Sun, 5 May 2019 11:38:02 UTC
Severity: normal
Found in version 27.0.50
Done: Eli Zaretskii <eliz <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your bug report
#35576: 27.0.50; Emacs crash when reads an integer with radix > 36
which was filed against the emacs package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 35576 <at> debbugs.gnu.org.
--
35576: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=35576
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
> From: Tino Calancha <tino.calancha <at> gmail.com>
> Date: Sun, 05 May 2019 20:37:08 +0900
>
> emacs -Q:
> ;; Emacs crash when you eval the following form
> M-: #37r1
>
> ;; Expected: you get the error:
> ;; Invalid read syntax: "integer, radix 37"
>
>
>
> In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.22.11)
> of 2019-05-05
> Windowing system distributor 'The X.Org Foundation', version 11.0.11902000
> System Description: Debian GNU/Linux 9 (stretch)
>
>
> --8<-----------------------------cut here---------------start------------->8---
> commit c5ffba787a10f80d17a0ebc7fc7e1fb0f754843d
> Author: Tino Calancha <tino.calancha <at> gmail.com>
> Date: Sun May 5 20:24:03 2019 +0900
>
> src/lread.c (read_integer): Prevent from accessing a null buffer
Thanks, I installed a slightly different fix (there's no need to call
xfree, since record_unwind_protect_ptr already takes care of that).
[Message part 3 (message/rfc822, inline)]
emacs -Q:
;; Emacs crash when you eval the following form
M-: #37r1
;; Expected: you get the error:
;; Invalid read syntax: "integer, radix 37"
In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.22.11)
of 2019-05-05
Windowing system distributor 'The X.Org Foundation', version 11.0.11902000
System Description: Debian GNU/Linux 9 (stretch)
--8<-----------------------------cut here---------------start------------->8---
commit c5ffba787a10f80d17a0ebc7fc7e1fb0f754843d
Author: Tino Calancha <tino.calancha <at> gmail.com>
Date: Sun May 5 20:24:03 2019 +0900
src/lread.c (read_integer): Prevent from accessing a null buffer
diff --git a/src/lread.c b/src/lread.c
index 1c97805ca7..810e24d614 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -2660,19 +2660,17 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix)
Also, room for invalid syntax diagnostic. */
size_t len = max (1 + 1 + UINTMAX_WIDTH + 1,
sizeof "integer, radix " + INT_STRLEN_BOUND (EMACS_INT));
- char *buf = NULL;
+ char *buf = xmalloc (len);
char *p = buf;
int valid = -1; /* 1 if valid, 0 if not, -1 if incomplete. */
ptrdiff_t count = SPECPDL_INDEX ();
-
if (radix < 2 || radix > 36)
valid = 0;
else
{
int c, digit;
- buf = xmalloc (len);
record_unwind_protect_ptr (free_contents, &buf);
p = buf;
@@ -2718,8 +2716,10 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix)
if (valid != 1)
{
- sprintf (buf, "integer, radix %"pI"d", radix);
- invalid_syntax (buf);
+ xfree (buf);
+ char str[len];
+ sprintf (str, "integer, radix %"pI"d", radix);
+ invalid_syntax (str);
}
*p = '\0';
--8<-----------------------------cut here---------------end--------------->8---
This bug report was last modified 6 years and 18 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.