GNU bug report logs - #8318
int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP


Package: emacs;

Reported by: Paul Eggert <eggert <at> cs.ucla.edu>

Date: Tue, 22 Mar 2011 09:14:01 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.




From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Paul Eggert <eggert <at> cs.ucla.edu>
Subject: bug#8318: closed (fix merged to trunk)
Date: Wed, 23 Mar 2011 22:07:13 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#8318: int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 8318 <at> debbugs.gnu.org.

-- 
8318: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=8318
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: 8310-done <at> debbugs.gnu.org, 8318-done <at> debbugs.gnu.org, 
	8306-done <at> debbugs.gnu.org, 8303-done <at> debbugs.gnu.org, 
	8277-done <at> debbugs.gnu.org, 8298-done <at> debbugs.gnu.org, 
	8290-done <at> debbugs.gnu.org, 8278-done <at> debbugs.gnu.org
Subject: fix merged to trunk
Date: Wed, 23 Mar 2011 15:06:46 -0700
I committed a fix to the trunk for this,
as part of a recent merge (bzr 103721).

[Message part 3 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: bug-gnu-emacs <at> gnu.org
Subject: int overflow problem in SAFE_ALLOCA, SAFE_ALLOCA_LISP
Date: Tue, 22 Mar 2011 02:12:52 -0700
The SAFE_ALLOCA macro assumes that adding 1 to the integer
variable sa_must_free cannot overflow, but this assumption
is incorrect in some cases.  I plan to commit the following
patch to fix this.

I found this bug using gcc 4.5.2 -O2 -Wstrict-overflow.

* lisp.h (SAFE_ALLOCA, SAFE_ALLOCA_LISP): Avoid 'int' overflow
leading to a memory leak, possible in functions like
load_charset_map_from_file that can allocate an unbounded number
of objects.
=== modified file 'src/lisp.h'
--- src/lisp.h	2011-03-18 04:58:44 +0000
+++ src/lisp.h	2011-03-22 09:04:53 +0000
@@ -3602,7 +3602,7 @@
     else						  \
       {							  \
 	buf = (type) xmalloc (size);			  \
-	sa_must_free++;					  \
+	sa_must_free = 1;				  \
 	record_unwind_protect (safe_alloca_unwind,	  \
 			       make_save_value (buf, 0)); \
       }							  \
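Review bot: `sa_must_free = 1;` turns the variable from a count of heap-path allocations into a boolean, which is only correct if every reader of sa_must_free (SAFE_FREE and any other consumer, none visible in this hunk) tests it for non-zero rather than depending on the count; worth confirming in lisp.h, and worth adding a one-line comment at the declaration of sa_must_free saying it is now a flag, since the ChangeLog entry alone does not record the new invariant.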
@@ -3632,7 +3632,7 @@
 	buf = (Lisp_Object *) xmalloc (size_);		  \
 	arg_ = make_save_value (buf, nelt);		  \
 	XSAVE_VALUE (arg_)->dogc = 1;			  \
-	sa_must_free++;					  \
+	sa_must_free = 1;				  \
 	record_unwind_protect (safe_alloca_unwind, arg_); \
       }							  \
   } while (0)
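Review bot: the counter-to-flag change is applied identically here for the Lisp_Object case, which keeps the two macros consistent; the overflow question this hunk still leaves open is the size computation, since `xmalloc (size_)` sits next to `make_save_value (buf, nelt)` and size_ is derived from nelt above the hunk (not shown), so it is worth confirming that the nelt * sizeof (Lisp_Object) product is guarded as well, as this patch only addresses the counter.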


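The counter-versus-flag behaviour the report describes, as an added example that models the SAFE_ALLOCA / SAFE_FREE bookkeeping in plain C. This is not Emacs's code and not the report's; the unwind list, the malloc-based stand-in for xmalloc, the allocation counts and the two's-complement wrap assumed for the old counter are all constructed for the demonstration.

```c
/* Added example, not code from Emacs or from the bug report: a model of
   the SAFE_ALLOCA / SAFE_FREE bookkeeping showing why an int counter that
   is only ever tested for non-zero should be a flag instead.  The unwind
   list, the allocation counts and the two's-complement wrap assumed for
   the counter are all constructed for this demonstration. */
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for record_unwind_protect / unbind_to: a bounded
   list of heap buffers to free when the dynamic extent is unbound. */
#define MAX_PENDING 8
static void *pending[MAX_PENDING];
static int npending;

static void record_unwind_protect(void *buf)
{
  if (npending < MAX_PENDING)
    pending[npending++] = buf;
  else
    free(buf);                  /* list full: do not leak in the model itself */
}

static void unbind_to(int count)
{
  while (npending > count)
    free(pending[--npending]);
}

/* Value an int holds after n increments from 0 if the increments wrap
   modulo 2^32.  In the 'before' code 'sa_must_free++' is a signed int, so
   the real behaviour past INT_MAX is undefined; wrap is assumed here only
   to model what compiled code may do.  For n == 2^32 the result is 0. */
static int counter_after(unsigned long long n)
{
  return (int)(unsigned)n;
}

/* Value after n heap-path allocations with the patched 'sa_must_free = 1'. */
static int flag_after(unsigned long long n)
{
  return n > 0;
}

/* SAFE_FREE as modelled here: unbind only when sa_must_free is non-zero.
   Returns 1 if the cleanup ran, 0 if it was skipped. */
static int safe_free(int *sa_must_free, int sa_count)
{
  if (*sa_must_free)
    {
      *sa_must_free = 0;
      unbind_to(sa_count);
      return 1;
    }
  return 0;
}

/* Simulate 'nallocs' heap-path SAFE_ALLOCA calls in one dynamic extent
   followed by SAFE_FREE, using counter (use_flag == 0) or flag
   (use_flag == 1) bookkeeping.  Only a handful of real buffers are
   recorded; nallocs is used to derive the final sa_must_free value.
   Returns the number of recorded buffers SAFE_FREE left unfreed. */
static int simulate(unsigned long long nallocs, int use_flag)
{
  int sa_count = npending;
  int sa_must_free;
  int leaked;

  for (unsigned long long i = 0; i < nallocs && i < MAX_PENDING; i++)
    record_unwind_protect(malloc(16));

  sa_must_free = use_flag ? flag_after(nallocs) : counter_after(nallocs);
  safe_free(&sa_must_free, sa_count);

  leaked = npending - sa_count;
  unbind_to(sa_count);          /* release anything leaked so the model can be rerun */
  return leaked;
}

int main(void)
{
  unsigned long long wrap = 1ULL << 32;   /* enough increments to wrap a 32-bit int to 0 */
  printf("counter, 1 alloc:     leaked %d\n", simulate(1, 0));
  printf("counter, 2^32 allocs: leaked %d\n", simulate(wrap, 0));
  printf("flag,    2^32 allocs: leaked %d\n", simulate(wrap, 1));
  return 0;
}
```

The interesting case is the second line: after 2^32 increments the modelled counter reads 0, SAFE_FREE sees "nothing to free" and skips unbind_to, so every buffer recorded in that extent stays allocated; with the flag the value is 1 regardless of how many allocations preceded it and the cleanup always runs. The wrap is a modelling assumption, since the real signed increment is undefined behaviour, which is exactly what -Wstrict-overflow was complaining about.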





GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.