GNU bug report logs - #8318
int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP


Package: emacs;

Reported by: Paul Eggert <eggert <at> cs.ucla.edu>

Date: Tue, 22 Mar 2011 09:14:01 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.




From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#8318: closed (int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP)
Date: Wed, 23 Mar 2011 22:07:13 +0000
[Message part 1 (text/plain, inline)]
Your message dated Wed, 23 Mar 2011 15:06:46 -0700
with message-id <4D8A6EF6.6010006 <at> cs.ucla.edu>
and subject line fix merged to trunk
has caused the GNU bug report #8318,
regarding int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
8318: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=8318
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: bug-gnu-emacs <at> gnu.org
Subject: int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP
Date: Tue, 22 Mar 2011 02:12:52 -0700
The SAFE_ALLOCA macro assumes that adding 1 to the integer
variable sa_must_free cannot overflow, but this assumption
is incorrect in some cases.  I plan to commit the following
patch to fix this.

I found this bug using gcc 4.5.2 -O2 -Wstrict-overflow.

* lisp.h (SAFE_ALLOCA, SAFE_ALLOCA_LISP): Avoid 'int' overflow
leading to a memory leak, possible in functions like
load_charset_map_from_file that can allocate an unbounded number
of objects.
=== modified file 'src/lisp.h'
--- src/lisp.h	2011-03-18 04:58:44 +0000
+++ src/lisp.h	2011-03-22 09:04:53 +0000
@@ -3602,7 +3602,7 @@
     else						  \
       {							  \
 	buf = (type) xmalloc (size);			  \
-	sa_must_free++;					  \
+	sa_must_free = 1;				  \
 	record_unwind_protect (safe_alloca_unwind,	  \
 			       make_save_value (buf, 0)); \
       }							  \
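Review bot: replacing `sa_must_free++` with `sa_must_free = 1;` turns the variable from a count into a flag, and since `record_unwind_protect (safe_alloca_unwind, make_save_value (buf, 0))` is registered in the same branch for every heap block, a nonzero flag is all the later cleanup needs; the declaration of sa_must_free and any comment that still describes it as a counter lie outside this hunk, so update them in the same commit so the new meaning is documented where the variable is defined.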
@@ -3632,7 +3632,7 @@
 	buf = (Lisp_Object *) xmalloc (size_);		  \
 	arg_ = make_save_value (buf, nelt);		  \
 	XSAVE_VALUE (arg_)->dogc = 1;			  \
-	sa_must_free++;					  \
+	sa_must_free = 1;				  \
 	record_unwind_protect (safe_alloca_unwind, arg_); \
       }							  \
   } while (0)
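Review bot: the same counter-to-flag change is repeated here for SAFE_ALLOCA_LISP, so the two macros now carry identical `sa_must_free = 1;` followed by `record_unwind_protect (...)` sequences; consider factoring the heap path into one shared helper macro so a later edit to one cannot drift from the other. The change itself is sound: `arg_ = make_save_value (buf, nelt)` with `dogc = 1` is still registered for every heap block, so dropping the count leaks nothing.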



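To make the reasoning behind the patch concrete, the following is an added model of the SAFE_ALLOCA pattern written for this page; it is not Emacs code. The names (sa_ctx, unwind_record, safe_alloca, safe_free, run_many_allocations, run_small_allocations) and the 1024-byte stack threshold are assumptions. It shows why a flag is enough: the unwind list already records one entry per heap block, so the per-block count that `sa_must_free++` maintained was redundant and only added an int that could overflow in a function allocating an unbounded number of objects.

```c
#include <stdlib.h>
#include <string.h>

/* Added model of the SAFE_ALLOCA pattern (not Emacs code).  Names and the
   1024-byte threshold are assumptions made for this example. */
#define SA_MAX_STACK 1024

/* One entry per heap block, playing the role of record_unwind_protect. */
struct unwind_record {
    void *ptr;
    struct unwind_record *next;
};

/* Per-function state.  must_free is a flag, set once at least one heap
   block exists; it never counts blocks, so it cannot overflow. */
struct sa_ctx {
    char stackbuf[SA_MAX_STACK];   /* stands in for real alloca() space */
    size_t stack_used;
    int must_free;
    struct unwind_record *unwinds;
};

void sa_init(struct sa_ctx *c)
{
    memset(c, 0, sizeof *c);
}

/* Small requests come from the stack buffer; larger ones (or a full
   buffer) fall back to the heap and are registered for cleanup. */
void *safe_alloca(struct sa_ctx *c, size_t size)
{
    if (size <= SA_MAX_STACK - c->stack_used) {
        void *p = c->stackbuf + c->stack_used;
        c->stack_used += size;
        return p;
    }
    struct unwind_record *r = malloc(sizeof *r);
    void *buf = malloc(size);
    if (r == NULL || buf == NULL) {
        free(r);
        free(buf);
        return NULL;
    }
    r->ptr = buf;
    r->next = c->unwinds;
    c->unwinds = r;
    c->must_free = 1;   /* flag, where the old macro did sa_must_free++ */
    return buf;
}

/* Cleanup at function exit (SAFE_FREE's role): walk the unwind list when
   the flag is set.  Returns the number of heap blocks released. */
size_t safe_free(struct sa_ctx *c)
{
    size_t freed = 0;
    if (c->must_free) {
        while (c->unwinds != NULL) {
            struct unwind_record *r = c->unwinds;
            c->unwinds = r->next;
            free(r->ptr);
            free(r);
            freed++;
        }
        c->must_free = 0;
    }
    c->stack_used = 0;
    return freed;
}

/* A function that allocates an unbounded number of large objects within one
   dynamic extent, the situation the report names for
   load_charset_map_from_file.  Returns how many heap blocks were freed. */
size_t run_many_allocations(size_t n)
{
    struct sa_ctx c;
    sa_init(&c);
    for (size_t i = 0; i < n; i++) {
        char *p = safe_alloca(&c, SA_MAX_STACK + 1);
        if (p != NULL)
            p[0] = '\0';
    }
    return safe_free(&c);
}

/* Same loop with small requests: those that fit the stack buffer need no
   cleanup, and only the overflow beyond it reaches the heap. */
size_t run_small_allocations(size_t n, size_t size)
{
    struct sa_ctx c;
    sa_init(&c);
    for (size_t i = 0; i < n; i++)
        safe_alloca(&c, size);
    return safe_free(&c);
}
```

The count returned by safe_free equals the number of heap blocks exactly because each block pushed its own unwind record; the flag only decides whether the walk happens at all, which is the same division of labour the patched macros rely on.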
[Message part 3 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: 8310-done <at> debbugs.gnu.org, 8318-done <at> debbugs.gnu.org, 
	8306-done <at> debbugs.gnu.org, 8303-done <at> debbugs.gnu.org, 
	8277-done <at> debbugs.gnu.org, 8298-done <at> debbugs.gnu.org, 
	8290-done <at> debbugs.gnu.org, 8278-done <at> debbugs.gnu.org
Subject: fix merged to trunk
Date: Wed, 23 Mar 2011 15:06:46 -0700
I committed a fix to the trunk for this,
as part of a recent merge (bzr 103721).




