From: Paul Eggert
To: bug-gnu-emacs@gnu.org
Subject: bug#8335: buffer overrun in (x-change-window-property "FOO" '(0 bad))
Date: Wed, 23 Mar 2011 18:13:57 -0700
Message-ID: <4D8A9AD5.5090801@cs.ucla.edu>

src/xselect.c's function x_check_property_data has a coding error, in that it never reports an error. This can lead to corrupted memory. For example, the Lisp code (x-change-window-property "FOO" '(0 bad)) internally does a malloc (0) and then stores through the resulting pointer. This bug was found by static analysis, using gcc -Wstrict-overflow (GCC 4.5.2, x86-64). I plan to fix it with the following patch.

* xselect.c (x_check_property_data): Don't return wrong size.

=== modified file 'src/xselect.c' --- src/xselect.c 2011-03-10 01:36:58 +0000 +++ src/xselect.c 2011-03-24 01:04:41 +0000 @@ -2190,7 +2190,8 @@ ***********************************************************************/ /* Check that lisp values are of correct type for x_fill_property_data. That is, number, string or a cons with two numbers (low and high 16 - bit parts of a 32 bit number). */ + bit parts of a 32 bit number). Return the number of items in DATA, + or -1 if there is an error. */ int x_check_property_data (Lisp_Object data)
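Review bot: the updated comment documents the -1 error return but not the rest of the contract a caller that sizes a malloc from this count needs: the loop walks DATA only while CONSP (iter), so nil yields 0 and an improper tail such as '(0 . bad) is silently accepted as one item rather than rejected, and the "two numbers" clause is checked only with NUMBERP, not for the 16-bit range the comment promises. Spell out here that the result is only meaningful after a < 0 test, and either document or reject improper lists and out-of-range halves.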
@@ -2198,15 +2199,16 @@ Lisp_Object iter; int size = 0; - for (iter = data; CONSP (iter) && size != -1; iter = XCDR (iter), ++size) + for (iter = data; CONSP (iter); iter = XCDR (iter)) { Lisp_Object o = XCAR (iter); if (! NUMBERP (o) && ! STRINGP (o) && ! CONSP (o)) - size = -1; + return -1; else if (CONSP (o) && (! NUMBERP (XCAR (o)) || ! NUMBERP (XCDR (o)))) - size = -1; + return -1; + size++; } return size;
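Review bot: the removed guard `size != -1` could never stop the loop, because the for-increment `++size` ran after the body set `size = -1` and turned it back into 0, so '(0 bad) came out as size 0 and the caller allocated nothing before filling two items; the early `return -1` is the right fix and also removes the need for the sentinel in the loop condition. Two follow-ups on the same lines: `size` is still a plain `int` incremented once per element, so a list longer than INT_MAX elements wraps it (possibly onto -1 or onto a count smaller than the list), which is the same class of count-type issue the thread later resolves with size_t for Bug#8344; consider a wider type or an explicit upper bound. Also, `! NUMBERP (XCAR (o)) || ! NUMBERP (XCDR (o))` accepts any number for the two halves, so if x_fill_property_data packs them as 16-bit parts that range is unchecked here.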
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Paul Eggert
Subject: bug#8335: closed (fix merged to trunk)
Date: Wed, 30 Mar 2011 00:54:02 +0000

Your bug report #8335: buffer overrun in (x-change-window-property "FOO" '(0 bad)) which was filed against the emacs package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 8335@debbugs.gnu.org.

-- 
8335: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=8335
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Paul Eggert
To: 8344-done@debbugs.gnu.org, 8336-done@debbugs.gnu.org, 8335-done@debbugs.gnu.org
Subject: fix merged to trunk
Date: Tue, 29 Mar 2011 17:53:19 -0700
Message-ID: <4D927EFF.1080308@cs.ucla.edu>

I committed a fix to the trunk for this, as part of a recent merge (bzr 103776). For Bug#8344, the merge uses size_t rather than EMACS_INT for argument counts as I proposed earlier, since the argument counts are always nonnegative and are limited just by sizes that can be counted at the C level.
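The failure described in the original report, as an added C example that is not part of the bug report or of Emacs: a toy tagged-value stand-in for Lisp_Object, the pre-patch loop transcribed from the hunk, the post-patch loop, and a helper that computes how many elements a caller would write past a buffer sized from the returned count. The `struct obj` type, the tag and function names, and the constructed lists are assumptions of this example; Emacs' real object representation differs.

```c
/* Added example, not Emacs code: a minimal model of x_check_property_data
 * that reproduces the pre-patch bug from bug#8335 and the patched logic.
 * `struct obj`, the tag names, the function names and the sample lists are
 * assumptions of this example; Emacs' real Lisp_Object differs. */
#include <stddef.h>
#include <stdio.h>

enum tag { T_NUM, T_STR, T_CONS, T_SYM, T_NIL };

struct obj {
    enum tag tag;
    struct obj *car, *cdr;           /* meaningful only when tag == T_CONS */
};

static int numberp(const struct obj *o) { return o->tag == T_NUM; }
static int stringp(const struct obj *o) { return o->tag == T_STR; }
static int consp(const struct obj *o)   { return o->tag == T_CONS; }

/* Pre-patch logic, transcribed from the hunk. The error sentinel is set in
 * the body, but the for-increment `++size` runs afterwards and turns -1
 * back into 0, so `size != -1` never fires and a bad list yields a wrong
 * non-negative count instead of an error. */
int check_property_data_buggy(const struct obj *data)
{
    const struct obj *iter;
    int size = 0;
    for (iter = data; consp(iter) && size != -1; iter = iter->cdr, ++size) {
        const struct obj *o = iter->car;
        if (!numberp(o) && !stringp(o) && !consp(o))
            size = -1;
        else if (consp(o) && (!numberp(o->car) || !numberp(o->cdr)))
            size = -1;
    }
    return size;
}

/* Post-patch logic: report the first bad element immediately. */
int check_property_data_fixed(const struct obj *data)
{
    const struct obj *iter;
    int size = 0;
    for (iter = data; consp(iter); iter = iter->cdr) {
        const struct obj *o = iter->car;
        if (!numberp(o) && !stringp(o) && !consp(o))
            return -1;
        else if (consp(o) && (!numberp(o->car) || !numberp(o->cdr)))
            return -1;
        size++;
    }
    return size;
}

/* Caller's view: a buffer of `size` slots is allocated from the checker's
 * result and one slot is written per list element. Returns how many writes
 * would land past the end of that buffer (computed, never performed). */
size_t overrun_elements(int (*check)(const struct obj *), const struct obj *data)
{
    int size = check(data);
    size_t n = 0;
    if (size < 0)
        return 0;                    /* error reported, nothing allocated */
    for (const struct obj *it = data; consp(it); it = it->cdr)
        n++;                         /* what x_fill_property_data would write */
    return n > (size_t)size ? n - (size_t)size : 0;
}

/* Constructed inputs: the report's '(0 bad) and a well-formed '(1 "s" (1 . 2)). */
static struct obj nil    = { T_NIL,  NULL,  NULL };
static struct obj zero   = { T_NUM,  NULL,  NULL };
static struct obj bad    = { T_SYM,  NULL,  NULL };
static struct obj c_bad2 = { T_CONS, &bad,  &nil };
static struct obj c_bad1 = { T_CONS, &zero, &c_bad2 };
struct obj *list_0_bad = &c_bad1;

static struct obj one   = { T_NUM,  NULL,  NULL };
static struct obj two   = { T_NUM,  NULL,  NULL };
static struct obj str   = { T_STR,  NULL,  NULL };
static struct obj pair  = { T_CONS, &one,  &two };
static struct obj c_ok3 = { T_CONS, &pair, &nil };
static struct obj c_ok2 = { T_CONS, &str,  &c_ok3 };
static struct obj c_ok1 = { T_CONS, &one,  &c_ok2 };
struct obj *list_ok = &c_ok1;

int main(void)
{
    printf("'(0 bad): buggy %d, fixed %d, slots past the end with buggy: %zu\n",
           check_property_data_buggy(list_0_bad),
           check_property_data_fixed(list_0_bad),
           overrun_elements(check_property_data_buggy, list_0_bad));
    printf("well-formed list: buggy %d, fixed %d\n",
           check_property_data_buggy(list_ok), check_property_data_fixed(list_ok));
    return 0;
}
```

The buggy variant returns 0 for '(0 bad) because the third clause of the for statement executes after the body on every iteration, including the one that set the sentinel; the loop condition therefore sees 0, not -1, and only ends because the list does. Any sentinel that is tested in a loop condition and modified in the increment clause has this hazard; returning from the body, as the patch does, sidesteps it.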