GNU bug report logs - #62039
Emacs crashes while parsing a long Emacs Lisp string

Previous Next

Package: emacs;

Reported by: Bruno Haible <bruno <at> clisp.org>

Date: Tue, 7 Mar 2023 21:53:01 UTC

Severity: normal

Done: Mattias Engdegård <mattiase <at> acm.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Bruno Haible <bruno <at> clisp.org>
To: 62039 <at> debbugs.gnu.org
Subject: bug#62039: Emacs crashes while parsing a long Emacs Lisp string
Date: Tue, 07 Mar 2023 22:51:58 +0100

[Message part 1 (text/plain, inline)]

When parsing a particular long Emacs Lisp string, Emacs crashes.

How to reproduce:

$ emacs -Q -batch -f batch-byte-compile foo.el
Segmentation fault

Find attached the compressed file foo.el.

Emacs version: 27.1
Platform: x86_64-linux-gnu
$ ulimit -a | grep stack
stack size                  (kbytes, -s) 8192

According to the documentation
https://www.gnu.org/software/emacs/manual/html_node/emacs/Bug-Criteria.html
any segmentation fault is a bug.

I haven't analyzed the security impact of this bug, but it is quite possible
that emacs receives a string through the network, and even though the string
is not meant to be evaluated, simply parsing it causes a denial-of-service
to the emacs user.

The cause of the bug is that in emacs/src/lread.c the function read_escape()
is recursive, and no bound on the recursion depth is enforced.

[foo.el.gz (application/gzip, attachment)]

This bug report was last modified 2 years and 72 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #62039 Emacs crashes while parsing a long Emacs Lisp string

GNU bug report logs - #62039
Emacs crashes while parsing a long Emacs Lisp string