GNU bug report logs - #8318
int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP


Package: emacs;

Reported by: Paul Eggert <eggert <at> cs.ucla.edu>

Date: Tue, 22 Mar 2011 09:14:01 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Report forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org:
bug#8318; Package emacs. (Tue, 22 Mar 2011 09:14:01 GMT)

Acknowledgement sent to Paul Eggert <eggert <at> cs.ucla.edu>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Tue, 22 Mar 2011 09:14:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: bug-gnu-emacs <at> gnu.org
Subject: int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP
Date: Tue, 22 Mar 2011 02:12:52 -0700

The SAFE_ALLOCA macro assumes that adding 1 to the integer
variable sa_must_free cannot overflow, but this assumption
is incorrect in some cases.  I plan to commit the following
patch to fix this.

I found this bug using gcc 4.5.2 -O2 -Wstrict-overflow.

* lisp.h (SAFE_ALLOCA, SAFE_ALLOCA_LISP): Avoid 'int' overflow
leading to a memory leak, possible in functions like
load_charset_map_from_file that can allocate an unbounded number
of objects.

=== modified file 'src/lisp.h'
--- src/lisp.h	2011-03-18 04:58:44 +0000
+++ src/lisp.h	2011-03-22 09:04:53 +0000
@@ -3602,7 +3602,7 @@
     else						  \
       {							  \
 	buf = (type) xmalloc (size);			  \
-	sa_must_free++;					  \
+	sa_must_free = 1;				  \
 	record_unwind_protect (safe_alloca_unwind,	  \
 			       make_save_value (buf, 0)); \
       }							  \
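Review bot: replacing `sa_must_free++` with `sa_must_free = 1` changes the variable from a count into a pure flag, which is the right fix for the overflow described in the report, but it only holds if the matching cleanup path (SAFE_FREE / safe_alloca_unwind, not shown here) tests `sa_must_free` for nonzero and does not count it back down; please confirm that, and consider declaring the variable as a boolean in a follow-up so the intent of `= 1` is visible at the declaration rather than only in this macro.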
@@ -3632,7 +3632,7 @@
 	buf = (Lisp_Object *) xmalloc (size_);		  \
 	arg_ = make_save_value (buf, nelt);		  \
 	XSAVE_VALUE (arg_)->dogc = 1;			  \
-	sa_must_free++;					  \
+	sa_must_free = 1;				  \
 	record_unwind_protect (safe_alloca_unwind, arg_); \
       }							  \
   } while (0)
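Review bot: the SAFE_ALLOCA_LISP hunk makes the same `++` to `= 1` replacement as the SAFE_ALLOCA hunk above; since both macros now set the flag identically right before `record_unwind_protect`, it is worth grepping the rest of lisp.h and alloc.c for any other `sa_must_free++` so that no third site keeps the wrapping counter, and the ChangeLog entry could name the cleanup macro whose check the flag feeds, which is what actually turns the overflow into the leak.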

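The failure mode the report describes, as an added C model that is not part of the bug report or of Emacs: a cleanup step that frees registered heap buffers only when a per-allocation counter is nonzero. To make the wraparound reachable and well-defined in a short run, the model (an assumption of this example) uses an 8-bit unsigned counter in place of the real `int`, whose signed overflow is undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the SAFE_ALLOCA bookkeeping: each heap allocation is
   registered for release on unwind, and the release step (SAFE_FREE in the
   real code) only runs when the "must free" variable is nonzero.  The
   counter is uint8_t here (assumption for the demo) so it wraps after 256. */
enum { MAX_BUFS = 512 };

struct alloca_ctx {
    void *bufs[MAX_BUFS];   /* buffers registered for unwind */
    size_t nbufs;
    uint8_t must_free;      /* stand-in for sa_must_free */
};

/* Old behaviour: incremented once per allocation, so it can wrap to 0. */
static void alloc_counting(struct alloca_ctx *c, size_t size)
{
    c->bufs[c->nbufs++] = malloc(size);
    c->must_free++;
}

/* Fixed behaviour: a flag that is only ever set, never incremented. */
static void alloc_flag(struct alloca_ctx *c, size_t size)
{
    c->bufs[c->nbufs++] = malloc(size);
    c->must_free = 1;
}

/* Perform nallocs allocations (capped at MAX_BUFS) with the old or the fixed
   macro, then report how many buffers the cleanup check would have skipped.
   The buffers are released afterwards regardless, so the demo itself does
   not leak; the return value is what the real SAFE_FREE would have lost. */
size_t leaked_after(size_t nallocs, int fixed)
{
    struct alloca_ctx c = {0};
    if (nallocs > MAX_BUFS) nallocs = MAX_BUFS;
    for (size_t i = 0; i < nallocs; i++)
        (fixed ? alloc_flag : alloc_counting)(&c, 16);
    size_t leaked = c.must_free ? 0 : c.nbufs;   /* cleanup gated on the flag */
    for (size_t i = 0; i < c.nbufs; i++) free(c.bufs[i]);
    return leaked;
}

int main(void)
{
    printf("counter, 255 allocs: %zu leaked\n", leaked_after(255, 0));
    printf("counter, 256 allocs: %zu leaked\n", leaked_after(256, 0));
    printf("flag,    256 allocs: %zu leaked\n", leaked_after(256, 1));
    return 0;
}
```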
Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Wed, 23 Mar 2011 22:07:13 GMT)

Notification sent to Paul Eggert <eggert <at> cs.ucla.edu>:
bug acknowledged by developer. (Wed, 23 Mar 2011 22:07:13 GMT)

Message #10 received at 8318-done <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: 8310-done <at> debbugs.gnu.org, 8318-done <at> debbugs.gnu.org, 
	8306-done <at> debbugs.gnu.org, 8303-done <at> debbugs.gnu.org, 
	8277-done <at> debbugs.gnu.org, 8298-done <at> debbugs.gnu.org, 
	8290-done <at> debbugs.gnu.org, 8278-done <at> debbugs.gnu.org
Subject: fix merged to trunk
Date: Wed, 23 Mar 2011 15:06:46 -0700

I committed a fix to the trunk for this,
as part of a recent merge (bzr 103721).

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 21 Apr 2011 11:24:05 GMT)
