GNU bug report logs - #62039
Emacs crashes while parsing a long Emacs Lisp string

Package: emacs;

Reported by: Bruno Haible <bruno <at> clisp.org>

Date: Tue, 7 Mar 2023 21:53:01 UTC

Severity: normal

Done: Mattias Engdegård <mattiase <at> acm.org>

Bug is archived. No further changes may be made.

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Bruno Haible <bruno <at> clisp.org>
Subject: bug#62039: closed (Re: bug#62039: Emacs crashes while parsing a
 long Emacs Lisp string)
Date: Sat, 11 Mar 2023 09:26:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#62039: Emacs crashes while parsing a long Emacs Lisp string

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 62039 <at> debbugs.gnu.org.

-- 
62039: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62039
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Mattias Engdegård <mattiase <at> acm.org>
To: Bruno Haible <bruno <at> clisp.org>
Cc: 62039-done <at> debbugs.gnu.org
Subject: Re: bug#62039: Emacs crashes while parsing a long Emacs Lisp string
Date: Sat, 11 Mar 2023 10:25:34 +0100
Now fixed on master. Thanks again for the report.


[Message part 3 (message/rfc822, inline)]
From: Bruno Haible <bruno <at> clisp.org>
To: bug-gnu-emacs <at> gnu.org
Subject: Emacs crashes while parsing a long Emacs Lisp string
Date: Tue, 07 Mar 2023 22:51:58 +0100
[Message part 4 (text/plain, inline)]
When parsing a particular long Emacs Lisp string, Emacs crashes.

How to reproduce:

$ emacs -Q -batch -f batch-byte-compile foo.el
Segmentation fault

Find attached the compressed file foo.el.

Emacs version: 27.1
Platform: x86_64-linux-gnu
$ ulimit -a | grep stack
stack size                  (kbytes, -s) 8192

According to the documentation
https://www.gnu.org/software/emacs/manual/html_node/emacs/Bug-Criteria.html
any segmentation fault is a bug.

I haven't analyzed the security impact of this bug, but it is quite possible
that emacs receives a string through the network, and even though the string
is not meant to be evaluated, simply parsing it causes a denial-of-service
to the emacs user.

The cause of the bug is that in emacs/src/lread.c the function read_escape()
is recursive, and no bound on the recursion depth is enforced.

[foo.el.gz (application/gzip, attachment)]

This bug report was last modified 2 years and 94 days ago.
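
The report attributes the crash to a recursive escape parser with no limit on recursion depth. The following C code is an added example, not part of the report and not Emacs's code: it parses a made-up prefix escape (`\!`, with the hypothetical names `FLAG`, `MAX_DEPTH`, `parse_bounded` and `parse_iterative`) once with an explicit depth bound and once iteratively, the two usual ways to keep stack use independent of the input.

```c
#include <stdio.h>

/* Toy grammar, constructed for this example (not Emacs syntax):
     item := '\' '!' item   (prefix: sets FLAG on the item that follows)
           | '\' char | char
   Parsing it with one self-call per "\!" prefix costs one stack frame per
   prefix, so the input's author controls the stack depth. */
#define FLAG      0x100L
#define MAX_DEPTH 64   /* hypothetical nesting limit */

/* Recursive form with an explicit bound: returns the character code (plus
   FLAG if prefixed), or -1 for malformed or too deeply nested input. */
static long parse_bounded(const char **pp, int depth)
{
    const char *p = *pp;
    if (depth > MAX_DEPTH)
        return -1;
    if (p[0] == '\\' && p[1] == '!') {
        p += 2;
        long c = parse_bounded(&p, depth + 1);
        if (c >= 0) { *pp = p; c |= FLAG; }
        return c;
    }
    if (*p == '\\') p++;
    if (*p == '\0') return -1;
    *pp = p + 1;
    return (unsigned char)*p;
}

/* Iterative form: prefixes are consumed in a loop, so stack use stays
   constant however many prefixes the input contains. */
static long parse_iterative(const char **pp)
{
    const char *p = *pp;
    long flags = 0;
    for (; p[0] == '\\' && p[1] == '!'; p += 2)
        flags = FLAG;
    if (*p == '\\') p++;
    if (*p == '\0') return -1;
    *pp = p + 1;
    return (unsigned char)*p | flags;
}

int main(void)
{
    const char *s = "\\!\\!a", *t = s;   /* constructed sample input */
    printf("%#lx %#lx\n", parse_bounded(&s, 0), parse_iterative(&t));
    return 0;
}
```

The bounded form rejects input nested past `MAX_DEPTH` with an error the caller can report, while the iterative form accepts any number of prefixes without growing the stack.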