From: bug#8318 <8318@debbugs.gnu.org>
Subject: Status: int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP
Date: Fri, 15 Aug 2025 11:02:41 +0000

retitle 8318 int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP
reassign 8318 emacs
submitter 8318 Paul Eggert
severity 8318 normal
thanks

Date: Tue, 22 Mar 2011 02:12:52 -0700
From: Paul Eggert
Organization: UCLA Computer Science Department
To: bug-gnu-emacs@gnu.org
Subject: int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP

The SAFE_ALLOCA macro assumes that adding 1 to the integer variable sa_must_free cannot overflow, but this assumption is incorrect in some cases. I plan to commit the following patch to fix this. I found this bug using gcc 4.5.2 -O2 -Wstrict-overflow.

* lisp.h (SAFE_ALLOCA, SAFE_ALLOCA_LISP): Avoid 'int' overflow leading to a memory leak, possible in functions like load_charset_map_from_file that can allocate an unbounded number of objects.

=== modified file 'src/lisp.h' --- src/lisp.h 2011-03-18 04:58:44 +0000 +++ src/lisp.h 2011-03-22 09:04:53 +0000 @@ -3602,7 +3602,7 @@ else \ { \ buf = (type) xmalloc (size); \ - sa_must_free++; \ + sa_must_free = 1; \ record_unwind_protect (safe_alloca_unwind, \ make_save_value (buf, 0)); \ } \ 
@@ -3632,7 +3632,7 @@ buf = (Lisp_Object *) xmalloc (size_); \ arg_ = make_save_value (buf, nelt); \ XSAVE_VALUE (arg_)->dogc = 1; \ - sa_must_free++; \ + sa_must_free = 1; \ record_unwind_protect (safe_alloca_unwind, arg_); \ } \ } while (0)

Date: Wed, 23 Mar 2011 15:06:46 -0700
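
Review bot: In the SAFE_ALLOCA hunk, the new "sa_must_free = 1;" in the else branch turns sa_must_free from a count into a flag, and nothing in the hunk records that. The code that reads sa_must_free is not shown here, so please confirm it only tests for nonzero, and add a short comment at the assignment (or at the variable's declaration) saying the assignment is deliberate, so a later cleanup does not restore the "++".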
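
Review bot: In the SAFE_ALLOCA_LISP hunk, the context line "buf = (Lisp_Object *) xmalloc (size_);" relies on a size_ whose computation from nelt falls outside the hunk. Since the commit message says callers can allocate an unbounded number of objects, check that deriving size_ from nelt cannot overflow either, and say in the ChangeLog entry whether that was reviewed alongside the sa_must_free change.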
From: Paul Eggert
Organization: UCLA Computer Science Department
To: 8310-done@debbugs.gnu.org, 8318-done@debbugs.gnu.org, 8306-done@debbugs.gnu.org, 8303-done@debbugs.gnu.org, 8277-done@debbugs.gnu.org, 8298-done@debbugs.gnu.org, 8290-done@debbugs.gnu.org, 8278-done@debbugs.gnu.org
Subject: fix merged to trunk

I committed a fix to the trunk for this, as part of a recent merge (bzr 103721).

From: Debbugs Internal Request
Subject: Internal Control
Date: Thu, 21 Apr 2011 11:24:05 +0000

bug archived.
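
The failure mode this report describes, as an added C example that is not Emacs code and not part of the original thread: a cleanup flag incremented once per heap allocation can wrap back to zero, so the cleanup test is skipped and every block is missed, while assigning 1 cannot wrap. It assumes the cleanup path only tests the flag for nonzero, and uses a hypothetical 8-bit flag_t so the wrap occurs after 256 allocations with defined behaviour; all names are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the pattern in the report; not code from src/lisp.h.
   flag_t is a hypothetical narrow stand-in for 'int': unsigned arithmetic
   wraps with defined behaviour, so the effect shows after 256 steps.  */
typedef unsigned char flag_t;
enum { MAX_BLOCKS = 1024 };

/* Stand-in for the unwind-protect stack that remembers heap blocks.  */
struct unwind_list { void *block[MAX_BLOCKS]; size_t count; };

static size_t release_all (struct unwind_list *u)
{
  size_t released = u->count;
  while (u->count > 0)
    free (u->block[--u->count]);
  return released;
}

/* Allocate up to n blocks the way the macro's heap branch does, then run
   the cleanup test.  Returns how many blocks that test failed to release
   (they are swept afterwards so the demo itself leaks nothing).  */
size_t blocks_missed (size_t n, int use_increment)
{
  struct unwind_list u = { { 0 }, 0 };
  flag_t must_free = 0;
  for (size_t i = 0; i < n && i < MAX_BLOCKS; i++)
    {
      void *p = malloc (16);
      if (!p) break;
      u.block[u.count++] = p;
      if (use_increment)
        must_free++;            /* before the patch: a counter that can wrap */
      else
        must_free = 1;          /* after the patch: a flag that cannot wrap */
    }
  size_t allocated = u.count;
  size_t released = must_free ? release_all (&u) : 0;  /* assumed cleanup test */
  release_all (&u);             /* demo-only sweep of anything left behind */
  return allocated - released;
}

int main (void)
{
  printf ("increment: %zu missed, assignment: %zu missed\n",
          blocks_missed (256, 1), blocks_missed (256, 0));
  return 0;
}
```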