GNU bug report logs - #55068
29.0.50; crashes when trying to set default font


Package: emacs;

Reported by: Gregor Zattler <telegraph <at> gmx.net>

Date: Fri, 22 Apr 2022 18:39:02 UTC

Severity: normal

Tags: confirmed

Found in version 29.0.50


From: Po Lu <luangruo <at> yahoo.com>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 55068 <at> debbugs.gnu.org, telegraph <at> gmx.net
Subject: bug#55068: 29.0.50; crashes when trying to set default font
Date: Mon, 23 May 2022 20:29:23 +0800

Lars Ingebrigtsen <larsi <at> gnus.org> writes:

> ==3291841== Warning: client switching stacks?  SP change: 0x1ffeffdf60 --> 0x1ffe619240
> ==3291841==          to suppress, use: --max-stackframe=10374432 or greater
> ==3291841== Warning: client switching stacks?  SP change: 0x1ffe619240 --> 0x1ffdc34520
> ==3291841==          to suppress, use: --max-stackframe=10374432 or greater
> ==3291841== Invalid write of size 8
> ==3291841==    at 0x1E43BF: x_menu_show (xmenu.c:1903)
> ==3291841==  Address 0x1ffdc34518 is on thread 1's stack

The stack overflowed because of the two allocas.  Does it still crash
with this patch?

diff --git a/src/xmenu.c b/src/xmenu.c
index aaf53569a7..e9601981ed 100644
--- a/src/xmenu.c
+++ b/src/xmenu.c
@@ -1894,13 +1894,19 @@ x_menu_show (struct frame *f, int x, int y, int menuflags,
 {
   int i;
   widget_value *wv, *save_wv = 0, *first_wv = 0, *prev_wv = 0;
-  widget_value **submenu_stack
-    = alloca (menu_items_used * sizeof *submenu_stack);
-  Lisp_Object *subprefix_stack
-    = alloca (menu_items_used * sizeof *subprefix_stack);
+  widget_value **submenu_stack;
+  Lisp_Object *subprefix_stack;
   int submenu_depth = 0;
+  specpdl_ref specpdl_count;
 
-  specpdl_ref specpdl_count = SPECPDL_INDEX ();
+  USE_SAFE_ALLOCA;
+
+  submenu_stack = SAFE_ALLOCA (menu_items_used
+			       * sizeof *submenu_stack);
+  subprefix_stack = SAFE_ALLOCA (menu_items_used
+				 * sizeof *subprefix_stack);
+
+  specpdl_count = SPECPDL_INDEX ();
 
   eassert (FRAME_X_P (f));
 
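Review bot: The sizes passed to the two SAFE_ALLOCA calls are still the raw products `menu_items_used * sizeof *submenu_stack` and `menu_items_used * sizeof *subprefix_stack`, with no check that the multiplication does not wrap. lisp.h provides SAFE_NALLOCA (buf, multiplier, nitems) for this array case; using it for both arrays would check the multiplication and remove the hand-written size arithmetic.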
@@ -1909,6 +1915,7 @@ x_menu_show (struct frame *f, int x, int y, int menuflags,
   if (menu_items_used <= MENU_ITEMS_PANE_LENGTH)
     {
       *error_name = "Empty menu";
+      SAFE_FREE ();
       return Qnil;
     }
 
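Review bot: The SAFE_FREE () before `return Qnil` in the "Empty menu" branch is needed only because both arrays are allocated above the `menu_items_used <= MENU_ITEMS_PANE_LENGTH` check. Moving the two SAFE_ALLOCA calls below this check would avoid allocating for a menu that is rejected immediately, and would leave one fewer exit that has to remember the cleanup.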
@@ -2141,6 +2148,8 @@ x_menu_show (struct frame *f, int x, int y, int menuflags,
 			  entry = Fcons (subprefix_stack[j], entry);
 		    }
 		  unblock_input ();
+
+		  SAFE_FREE ();
 		  return entry;
 		}
 	      i += MENU_ITEMS_ITEM_LENGTH;
@@ -2155,6 +2164,8 @@ x_menu_show (struct frame *f, int x, int y, int menuflags,
     }
 
   unblock_input ();
+
+  SAFE_FREE ();
   return Qnil;
 }
 
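Review bot: SAFE_FREE () is now repeated by hand before each return (here, before `return entry`, and in the "Empty menu" branch), so any return in x_menu_show that this patch does not touch would skip the cleanup when an allocation was too large for the stack. Please confirm that these three are the only exits, or route them through a single exit path so that a return added later cannot miss it.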




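The stack-or-heap choice that the SAFE_ALLOCA calls in the patch above rely on, modelled as an added C sketch that is not part of the original message and is not Emacs code. STACK_BUDGET, BOUNDED_ALLOCA and menu_scratch are hypothetical names, and the item counts in main are constructed.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BUDGET (16 * 1024) /* assumed per-call stack budget, in bytes */

/* Take NBYTES from the stack while the budget lasts, otherwise from the heap
   (recorded in *HEAPSLOT).  This must be a macro: alloca memory is released
   when the function that called alloca returns.  */
#define BOUNDED_ALLOCA(nbytes, avail, heapslot)      \
  ((nbytes) <= *(avail)                              \
   ? (*(avail) -= (nbytes), alloca (nbytes))         \
   : (*(heapslot) = malloc (nbytes)))

/* Allocate two scratch stacks of NITEMS pointers each, like the two arrays in
   the patch.  Returns how many of them needed the heap (0, 1 or 2), or -1 if
   the size would overflow or a heap allocation failed.  */
int menu_scratch (size_t nitems)
{
  size_t avail = STACK_BUDGET;
  void *heap[2] = { NULL, NULL };
  if (nitems > SIZE_MAX / sizeof (void *))
    return -1; /* nitems * sizeof would wrap around */
  size_t bytes = nitems * sizeof (void *);
  void **submenu_stack = BOUNDED_ALLOCA (bytes, &avail, &heap[0]);
  void **subprefix_stack = BOUNDED_ALLOCA (bytes, &avail, &heap[1]);
  int on_heap = (heap[0] != NULL) + (heap[1] != NULL);
  int ok = submenu_stack != NULL && subprefix_stack != NULL;
  if (ok)
    { /* Touch every byte, as real use of the arrays would.  */
      memset (submenu_stack, 0, bytes);
      memset (subprefix_stack, 0, bytes);
    }
  free (heap[0]); /* single exit: heap fallbacks are always released */
  free (heap[1]);
  return ok ? on_heap : -1;
}

int main (void)
{
  /* Constructed item counts: small, mid-sized and very large menus.  */
  size_t counts[] = { 100, 12000 / sizeof (void *), 1000000 };
  for (size_t i = 0; i < sizeof counts / sizeof *counts; i++)
    printf ("%zu items -> %d on heap\n", counts[i], menu_scratch (counts[i]));
  return 0;
}
```

With a plain alloca in place of BOUNDED_ALLOCA, the largest count would move the stack pointer by several megabytes in one step, which is the pattern the Valgrind warnings quoted above report.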
This bug report was last modified 2 years and 361 days ago.