GNU bug report logs - #5601
23.1; etags Scheme_functions past \0 terminator

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 5601 in the body.
You can then email your comments to 5601 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Kevin Ryde <user42 <at> zip.com.au>
To: bug-gnu-emacs <at> gnu.org
Subject: 23.1; etags Scheme_functions past \0 terminator
Date: Fri, 19 Feb 2010 11:13:44 +1100

[Message part 1 (text/plain, inline)]

In etags.c Scheme_functions, I think the loop

    while (notinname (*bp))
      bp++;

will take bp past the '\0' string terminator, because '\0' is a
notinname().

I can't spot any obvious ill effect, only that a line of only

    (define

is tagged, perhaps depending on what was on the line before it.  In any
case doesn't sound good to look into possibly uninitialized parts of the
input buffer.  (Another helper skip_notinname() to try to be clearer
than a double-negative loop :-)

2010-02-19  Kevin Ryde  <user42 <at> zip.com.au>

	* etags.c (Scheme_functions): Don't go past '\0' terminator.
	(skip_notinname): New helper.

[etags.c.scheme-terminator.diff (text/x-diff, attachment)]

[Message part 3 (text/plain, inline)]

In GNU Emacs 23.1.1 (i486-pc-linux-gnu, GTK+ Version 2.16.5)
 of 2009-09-14 on raven, modified by Debian
configured using `configure  '--build=i486-linux-gnu' '--host=i486-linux-gnu' '--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib' '--localstatedir=/var/lib' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--with-pop=yes' '--enable-locallisppath=/etc/emacs23:/etc/emacs:/usr/local/share/emacs/23.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/23.1/site-lisp:/usr/share/emacs/site-lisp:/usr/share/emacs/23.1/leim' '--with-x=yes' '--with-x-toolkit=gtk' '--with-toolkit-scroll-bars' 'build_alias=i486-linux-gnu' 'host_alias=i486-linux-gnu' 'CFLAGS=-DDEBIAN -g -O2' 'LDFLAGS=-g' 'CPPFLAGS=''

Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Francesco Potortì <pot <at> gnu.org>
To: Kevin Ryde <user42 <at> zip.com.au>
Cc: bug-gnu-emacs <at> gnu.org, owner <at> debbugs.gnu.org, 5601 <at> debbugs.gnu.org
Subject: Re: bug#5601: 23.1; etags Scheme_functions past \0 terminator
Date: Fri, 19 Feb 2010 10:39:34 +0100

>In etags.c Scheme_functions, I think the loop
>
>    while (notinname (*bp))
>      bp++;
>
>will take bp past the '\0' string terminator, because '\0' is a
>notinname().

Yes, it appears so.  This is a long-standing bug.  Thanks for spotting
it.

>(Another helper skip_notinname() to try to be clearer
>than a double-negative loop :-)

I don't think a helper function is granted here.  There is a single use
of this construct in the file, and a lot of different constructs: we
have not a helper function for each of them.  Let's try to stick to the
comomn ones only, else we will only add to the confusion.  So, please do
not define a helper function for this case.

Again, I can do the change myself, or else you can do it yourself, as
you like.

>2010-02-19  Kevin Ryde  <user42 <at> zip.com.au>
>
>	* etags.c (Scheme_functions): Don't go past '\0' terminator.
>	(skip_notinname): New helper.
>
>--- etags.c.~3.93.~	2009-11-29 08:42:32.000000000 +1100
>+++ etags.c	2010-02-19 11:04:42.000000000 +1100
>@@ -4989,6 +4989,16 @@
>  *          (set! xyzzy
>  * Original code by Ken Haase (1985?)
>  */
>+
>+static char *
>+skip_notinname (char *cp)
>+{
>+  /* '\0' is a notinname(), don't continue past it */
>+  while (*cp && notinname (*cp))
>+    cp++;
>+  return cp;
>+}
>+
> static void
> Scheme_functions (inf)
>      FILE *inf;
>@@ -5001,8 +5011,7 @@
> 	{
> 	  bp = skip_non_spaces (bp+4);
> 	  /* Skip over open parens and white space */
>-	  while (notinname (*bp))
>-	    bp++;
>+	  bp = skip_notinname (bp);
> 	  get_tag (bp, NULL);
> 	}
>       if (LOOKING_AT (bp, "(SET!") || LOOKING_AT (bp, "(set!"))
>
>
>
>In GNU Emacs 23.1.1 (i486-pc-linux-gnu, GTK+ Version 2.16.5)
> of 2009-09-14 on raven, modified by Debian
>configured using `configure  '--build=i486-linux-gnu' '--host=i486-linux-gnu' '--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib' '--localstatedir=/var/lib' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--with-pop=yes' '--enable-locallisppath=/etc/emacs23:/etc/emacs:/usr/local/share/emacs/23.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/23.1/site-lisp:/usr/share/emacs/site-lisp:/usr/share/emacs/23.1/leim' '--with-x=yes' '--with-x-toolkit=gtk' '--with-toolkit-scroll-bars' 'build_alias=i486-linux-gnu' 'host_alias=i486-linux-gnu' 'CFLAGS=-DDEBIAN -g -O2' 'LDFLAGS=-g' 'CPPFLAGS=''

Message #14 received at 5601 <at> debbugs.gnu.org (full text, mbox):

From: Chong Yidong <cyd <at> stupidchicken.com>
To: Francesco Potortì <pot <at> gnu.org>
Cc: Kevin Ryde <user42 <at> zip.com.au>, 5601 <at> debbugs.gnu.org
Subject: Re: bug#5601: 23.1; etags Scheme_functions past \0 terminator
Date: Sat, 20 Feb 2010 09:12:26 -0500

> >In etags.c Scheme_functions, I think the loop
> >
> >    while (notinname (*bp))
> >      bp++;
> >
> >will take bp past the '\0' string terminator, because '\0' is a
> >notinname().
>
> Yes, it appears so.  This is a long-standing bug.  Thanks for spotting
> it.
>
> >(Another helper skip_notinname() to try to be clearer
> >than a double-negative loop :-)
>
> I don't think a helper function is granted here.  There is a single use
> of this construct in the file, and a lot of different constructs: we
> have not a helper function for each of them.

I've checked in the patch, without the helper function.  Thanks.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.