GNU bug report logs - #8335
buffer overrun in (x-change-window-property "FOO" '(0 bad))
Reported by: Paul Eggert <eggert <at> cs.ucla.edu>
Date: Thu, 24 Mar 2011 01:15:02 UTC
Severity: normal
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 8335 in the body.
You can then email your comments to 8335 AT debbugs.gnu.org in the normal way.
Report forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org: bug#8335; Package emacs. (Thu, 24 Mar 2011 01:15:02 GMT)
Acknowledgement sent to Paul Eggert <eggert <at> cs.ucla.edu>: New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Thu, 24 Mar 2011 01:15:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
src/xselect.c's function x_check_property_data has a coding error, in
that it never reports an error. This can lead to corrupted memory.
For example, the Lisp code (x-change-window-property "FOO" '(0 bad))
internally does a malloc (0) and then stores through the resulting
pointer.
This bug was found by static analysis, using gcc -Wstrict-overflow
(GCC 4.5.2, x86-64).
I plan to fix it with the following patch.
* xselect.c (x_check_property_data): Don't return wrong size.
=== modified file 'src/xselect.c'
--- src/xselect.c 2011-03-10 01:36:58 +0000
+++ src/xselect.c 2011-03-24 01:04:41 +0000
@@ -2190,7 +2190,8 @@
***********************************************************************/
/* Check that lisp values are of correct type for x_fill_property_data.
That is, number, string or a cons with two numbers (low and high 16
- bit parts of a 32 bit number). */
+ bit parts of a 32 bit number). Return the number of items in DATA,
+ or -1 if there is an error. */
int
x_check_property_data (Lisp_Object data)
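Review bot: the new comment states the -1 contract but leaves the shape of DATA implicit; since the loop in the next hunk stops at the first non-cons tail, an atom or an improper list yields the count of cons cells seen rather than -1, so a sentence such as "DATA must be a proper list" here would make the accepted input explicit.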
@@ -2198,15 +2199,16 @@
Lisp_Object iter;
int size = 0;
- for (iter = data; CONSP (iter) && size != -1; iter = XCDR (iter), ++size)
+ for (iter = data; CONSP (iter); iter = XCDR (iter))
{
Lisp_Object o = XCAR (iter);
if (! NUMBERP (o) && ! STRINGP (o) && ! CONSP (o))
- size = -1;
+ return -1;
else if (CONSP (o) &&
(! NUMBERP (XCAR (o)) || ! NUMBERP (XCDR (o))))
- size = -1;
+ return -1;
+ size++;
}
return size;
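Review bot: the early `return -1` is the right fix, and the reason the old code failed deserves a line in the commit message: after the body set `size = -1`, the for-increment `++size` ran before the `size != -1` test, resetting size to 0, so the error was never seen and the returned count was short by the rejected element. That is exactly how '(0 bad) produced a size of 0 and hence a malloc (0). The hunk does not show x_check_property_data's callers; each of them must treat -1 as an error before using the result to size an allocation.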
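As an added example (not code from the report or from Emacs), the following stand-alone C program reproduces the loop defect message #5 describes, placing the pre-patch loop beside the patched one so the effect on '(0 bad) is visible. The `Obj` type, `mk`, `cons`, `atom` and `report_list` are constructed stand-ins for Emacs's Lisp_Object and its accessors, not the real ones.

```c
#include <stdlib.h>

/* Constructed stand-in for the Lisp values x_check_property_data inspects
   (not Emacs's Lisp_Object): a tag, plus car/cdr for cons cells.  */
typedef enum { T_NIL, T_NUMBER, T_STRING, T_SYMBOL, T_CONS } Tag;
typedef struct Obj { Tag tag; struct Obj *car, *cdr; } Obj;
static Obj nil_obj = { T_NIL, NULL, NULL };
#define NIL (&nil_obj)
#define CONSP(o) ((o)->tag == T_CONS)
#define NUMBERP(o) ((o)->tag == T_NUMBER)
#define STRINGP(o) ((o)->tag == T_STRING)

static Obj *mk (Tag tag, Obj *car, Obj *cdr) {
  Obj *o = malloc (sizeof *o); if (!o) abort ();
  o->tag = tag; o->car = car; o->cdr = cdr;
  return o;
}
static Obj *cons (Obj *car, Obj *cdr) { return mk (T_CONS, car, cdr); }
static Obj *atom (Tag tag) { return mk (tag, NULL, NULL); }

/* Pre-patch loop.  After the body sets size = -1, the for-increment
   `++size' still runs and turns it back into 0, so the condition
   `size != -1' never fires: the error and the true count are lost.  */
int check_property_data_old (Obj *data) {
  Obj *iter; int size = 0;
  for (iter = data; CONSP (iter) && size != -1; iter = iter->cdr, ++size) {
    Obj *o = iter->car;
    if (! NUMBERP (o) && ! STRINGP (o) && ! CONSP (o))
      size = -1;
    else if (CONSP (o) && (! NUMBERP (o->car) || ! NUMBERP (o->cdr)))
      size = -1;
  }
  return size;
}

/* Patched loop: report the error as soon as it is found.  */
int check_property_data_new (Obj *data) {
  Obj *iter; int size = 0;
  for (iter = data; CONSP (iter); iter = iter->cdr) {
    Obj *o = iter->car;
    if (! NUMBERP (o) && ! STRINGP (o) && ! CONSP (o))
      return -1;
    else if (CONSP (o) && (! NUMBERP (o->car) || ! NUMBERP (o->cdr)))
      return -1;
    size++;
  }
  return size;
}

/* The report's argument '(0 bad): a number followed by a symbol.  */
Obj *report_list (void) { return cons (atom (T_NUMBER), cons (atom (T_SYMBOL), NIL)); }
```

With the report's list the old loop returns 0 (the value that fed malloc (0)) while the patched loop returns -1; a rejected element in the middle of the list likewise yields a short, positive count from the old code.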
Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>: You have taken responsibility. (Wed, 30 Mar 2011 00:54:02 GMT)
Notification sent to Paul Eggert <eggert <at> cs.ucla.edu>: bug acknowledged by developer. (Wed, 30 Mar 2011 00:54:02 GMT)
Message #10 received at 8335-done <at> debbugs.gnu.org (full text, mbox):
I committed a fix to the trunk for this,
as part of a recent merge (bzr 103776).
For Bug#8344, the merge uses size_t rather
than EMACS_INT for argument counts as I proposed earlier,
since the argument counts are always nonnegative
and are limited just by sizes that can be counted
at the C level.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 27 Apr 2011 11:24:04 GMT)
This bug report was last modified 14 years and 117 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.