GNU bug report logs - #79156
igc: igc_xpalloc_ambig SEGV


Package: emacs;

Reported by: Gerd Möllmann <gerd.moellmann <at> gmail.com>

Date: Sat, 2 Aug 2025 15:28:01 UTC

Severity: normal

Fixed in version 31.1

Done: Gerd Möllmann <gerd.moellmann <at> gmail.com>




From: Eli Zaretskii <eliz <at> gnu.org>
To: Pip Cet <pipcet <at> protonmail.com>
Cc: gerd.moellmann <at> gmail.com, eller.helmut <at> gmail.com, 79156 <at> debbugs.gnu.org
Subject: bug#79156: igc: igc_xpalloc_ambig SEGV
Date: Sat, 02 Aug 2025 19:27:27 +0300
> Cc: Helmut Eller <eller.helmut <at> gmail.com>, 79156 <at> debbugs.gnu.org
> Date: Sat, 02 Aug 2025 16:00:23 +0000
> From:  Pip Cet via "Bug reports for GNU Emacs,
>  the Swiss army knife of text editors" <bug-gnu-emacs <at> gnu.org>
> 
> Gerd Möllmann <gerd.moellmann <at> gmail.com> writes:
> 
> > We have
> >
> > igc.c:
> >  3465 void *
> >  3466 igc_xpalloc_ambig (void *old_pa, ptrdiff_t *nitems, ptrdiff_t nitems_incr_min,
> >  3467                    ptrdiff_t nitems_max, ptrdiff_t item_size)
> >  3468 {
> >  3469   ptrdiff_t old_nitems = *nitems;
> >
> > and igc_xpalloc_ambig is called here with a NULL old_pa, and non-zero
> > new_size:
> >
> > charset.c:
> >  1135           struct charset *new_table =
> >  1136 #ifdef HAVE_MPS
> >  1137             igc_xpalloc_ambig
> >  1138 #else
> >  1139             xpalloc
> >  1140 #endif
> >  1141             (0, &new_size, 1,
> >  1142              min (INT_MAX, MOST_POSITIVE_FIXNUM),
> >  1143              sizeof *charset_table);
> >
> > In this case, this loop dereferences a null pointer.
> >
> > igc.c:
> >  3477   mps_word_t *new_word = new_pa;
> >  3478   for (ptrdiff_t i = 0; i < (old_nitems * item_size) / sizeof (mps_word_t); i++)
> >  3479     new_word[i] = old_word[i];
> >
> > This apparently currently never happens in feature/igc, but it could,
> > and it does when using igc with emacs-mac's mac-win.el which defines
> > charsets.
> 
> Ouch. That seems to me to be a bug in how charset.c calls xpalloc, but
> I'm not sure whether there are other callers that rely on this behavior,
> so it's safest to work around it.

xpalloc handles this case:

  if (! pa)
    *nitems = 0;

Regarding the code in charset.c, it happened when xpalloc was added
there, see commit 0065d05491ce.  The original code called xmalloc and
then copied the table.  The FIXME comment at the end of the block
tries to explain why the obvious solution of passing &charset_table as
the first argument to xpalloc was not taken: we were not sure this is
not on purpose.
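As an added illustration of the check Eli points to (this is constructed example code, not Emacs's xpalloc or igc_xpalloc_ambig, and not anything posted in this thread), here is a simplified grow-and-copy routine in the same shape as the one discussed. The function names, the growth policy (grow by half, at least by nitems_incr_min) and the demo scenarios are assumptions for the example. The point it shows is that forcing `*nitems` to 0 when the old buffer is NULL makes the copy step a no-op, so a caller that passes NULL together with a stale non-zero count cannot make the routine read through the null pointer.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a simplified grow-and-copy routine modelled on the
   pattern in the bug (NULL old buffer, non-zero *nitems).  Not the Emacs
   implementation.  Returns the new buffer, or NULL if growth is impossible
   or allocation fails; on success *nitems is updated to the new capacity. */
void *
grow_copy (void *old_pa, ptrdiff_t *nitems, ptrdiff_t nitems_incr_min,
           ptrdiff_t nitems_max, ptrdiff_t item_size)
{
  /* The defensive check xpalloc performs: with no old buffer there is
     nothing to copy, whatever count the caller left in *nitems. */
  if (!old_pa)
    *nitems = 0;

  ptrdiff_t old_nitems = *nitems;
  ptrdiff_t new_nitems;

  /* Grow by half, but at least by nitems_incr_min; clamp to nitems_max. */
  if (old_nitems > nitems_max - old_nitems / 2)
    new_nitems = nitems_max;
  else
    new_nitems = old_nitems + old_nitems / 2;
  if (new_nitems - old_nitems < nitems_incr_min)
    new_nitems = old_nitems + nitems_incr_min;
  if (new_nitems > nitems_max || new_nitems <= old_nitems)
    return NULL;            /* cannot grow without exceeding nitems_max */
  if (item_size <= 0 || new_nitems > PTRDIFF_MAX / item_size)
    return NULL;            /* byte count would overflow */

  void *new_pa = malloc ((size_t) (new_nitems * item_size));
  if (!new_pa)
    return NULL;

  /* The copy step.  Because old_nitems was forced to 0 above when old_pa
     is NULL, this never reads from a null pointer. */
  if (old_nitems > 0)
    memcpy (new_pa, old_pa, (size_t) (old_nitems * item_size));
  free (old_pa);            /* free (NULL) is a no-op */
  *nitems = new_nitems;
  return new_pa;
}

/* Scenario from the bug: the caller passes NULL together with a stale,
   non-zero count.  Returns the resulting capacity (1: zero items plus the
   minimum increment), or 0 on failure. */
ptrdiff_t
grow_from_null_demo (void)
{
  ptrdiff_t n = 10;         /* stale count with no buffer behind it */
  int *p = grow_copy (NULL, &n, 1, INT_MAX, sizeof *p);
  if (!p)
    return 0;
  p[0] = 42;                /* capacity 1 is really usable */
  free (p);
  return n;
}

/* Normal growth: a 4-element buffer keeps its contents and gains room.
   Returns the new capacity (6), 0 on allocation failure, or -1 if the
   contents were not preserved. */
ptrdiff_t
grow_existing_demo (void)
{
  ptrdiff_t n = 4;
  int *p = malloc ((size_t) n * sizeof *p);
  if (!p)
    return 0;
  for (int i = 0; i < n; i++)
    p[i] = i * i;
  p = grow_copy (p, &n, 1, INT_MAX, sizeof *p);
  if (!p)
    return 0;
  for (int i = 0; i < 4; i++)
    if (p[i] != i * i)
      {
        free (p);
        return -1;
      }
  free (p);
  return n;
}
```

The first demo is the charset.c call shape: a NULL first argument and a count that does not describe any live buffer. Without the `if (!old_pa) *nitems = 0;` line the copy would run over `old_nitems * item_size` bytes starting at address 0, which is exactly the SEGV in the report; with it, the routine simply allocates a fresh buffer of the minimum size.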






GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.