From: Bruno Haible
To: bug-gnu-emacs@gnu.org
Subject: bug#62039: Emacs crashes while parsing a long Emacs Lisp string
Date: Tue, 07 Mar 2023 22:51:58 +0100
Message-ID: <5401235.PpUMLH0tvb@nimes>

When parsing a particular long Emacs Lisp string, Emacs crashes.

How to reproduce:

$ emacs -Q -batch -f batch-byte-compile foo.el
Segmentation fault

Find attached the compressed file foo.el.

Emacs version: 27.1
Platform: x86_64-linux-gnu

$ ulimit -a | grep stack
stack size              (kbytes, -s) 8192

According to the documentation
https://www.gnu.org/software/emacs/manual/html_node/emacs/Bug-Criteria.html
any segmentation fault is a bug.

I haven't analyzed the security impact of this bug, but it is quite possible
that emacs receives a string through the network, and even though the string
is not meant to be evaluated, simply parsing it causes a denial-of-service
to the emacs user.

The cause of the bug is that in emacs/src/lread.c the function read_escape()
is recursive, and no bound on the recursion depth is enforced.

[Attachment: foo.el.gz (application/gzip)]

From: Mattias Engdegård
To: Bruno Haible
Cc: 62039@debbugs.gnu.org
Subject: bug#62039: Emacs crashes while parsing a long Emacs Lisp string
Date: Wed, 8 Mar 2023 10:39:53 +0100
Message-Id: <1522E223-3EB8-478A-9585-17A239F23434@acm.org>

> The cause of the bug is that in emacs/src/lread.c the function read_escape() is recursive, and no bound on the recursion depth is enforced.

Dear me, I meant to remove that recursion during the last reader renovation but got sidetracked. Will fix.

Thank you very much for noticing and reporting this bug.

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Bruno Haible
Subject: bug#62039: closed (Re: bug#62039: Emacs crashes while parsing a long Emacs Lisp string)
Date: Sat, 11 Mar 2023 09:26:02 +0000

Your bug report

#62039: Emacs crashes while parsing a long Emacs Lisp string

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 62039@debbugs.gnu.org.

-- 
62039: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62039
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Mattias Engdegård
To: Bruno Haible
Cc: 62039-done@debbugs.gnu.org
Subject: Re: bug#62039: Emacs crashes while parsing a long Emacs Lisp string
Date: Sat, 11 Mar 2023 10:25:34 +0100
Message-Id: <3624E3C3-1A2F-46A8-9C3B-0AB3CC7E5EC8@acm.org>

Now fixed on master. Thanks again for the report.
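
The failure mode named in the report (unbounded recursion in an escape reader) and the two remedies the thread mentions (a depth bound, or removing the recursion), as an added example that is not Emacs source code and not part of the thread. It is a simplified model: the only nesting construct is a `\M-` prefix that may be followed by another escape, and `META_BIT`, `ESC_ERROR` and all function names are assumptions made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>

#define META_BIT  0x8000000L  /* modifier bit OR-ed in per "\M-" (model value) */
#define ESC_ERROR (-1L)

/* Recursive form: "\M-" followed by another backslash re-enters the function,
   so stack use grows with the input.  max_depth is the kind of bound the
   report says is missing.  *pos points just past a backslash. */
static long read_escape_rec(const char *s, size_t len, size_t *pos,
                            int depth, int max_depth)
{
    if (depth > max_depth || *pos >= len) return ESC_ERROR;
    unsigned char c = s[(*pos)++];
    if (c != 'M') return c;            /* plain escape: model returns the char */
    if (*pos >= len || s[(*pos)++] != '-') return ESC_ERROR;
    if (*pos >= len) return ESC_ERROR;
    c = s[(*pos)++];
    long inner = (c == '\\')
        ? read_escape_rec(s, len, pos, depth + 1, max_depth) : c;
    return inner == ESC_ERROR ? ESC_ERROR : (inner | META_BIT);
}

/* Iterative form: accumulate modifier bits in a local and loop, so stack use
   is constant however many prefixes the input nests. */
static long read_escape_iter(const char *s, size_t len, size_t *pos)
{
    long mods = 0;
    for (;;) {
        if (*pos >= len) return ESC_ERROR;
        unsigned char c = s[(*pos)++];
        if (c != 'M') return c | mods;
        if (*pos >= len || s[(*pos)++] != '-') return ESC_ERROR;
        mods |= META_BIT;
        if (*pos >= len) return ESC_ERROR;
        c = s[(*pos)++];
        if (c != '\\') return c | mods;  /* else: another escape, loop again */
    }
}

long parse_bounded(const char *s, size_t len, int max_depth)
{ size_t pos = 0; return read_escape_rec(s, len, &pos, 0, max_depth); }

long parse_iter(const char *s, size_t len)
{ size_t pos = 0; return read_escape_iter(s, len, &pos); }

/* Constructed input: n nested prefixes (n >= 1), "M-\M-\...M-a", 3*n bytes. */
char *make_nested(size_t n, size_t *len_out)
{
    char *buf = malloc(3 * n + 1), *p = buf;
    if (!buf) return NULL;
    for (size_t i = 0; i < n; i++) {
        *p++ = 'M'; *p++ = '-';
        if (i + 1 < n) *p++ = '\\';
    }
    *p++ = 'a'; *p = '\0';
    *len_out = (size_t)(p - buf);
    return buf;
}

int main(void)
{
    size_t len;
    char *deep = make_nested(1000000, &len);
    if (!deep) return 1;
    printf("bounded recursion: %ld\n", parse_bounded(deep, len, 100));
    printf("iterative:         %#lx\n", (unsigned long)parse_iter(deep, len));
    free(deep);
    return 0;
}
```

With the bound in place the deeply nested input is rejected as a parse error instead of exhausting the stack; the iterative reader accepts it in constant stack space.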