GNU bug report logs - #8318
int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP
Reported by: Paul Eggert <eggert <at> cs.ucla.edu>
Date: Tue, 22 Mar 2011 09:14:01 UTC
Severity: normal
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
Message #5 received at submit <at> debbugs.gnu.org:
The SAFE_ALLOCA macro assumes that adding 1 to the integer
variable sa_must_free cannot overflow, but this assumption
is incorrect in some cases. I plan to commit the following
patch to fix this.
I found this bug using gcc 4.5.2 -O2 -Wstrict-overflow.
* lisp.h (SAFE_ALLOCA, SAFE_ALLOCA_LISP): Avoid 'int' overflow
leading to a memory leak, possible in functions like
load_charset_map_from_file that can allocate an unbounded number
of objects.
=== modified file 'src/lisp.h'
--- src/lisp.h 2011-03-18 04:58:44 +0000
+++ src/lisp.h 2011-03-22 09:04:53 +0000
@@ -3602,7 +3602,7 @@
else \
{ \
buf = (type) xmalloc (size); \
- sa_must_free++; \
+ sa_must_free = 1; \
record_unwind_protect (safe_alloca_unwind, \
make_save_value (buf, 0)); \
} \
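Review bot: Replacing `sa_must_free++` with `sa_must_free = 1` turns the variable from a counter into a flag, so the change is only sound if every reader of sa_must_free (SAFE_FREE in particular) tests it as a boolean and never decrements it or compares it against an allocation count; the ChangeLog entry should say that this was verified. The entry also names "a memory leak" without giving the path from the overflowed counter to the skipped cleanup; one sentence on that mechanism would help later readers, as would noting that signed overflow is undefined in C, which is why -Wstrict-overflow reports it and why the optimizer cannot be trusted to preserve a check on the wrapped value.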
@@ -3632,7 +3632,7 @@
buf = (Lisp_Object *) xmalloc (size_); \
arg_ = make_save_value (buf, nelt); \
XSAVE_VALUE (arg_)->dogc = 1; \
- sa_must_free++; \
+ sa_must_free = 1; \
record_unwind_protect (safe_alloca_unwind, arg_); \
} \
} while (0)
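Review bot: Same flag-for-counter substitution as in the SAFE_ALLOCA hunk above, applied to SAFE_ALLOCA_LISP, so the two macros stay consistent. Since both sites now only ever write 1, a short comment where sa_must_free is declared (stating that it is a boolean and must never be incremented) would keep a future macro from reintroducing the unbounded increment in callers like load_charset_map_from_file.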
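To show why a flag is enough here, the following is an added, constructed C model of the stack-or-heap allocation pattern that SAFE_ALLOCA implements; it is not Emacs code, and the names `record_unwind_protect`, `unbind_to`, `safe_alloca_model` and the unwind stack are hypothetical stand-ins for the real ones. Each heap allocation registers its own cleanup record, so the per-function state only needs to remember whether at least one record exists; assigning 1 is idempotent no matter how many allocations a loop performs, whereas an `int` counter grows without bound.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an unwind-protect stack (hypothetical, not Emacs's). */
#define MAX_UNWIND 64

struct unwind_rec { void (*fn)(void *); void *arg; };
static struct unwind_rec unwind_stack[MAX_UNWIND];
static int unwind_depth = 0;   /* number of live unwind records */
static int freed_count = 0;    /* heap buffers released so far */

static void free_unwind(void *p) { free(p); freed_count++; }

/* Push a cleanup record; one per heap buffer, like record_unwind_protect. */
static void record_unwind_protect(void (*fn)(void *), void *arg) {
    assert(unwind_depth < MAX_UNWIND);
    unwind_stack[unwind_depth].fn = fn;
    unwind_stack[unwind_depth].arg = arg;
    unwind_depth++;
}

/* Run every record above 'count', newest first (unbind_to analogue). */
static void unbind_to(int count) {
    while (unwind_depth > count) {
        unwind_depth--;
        unwind_stack[unwind_depth].fn(unwind_stack[unwind_depth].arg);
    }
}

/* Requests below this size use a fixed stack buffer; larger ones go to the
   heap and are registered for cleanup, mirroring the SAFE_ALLOCA branches. */
#define MAX_ALLOCA 32

/* Perform n allocations of the given sizes inside one "function", then run
   the SAFE_FREE step.  Returns how many heap buffers were freed by unwinding. */
int safe_alloca_model(const size_t *sizes, int n) {
    char stack_buf[MAX_ALLOCA];
    int must_free = 0;             /* flag, as in the fixed macro: 0 or 1 only */
    int count = unwind_depth;      /* SPECPDL_INDEX analogue */
    int freed_before = freed_count;

    for (int i = 0; i < n; i++) {
        char *buf;
        if (sizes[i] < MAX_ALLOCA) {
            buf = stack_buf;       /* no cleanup needed */
        } else {
            buf = malloc(sizes[i]);
            assert(buf != NULL);
            must_free = 1;         /* idempotent: cannot overflow */
            record_unwind_protect(free_unwind, buf);
        }
        memset(buf, 0, sizes[i]);  /* use the buffer */
    }

    /* SAFE_FREE analogue: the flag only decides whether to unwind; the
       unwind stack itself knows how many buffers to release. */
    if (must_free)
        unbind_to(count);
    assert(must_free == 0 || must_free == 1);
    return freed_count - freed_before;
}
```

Running the model with only small requests returns 0 and leaves the unwind stack untouched; mixing in heap-sized requests frees exactly as many buffers as were registered, while `must_free` never exceeds 1.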