GNU bug report logs - #43281
27.1; Opening a bad GIF segfaults Emacs

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 43281 in the body.
You can then email your comments to 43281 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: nnoodle <nnoodle <at> chiru.no>
To: bug-gnu-emacs <at> gnu.org
Subject: 27.1; Opening a bad GIF segfaults Emacs
Date: Tue, 8 Sep 2020 20:38:30 +0700

To reproduce:
$ echo 'GIF89a;' > bad.gif
$ emacs -Q bad.gif

The result will be a segmentation fault.

In GNU Emacs 27.1 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.22.30, 
cairo version 1.15.10)
 of 2020-09-05 built on pc
Windowing system distributor 'The X.Org Foundation', version 11.0.11906000
System Description: Ubuntu 18.04.5 LTS

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --prefix=/home/me/.local/stow/emacs --with-modules
 --with-file-notification=inotify --with-mailutils --with-x=yes
 --with-x-toolkit=gtk3 --with-xwidgets --with-lcms2 --with-cairo
 --with-json --with-harfbuzz --with-threads'

Configured features:
XPM JPEG TIFF GIF PNG RSVG CAIRO SOUND GPM DBUS GSETTINGS GLIB NOTIFY
INOTIFY ACL LIBSELINUX GNUTLS LIBXML2 FREETYPE HARFBUZZ M17N_FLT LIBOTF
ZLIB TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS XWIDGETS
LIBSYSTEMD JSON PDUMPER LCMS2 GMP

Important settings:
  value of $LC_MONETARY: en_US.UTF-8
  value of $LC_NUMERIC: en_US.UTF-8
  value of $LC_TIME: en_US.UTF-8
  value of $LANG: en_US.UTF-8
  value of $XMODIFIERS: @im=ibus
  locale-coding-system: utf-8-unix

Major mode: Dired by name

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  buffer-read-only: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc puny format-spec rfc822 mml
easymenu mml-sec password-cache epa derived epg epg-config gnus-util
rmail rmail-loaddefs text-property-search seq byte-opt gv bytecomp
byte-compile cconv mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045 ietf-drums
mm-util mail-prsvr mail-utils time-date subr-x cl-loaddefs cl-lib dired
dired-loaddefs tooltip eldoc electric uniquify ediff-hook vc-hooks
lisp-float-type mwheel term/x-win x-win term/common-win x-dnd tool-bar
dnd fontset image regexp-opt fringe tabulated-list replace newcomment
text-mode elisp-mode lisp-mode prog-mode register page tab-bar menu-bar
rfn-eshadow isearch timer select scroll-bar mouse jit-lock font-lock
syntax facemenu font-core term/tty-colors frame minibuffer cl-generic
cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao
korean japanese eucjp-ms cp51932 hebrew greek romanian slovak czech
european ethiopic indian cyrillic chinese composite charscript charprop
case-table epa-hook jka-cmpr-hook help simple abbrev obarray
cl-preloaded nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote threads dbusbind
inotify lcms2 dynamic-setting system-font-setting font-render-setting
xwidget-internal cairo move-toolbar gtk x-toolkit x multi-tty
make-network-process emacs)

Memory information:
((conses 16 49247 10632)
 (symbols 48 6010 1)
 (strings 32 15626 1765)
 (string-bytes 1 512136)
 (vectors 16 9296)
 (vector-slots 8 125074 13210)
 (floats 8 22 37)
 (intervals 56 904 0)
 (buffers 1000 13))

Message #8 received at 43281 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: nnoodle <nnoodle <at> chiru.no>
Cc: 43281 <at> debbugs.gnu.org
Subject: Re: bug#43281: 27.1; Opening a bad GIF segfaults Emacs
Date: Tue, 08 Sep 2020 19:18:04 +0300

> From: nnoodle <nnoodle <at> chiru.no>
> Date: Tue, 8 Sep 2020 20:38:30 +0700
> 
> 
> To reproduce:
> $ echo 'GIF89a;' > bad.gif
> $ emacs -Q bad.gif
> 
> The result will be a segmentation fault.

Thanks, fixed.

Message #11 received at 43281 <at> debbugs.gnu.org (full text, mbox):

From: Robert Pluim <rpluim <at> gmail.com>
To: nnoodle <nnoodle <at> chiru.no>
Cc: 43281 <at> debbugs.gnu.org
Subject: Re: bug#43281: 27.1; Opening a bad GIF segfaults Emacs
Date: Tue, 08 Sep 2020 19:10:53 +0200

>>>>> On Tue, 8 Sep 2020 20:38:30 +0700, nnoodle <nnoodle <at> chiru.no> said:

    nnoodle> To reproduce:
    nnoodle> $ echo 'GIF89a;' > bad.gif
    nnoodle> $ emacs -Q bad.gif

    nnoodle> The result will be a segmentation fault.

This should fix it, can you test it?

Thanks

Robert

diff --git a/src/image.c b/src/image.c
index d8c34669cc..6e3b71a869 100644
--- a/src/image.c
+++ b/src/image.c
@@ -8251,7 +8251,7 @@ gif_load (struct frame *f, struct image *img)
   Lisp_Object specified_file = image_spec_value (img->spec, QCfile, NULL);
   Lisp_Object specified_data = image_spec_value (img->spec, QCdata, NULL);
   EMACS_INT idx;
-  int gif_err;
+  int gif_err = 0;
 
   if (NILP (specified_data))
     {
@@ -8277,7 +8277,8 @@ gif_load (struct frame *f, struct image *img)
 	{
 #if HAVE_GIFERRORSTRING
 	  image_error ("Cannot open `%s': %s",
-		       file, build_string (GifErrorString (gif_err)));
+		       file, gif_err ? build_string (GifErrorString (gif_err))
+                       : build_string ("Unknown error from gif library"));
 #else
 	  image_error ("Cannot open `%s'", file);
 #endif

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.