Subject: bug#8719: ccl: add some integer overflow checks
From: Paul Eggert
To: 8719@debbugs.gnu.org
Date: Sun, 22 May 2011 23:53:27 -0700
Message-ID: <4DDA0467.4050205@cs.ucla.edu>

I did a quick pass through ccl.c and found several places where
integer overflow could cause problems.  Here's a proposed fix for some
of the problems.

Does anybody have a good suggestion for testing these?  I'm no
expert in CCL.

ccl: add integer overflow checks
* ccl.c (CCL_CODE_MAX, GET_CCL_RANGE, GET_CCL_CODE, GET_CCL_INT):
(IN_INT_RANGE): New macros.
(ccl_driver): Use them to check for integer overflow when
decoding a CCL program.  Many of the new checks are whether XINT (x)
fits in int; it doesn't always, on 64-bit hosts.  The new version
doesn't catch all possible integer overflows, but it's an
improvement.

=== modified file 'src/ccl.c' --- src/ccl.c 2011-05-12 07:07:06 +0000 +++ src/ccl.c 2011-05-23 06:46:58 +0000 @@ -98,6 +98,8 @@ and `rrr' are CCL register number, `XXXXX' is one of the following CCL commands. */ +#define CCL_CODE_MAX ((1 << (28 - 1)) - 1) + /* CCL commands Each comment fields shows one or more lines for command syntax and 
@@ -742,6 +744,24 @@ #endif +#define GET_CCL_RANGE(var, ccl_prog, ic, lo, hi) \ + do \ + { \ + EMACS_INT prog_word = XINT ((ccl_prog)[ic]); \ + if (! ((lo) <= prog_word && prog_word <= (hi))) \ + CCL_INVALID_CMD; \ + (var) = prog_word; \ + } \ + while (0) + +#define GET_CCL_CODE(code, ccl_prog, ic) \ + GET_CCL_RANGE (code, ccl_prog, ic, 0, CCL_CODE_MAX) + +#define GET_CCL_INT(var, ccl_prog, ic) \ + GET_CCL_RANGE (var, ccl_prog, ic, INT_MIN, INT_MAX) + +#define IN_INT_RANGE(val) (INT_MIN <= (val) && (val) <= INT_MAX) + /* Encode one character CH to multibyte form and write to the current output buffer. If CH is less than 256, CH is written as is. */ #define CCL_WRITE_CHAR(ch) \ @@ -899,7 +919,7 @@ } this_ic = ic; - code = XINT (ccl_prog[ic]); ic++; + GET_CCL_CODE (code, ccl_prog, ic++); field1 = code >> 8; field2 = (code & 0xFF) >> 5; @@ -920,15 +940,14 @@ break; case CCL_SetConst: /* 00000000000000000000rrrXXXXX */ - reg[rrr] = XINT (ccl_prog[ic]); - ic++; + GET_CCL_INT (reg[rrr], ccl_prog, ic++); break; case CCL_SetArray: /* CCCCCCCCCCCCCCCCCCCCRRRrrrXXXXX */ i = reg[RRR]; j = field1 >> 3; if ((unsigned int) i < j) - reg[rrr] = XINT (ccl_prog[ic + i]); + GET_CCL_INT (reg[rrr], ccl_prog, ic + i); ic += j; break; @@ -956,13 +975,13 @@ break; case CCL_WriteConstJump: /* A--D--D--R--E--S--S-000XXXXX */ - i = XINT (ccl_prog[ic]); + GET_CCL_INT (i, ccl_prog, ic); CCL_WRITE_CHAR (i); ic += ADDR; break; case CCL_WriteConstReadJump: /* A--D--D--R--E--S--S-rrrXXXXX */ - i = XINT (ccl_prog[ic]); + GET_CCL_INT (i, ccl_prog, ic); CCL_WRITE_CHAR (i); ic++; CCL_READ_CHAR (reg[rrr]); 
@@ -970,18 +989,17 @@ break; case CCL_WriteStringJump: /* A--D--D--R--E--S--S-000XXXXX */ - j = XINT (ccl_prog[ic]); - ic++; + GET_CCL_INT (j, ccl_prog, ic++); CCL_WRITE_STRING (j); ic += ADDR - 1; break; case CCL_WriteArrayReadJump: /* A--D--D--R--E--S--S-rrrXXXXX */ i = reg[rrr]; - j = XINT (ccl_prog[ic]); + GET_CCL_INT (j, ccl_prog, ic); if ((unsigned int) i < j) { - i = XINT (ccl_prog[ic + 1 + i]); + GET_CCL_INT (i, ccl_prog, ic + 1 + i); CCL_WRITE_CHAR (i); } ic += j + 2; @@ -998,10 +1016,14 @@ CCL_READ_CHAR (reg[rrr]); /* fall through ... */ case CCL_Branch: /* CCCCCCCCCCCCCCCCCCCCrrrXXXXX */ - if ((unsigned int) reg[rrr] < field1) - ic += XINT (ccl_prog[ic + reg[rrr]]); - else - ic += XINT (ccl_prog[ic + field1]); + { + int incr; + GET_CCL_INT (incr, ccl_prog, + ic + ((unsigned int) reg[rrr] < field1 + ? reg[rrr] + : field1)); + ic += incr; + } break; case CCL_ReadRegister: /* CCCCCCCCCCCCCCCCCCCCrrXXXXX */ @@ -1009,7 +1031,7 @@ { CCL_READ_CHAR (reg[rrr]); if (!field1) break; - code = XINT (ccl_prog[ic]); ic++; + GET_CCL_CODE (code, ccl_prog, ic++); field1 = code >> 8; field2 = (code & 0xFF) >> 5; } @@ -1018,7 +1040,7 @@ case CCL_WriteExprConst: /* 1:00000OPERATION000RRR000XXXXX */ rrr = 7; i = reg[RRR]; - j = XINT (ccl_prog[ic]); + GET_CCL_INT (j, ccl_prog, ic); op = field1 >> 6; jump_address = ic + 1; goto ccl_set_expr; @@ -1029,7 +1051,7 @@ i = reg[rrr]; CCL_WRITE_CHAR (i); if (!field1) break; - code = XINT (ccl_prog[ic]); ic++; + GET_CCL_CODE (code, ccl_prog, ic++); field1 = code >> 8; field2 = (code & 0xFF) >> 5; } @@ -1051,10 +1073,7 @@ /* If FFF is nonzero, the CCL program ID is in the following code. */ if (rrr) - { - prog_id = XINT (ccl_prog[ic]); - ic++; - } + GET_CCL_INT (prog_id, ccl_prog, ic++); else prog_id = field1; @@ -1097,7 +1116,7 @@ i = reg[rrr]; if ((unsigned int) i < field1) { - j = XINT (ccl_prog[ic + i]); + GET_CCL_INT (j, ccl_prog, ic + i); CCL_WRITE_CHAR (j); } ic += field1; 
@@ -1122,8 +1141,7 @@ CCL_SUCCESS; case CCL_ExprSelfConst: /* 00000OPERATION000000rrrXXXXX */ - i = XINT (ccl_prog[ic]); - ic++; + GET_CCL_INT (i, ccl_prog, ic++); op = field1 >> 6; goto ccl_expr_self; @@ -1159,9 +1177,9 @@ case CCL_SetExprConst: /* 00000OPERATION000RRRrrrXXXXX */ i = reg[RRR]; - j = XINT (ccl_prog[ic]); + GET_CCL_INT (j, ccl_prog, ic++); op = field1 >> 6; - jump_address = ++ic; + jump_address = ic; goto ccl_set_expr; case CCL_SetExprReg: /* 00000OPERATIONRrrRRRrrrXXXXX */ @@ -1175,10 +1193,9 @@ CCL_READ_CHAR (reg[rrr]); case CCL_JumpCondExprConst: /* A--D--D--R--E--S--S-rrrXXXXX */ i = reg[rrr]; - op = XINT (ccl_prog[ic]); - jump_address = ic++ + ADDR; - j = XINT (ccl_prog[ic]); - ic++; + jump_address = ic + ADDR; + GET_CCL_INT (op, ccl_prog, ic++); + GET_CCL_INT (j, ccl_prog, ic++); rrr = 7; goto ccl_set_expr; @@ -1186,10 +1203,10 @@ CCL_READ_CHAR (reg[rrr]); case CCL_JumpCondExprReg: i = reg[rrr]; - op = XINT (ccl_prog[ic]); - jump_address = ic++ + ADDR; - j = reg[XINT (ccl_prog[ic])]; - ic++; + jump_address = ic + ADDR; + GET_CCL_INT (op, ccl_prog, ic++); + GET_CCL_RANGE (j, ccl_prog, ic++, 0, 7); + j = reg[j]; rrr = 7; ccl_set_expr: 
@@ -1267,18 +1284,27 @@ break; case CCL_TranslateCharacterConstTbl: - op = XINT (ccl_prog[ic]); /* table */ - ic++; - i = CCL_DECODE_CHAR (reg[RRR], reg[rrr]); - op = translate_char (GET_TRANSLATION_TABLE (op), i); - CCL_ENCODE_CHAR (op, charset_list, reg[RRR], reg[rrr]); + { + EMACS_INT eop; + GET_CCL_RANGE (eop, ccl_prog, ic++, 0, + (VECTORP (Vtranslation_table_vector) + ? ASIZE (Vtranslation_table_vector) + : -1)); + i = CCL_DECODE_CHAR (reg[RRR], reg[rrr]); + op = translate_char (GET_TRANSLATION_TABLE (eop), i); + CCL_ENCODE_CHAR (op, charset_list, reg[RRR], reg[rrr]); + } break; case CCL_LookupIntConstTbl: - op = XINT (ccl_prog[ic]); /* table */ - ic++; { - struct Lisp_Hash_Table *h = GET_HASH_TABLE (op); + EMACS_INT eop; + struct Lisp_Hash_Table *h; + GET_CCL_RANGE (eop, ccl_prog, ic++, 0, + (VECTORP (Vtranslation_hash_table_vector) + ? ASIZE (Vtranslation_hash_table_vector) + : -1)); + h = GET_HASH_TABLE (eop); op = hash_lookup (h, make_number (reg[RRR]), NULL); if (op >= 0) @@ -1297,18 +1323,22 @@ break; case CCL_LookupCharConstTbl: - op = XINT (ccl_prog[ic]); /* table */ - ic++; - i = CCL_DECODE_CHAR (reg[RRR], reg[rrr]); { - struct Lisp_Hash_Table *h = GET_HASH_TABLE (op); + EMACS_INT eop; + struct Lisp_Hash_Table *h; + GET_CCL_RANGE (eop, ccl_prog, ic++, 0, + (VECTORP (Vtranslation_hash_table_vector) + ? ASIZE (Vtranslation_hash_table_vector) + : -1)); + i = CCL_DECODE_CHAR (reg[RRR], reg[rrr]); + h = GET_HASH_TABLE (eop); op = hash_lookup (h, make_number (i), NULL); if (op >= 0) { Lisp_Object opl; opl = HASH_VALUE (h, op); - if (!INTEGERP (opl)) + if (! (INTEGERP (opl) && IN_INT_RANGE (XINT (opl)))) CCL_INVALID_CMD; reg[RRR] = XINT (opl); reg[7] = 1; /* r7 true for success */ 
@@ -1321,9 +1351,10 @@ case CCL_IterateMultipleMap: { Lisp_Object map, content, attrib, value; - int point, size, fin_ic; + EMACS_INT point, size; + int fin_ic; - j = XINT (ccl_prog[ic++]); /* number of maps. */ + GET_CCL_INT (j, ccl_prog, ic++); /* number of maps. */ fin_ic = ic + j; op = reg[rrr]; if ((j > reg[RRR]) && (j >= 0)) @@ -1343,7 +1374,7 @@ size = ASIZE (Vcode_conversion_map_vector); point = XINT (ccl_prog[ic++]); - if (point >= size) continue; + if (! (0 <= point && point < size)) continue; map = AREF (Vcode_conversion_map_vector, point); /* Check map validity. */ @@ -1358,18 +1389,19 @@ /* check map type, [STARTPOINT VAL1 VAL2 ...] or [t ELEMENT STARTPOINT ENDPOINT] */ - if (NUMBERP (content)) + if (INTEGERP (content)) { - point = XUINT (content); - point = op - point + 1; - if (!((point >= 1) && (point < size))) continue; - content = AREF (map, point); + point = XINT (content); + if (!(point <= op && op - point + 1 < size)) continue; + content = AREF (map, op - point + 1); } else if (EQ (content, Qt)) { if (size != 4) continue; - if ((op >= XUINT (AREF (map, 2))) - && (op < XUINT (AREF (map, 3)))) + if (INTEGERP (AREF (map, 2)) + && XINT (AREF (map, 2)) <= op + && INTEGERP (AREF (map, 3)) + && op < XINT (AREF (map, 3))) content = AREF (map, 1); else continue; @@ -1379,7 +1411,7 @@ if (NILP (content)) continue; - else if (NUMBERP (content)) + else if (INTEGERP (content) && IN_INT_RANGE (XINT (content))) { reg[RRR] = i; reg[rrr] = XINT(content); @@ -1394,10 +1426,11 @@ { attrib = XCAR (content); value = XCDR (content); - if (!NUMBERP (attrib) || !NUMBERP (value)) + if (! (INTEGERP (attrib) && INTEGERP (value) + && IN_INT_RANGE (XINT (value)))) continue; reg[RRR] = i; - reg[rrr] = XUINT (value); + reg[rrr] = XINT (value); break; } else if (SYMBOLP (content)) 
@@ -1432,8 +1465,9 @@ mapping_stack_pointer = mapping_stack; stack_idx_of_map_multiple = 0; - map_set_rest_length = - XINT (ccl_prog[ic++]); /* number of maps and separators. */ + /* Get number of maps and separators. */ + GET_CCL_INT (map_set_rest_length, ccl_prog, ic++); + fin_ic = ic + map_set_rest_length; op = reg[rrr]; @@ -1501,7 +1535,7 @@ do { for (;map_set_rest_length > 0;i++, ic++, map_set_rest_length--) { - point = XINT(ccl_prog[ic]); + GET_CCL_INT (point, ccl_prog, ic); if (point < 0) { /* +1 is for including separator. */ @@ -1531,18 +1565,19 @@ /* check map type, [STARTPOINT VAL1 VAL2 ...] or [t ELEMENT STARTPOINT ENDPOINT] */ - if (NUMBERP (content)) + if (INTEGERP (content)) { - point = XUINT (content); - point = op - point + 1; - if (!((point >= 1) && (point < size))) continue; - content = AREF (map, point); + point = XINT (content); + if (!(point <= op && op - point + 1 < size)) continue; + content = AREF (map, op - point + 1); } else if (EQ (content, Qt)) { if (size != 4) continue; - if ((op >= XUINT (AREF (map, 2))) && - (op < XUINT (AREF (map, 3)))) + if (INTEGERP (AREF (map, 2)) + && XINT (AREF (map, 2)) <= op + && INTEGERP (AREF (map, 3)) + && op < XINT (AREF (map, 3))) content = AREF (map, 1); else continue; @@ -1554,7 +1589,7 @@ continue; reg[RRR] = i; - if (NUMBERP (content)) + if (INTEGERP (content) && IN_INT_RANGE (XINT (content))) { op = XINT (content); i += map_set_rest_length - 1; @@ -1566,9 +1601,10 @@ { attrib = XCAR (content); value = XCDR (content); - if (!NUMBERP (attrib) || !NUMBERP (value)) + if (! (INTEGERP (attrib) && INTEGERP (value) + && IN_INT_RANGE (XINT (value)))) continue; - op = XUINT (value); + op = XINT (value); i += map_set_rest_length - 1; ic += map_set_rest_length - 1; POP_MAPPING_STACK (map_set_rest_length, reg[rrr]); 
@@ -1613,7 +1649,7 @@ case CCL_MapSingle: { Lisp_Object map, attrib, value, content; - int size, point; + int point; j = XINT (ccl_prog[ic++]); /* map_id */ op = reg[rrr]; if (j >= ASIZE (Vcode_conversion_map_vector)) 
@@ -1628,41 +1664,36 @@ break; } map = XCDR (map); - if (!VECTORP (map)) + if (! (VECTORP (map) + && INTEGERP (AREF (map, 0)) + && XINT (AREF (map, 0)) <= op + && op - XINT (AREF (map, 0)) + 1 < ASIZE (map))) { reg[RRR] = -1; break; } - size = ASIZE (map); - point = XUINT (AREF (map, 0)); + point = XINT (AREF (map, 0)); point = op - point + 1; reg[RRR] = 0; - if ((size <= 1) || - (!((point >= 1) && (point < size)))) + content = AREF (map, point); + if (NILP (content)) reg[RRR] = -1; - else + else if (INTEGERP (content)) + reg[rrr] = XINT (content); + else if (EQ (content, Qt)); + else if (CONSP (content)) { - reg[RRR] = 0; - content = AREF (map, point); - if (NILP (content)) - reg[RRR] = -1; - else if (NUMBERP (content)) - reg[rrr] = XINT (content); - else if (EQ (content, Qt)); - else if (CONSP (content)) - { - attrib = XCAR (content); - value = XCDR (content); - if (!NUMBERP (attrib) || !NUMBERP (value)) - continue; - reg[rrr] = XUINT(value); - break; - } - else if (SYMBOLP (content)) - CCL_CALL_FOR_MAP_INSTRUCTION (content, ic); - else - reg[RRR] = -1; + attrib = XCAR (content); + value = XCDR (content); + if (!INTEGERP (attrib) || !INTEGERP (value)) + continue; + reg[rrr] = XINT(value); + break; } + else if (SYMBOLP (content)) + CCL_CALL_FOR_MAP_INSTRUCTION (content, ic); + else + reg[RRR] = -1; } break; 
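
Review bot: GET_CCL_CODE in the @@ -742,6 +744,24 @@ hunk uses 0 as its lower bound although CCL_CODE_MAX is the largest signed 28-bit value, so every negative code word now takes CCL_INVALID_CMD where the old `code = XINT (ccl_prog[ic])` accepted it. If a code word may be negative (`field1` is taken from `code >> 8`), the lower bound should be the matching minimum, `-1 - CCL_CODE_MAX`; if it may not, a comment on CCL_CODE_MAX saying why the accepted range starts at 0 would settle it. Separately, GET_CCL_RANGE validates the fetched value but never the index `ic`, so `(ccl_prog)[ic]` is still read unchecked.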
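
Review bot: in the CCL_Branch case of the @@ -998,10 +1016,14 @@ hunk, `incr` is checked to fit in int but the addition `ic += incr` is not, and neither is the index `ic + reg[rrr]` or `ic + field1` that GET_CCL_INT reads from. A jump word that passes the int test can still move `ic` outside the program. Compare both the index and the resulting `ic` against the program bounds and take CCL_INVALID_CMD when either falls outside.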
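
Review bot: the upper bound passed to GET_CCL_RANGE in CCL_TranslateCharacterConstTbl, CCL_LookupIntConstTbl and CCL_LookupCharConstTbl (hunks @@ -1267,18 +1284,27 @@ and @@ -1297,18 +1323,22 @@) is `ASIZE (...)`, but the macro's test is `prog_word <= (hi)`, so an `eop` equal to the vector length is accepted before it reaches GET_TRANSLATION_TABLE or GET_HASH_TABLE. If those index the vector directly, that is one element past the end. Pass `ASIZE (...) - 1` as the bound; for an empty vector that gives -1, which rejects every value just as the non-vector branch already does.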
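
Review bot: the @@ -1613,7 +1649,7 @@ hunk leaves `j = XINT (ccl_prog[ic++]); /* map_id */` in CCL_MapSingle as a raw XINT while the rest of the patch moves such reads to GET_CCL_INT, and the test that follows, `if (j >= ASIZE (Vcode_conversion_map_vector))`, has no lower bound, so a negative map id is not rejected there. Fetch it with GET_CCL_INT and test `! (0 <= j && j < ASIZE (Vcode_conversion_map_vector))`, the same shape the patch gives the `point` check in CCL_IterateMultipleMap.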
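
Review bot: the rewritten CCL_MapSingle body in the @@ -1628,41 +1664,36 @@ hunk stores `XINT (content)` and `XINT(value)` into `reg[rrr]` after only an INTEGERP test, while the two earlier map hunks also require `IN_INT_RANGE (...)` before the same assignments; add the range test here so the three cases agree. The new condition also reads `AREF (map, 0)` with no check that the vector is non-empty now that the `size <= 1` test is removed, so put `0 < ASIZE (map)` ahead of it.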

Subject: bug#8719: ccl: add some integer overflow checks
From: Kenichi Handa
To: Paul Eggert
Cc: 8719@debbugs.gnu.org
Date: Mon, 23 May 2011 16:27:31 +0900
In-Reply-To: <4DDA0467.4050205@cs.ucla.edu> (message from Paul Eggert on Sun, 22 May 2011 23:53:27 -0700)

In article <4DDA0467.4050205@cs.ucla.edu>, Paul Eggert writes:

> I did a quick pass through ccl.c and found several places where
> integer overflow could cause problems.  Here's a proposed fix for some
> of the problems.

> Does anybody have a good suggestion for testing these?  I'm no
> expert in CCL.

Thank you.  I'll check it (perhaps within this week).

---
Kenichi Handa
handa@m17n.org

Subject: bug#8719: ccl: add some integer overflow checks
From: Eli Zaretskii
To: Paul Eggert, Kenichi Handa
Cc: 8719@debbugs.gnu.org
Reply-To: Eli Zaretskii
Date: Mon, 23 May 2011 03:40:14 -0400
In-reply-to: <4DDA0467.4050205@cs.ucla.edu> (message from Paul Eggert on Sun, 22 May 2011 23:53:27 -0700)

> Date: Sun, 22 May 2011 23:53:27 -0700
> From: Paul Eggert
>
> Does anybody have a good suggestion for testing these?  I'm no
> expert in CCL.

We pretty much never use CCL these days, at least in Emacs packages.

My reading of lisp/language/ethiopic.el is that it uses CCL to encode
characters into font codepoints.  So displaying some Ethiopic text
(with an Ethiopic font installed) should run a CCL program.

Perhaps Handa-san could suggest more tests.

Subject: bug#8719: closed (fixes committed to trunk)
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Paul Eggert
Reply-To: 8719@debbugs.gnu.org
Date: Fri, 27 May 2011 20:41:02 +0000
References: <4DE00C2A.4030909@cs.ucla.edu> <4DDA0467.4050205@cs.ucla.edu>

Your bug report

#8719: ccl: add some integer overflow checks

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 8719@debbugs.gnu.org.

-- 
8719: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=8719
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Subject: fixes committed to trunk
From: Paul Eggert
To: 8722-done@debbugs.gnu.org, 8719-done@debbugs.gnu.org, 8668-done@debbugs.gnu.org
Date: Fri, 27 May 2011 13:40:10 -0700
Message-ID: <4DE00C2A.4030909@cs.ucla.edu>

I just committed bzr 104390 to the Emacs trunk.  It merges fixes
for bugs 8668, 8719, and 8722 as previously discussed.

For Bug#8719, although the patch should fix the problems it may
not be the best patch.  Kenichi Handa wrote that he'll check it.
Kenichi, if there are problems with it, please feel free to
replace it with something better or to send me email with
suggestions and I'll work on making it better.  Thanks.
@@ -1321,9 +1351,10 @@ case CCL_IterateMultipleMap: { Lisp_Object map, content, attrib, value; - int point, size, fin_ic; + EMACS_INT point, size; + int fin_ic; - j = XINT (ccl_prog[ic++]); /* number of maps. */ + GET_CCL_INT (j, ccl_prog, ic++); /* number of maps. */ fin_ic = ic + j; op = reg[rrr]; if ((j > reg[RRR]) && (j >= 0)) @@ -1343,7 +1374,7 @@ size = ASIZE (Vcode_conversion_map_vector); point = XINT (ccl_prog[ic++]); - if (point >= size) continue; + if (! (0 <= point && point < size)) continue; map = AREF (Vcode_conversion_map_vector, point); /* Check map validity. */ @@ -1358,18 +1389,19 @@ /* check map type, [STARTPOINT VAL1 VAL2 ...] or [t ELEMENT STARTPOINT ENDPOINT] */ - if (NUMBERP (content)) + if (INTEGERP (content)) { - point = XUINT (content); - point = op - point + 1; - if (!((point >= 1) && (point < size))) continue; - content = AREF (map, point); + point = XINT (content); + if (!(point <= op && op - point + 1 < size)) continue; + content = AREF (map, op - point + 1); } else if (EQ (content, Qt)) { if (size != 4) continue; - if ((op >= XUINT (AREF (map, 2))) - && (op < XUINT (AREF (map, 3)))) + if (INTEGERP (AREF (map, 2)) + && XINT (AREF (map, 2)) <= op + && INTEGERP (AREF (map, 3)) + && op < XINT (AREF (map, 3))) content = AREF (map, 1); else continue; @@ -1379,7 +1411,7 @@ if (NILP (content)) continue; - else if (NUMBERP (content)) + else if (INTEGERP (content) && IN_INT_RANGE (XINT (content))) { reg[RRR] = i; reg[rrr] = XINT(content); @@ -1394,10 +1426,11 @@ { attrib = XCAR (content); value = XCDR (content); - if (!NUMBERP (attrib) || !NUMBERP (value)) + if (! (INTEGERP (attrib) && INTEGERP (value) + && IN_INT_RANGE (XINT (value)))) continue; reg[RRR] = i; - reg[rrr] = XUINT (value); + reg[rrr] = XINT (value); break; } else if (SYMBOLP (content)) 
@@ -1432,8 +1465,9 @@ mapping_stack_pointer = mapping_stack; stack_idx_of_map_multiple = 0; - map_set_rest_length = - XINT (ccl_prog[ic++]); /* number of maps and separators. */ + /* Get number of maps and separators. */ + GET_CCL_INT (map_set_rest_length, ccl_prog, ic++); + fin_ic = ic + map_set_rest_length; op = reg[rrr]; @@ -1501,7 +1535,7 @@ do { for (;map_set_rest_length > 0;i++, ic++, map_set_rest_length--) { - point = XINT(ccl_prog[ic]); + GET_CCL_INT (point, ccl_prog, ic); if (point < 0) { /* +1 is for including separator. */ @@ -1531,18 +1565,19 @@ /* check map type, [STARTPOINT VAL1 VAL2 ...] or [t ELEMENT STARTPOINT ENDPOINT] */ - if (NUMBERP (content)) + if (INTEGERP (content)) { - point = XUINT (content); - point = op - point + 1; - if (!((point >= 1) && (point < size))) continue; - content = AREF (map, point); + point = XINT (content); + if (!(point <= op && op - point + 1 < size)) continue; + content = AREF (map, op - point + 1); } else if (EQ (content, Qt)) { if (size != 4) continue; - if ((op >= XUINT (AREF (map, 2))) && - (op < XUINT (AREF (map, 3)))) + if (INTEGERP (AREF (map, 2)) + && XINT (AREF (map, 2)) <= op + && INTEGERP (AREF (map, 3)) + && op < XINT (AREF (map, 3))) content = AREF (map, 1); else continue; @@ -1554,7 +1589,7 @@ continue; reg[RRR] = i; - if (NUMBERP (content)) + if (INTEGERP (content) && IN_INT_RANGE (XINT (content))) { op = XINT (content); i += map_set_rest_length - 1; @@ -1566,9 +1601,10 @@ { attrib = XCAR (content); value = XCDR (content); - if (!NUMBERP (attrib) || !NUMBERP (value)) + if (! (INTEGERP (attrib) && INTEGERP (value) + && IN_INT_RANGE (XINT (value)))) continue; - op = XUINT (value); + op = XINT (value); i += map_set_rest_length - 1; ic += map_set_rest_length - 1; POP_MAPPING_STACK (map_set_rest_length, reg[rrr]); 
@@ -1613,7 +1649,7 @@ case CCL_MapSingle: { Lisp_Object map, attrib, value, content; - int size, point; + int point; j = XINT (ccl_prog[ic++]); /* map_id */ op = reg[rrr]; if (j >= ASIZE (Vcode_conversion_map_vector)) 
@@ -1628,41 +1664,36 @@ break; } map = XCDR (map); - if (!VECTORP (map)) + if (! (VECTORP (map) + && INTEGERP (AREF (map, 0)) + && XINT (AREF (map, 0)) <= op + && op - XINT (AREF (map, 0)) + 1 < ASIZE (map))) { reg[RRR] = -1; break; } - size = ASIZE (map); - point = XUINT (AREF (map, 0)); + point = XINT (AREF (map, 0)); point = op - point + 1; reg[RRR] = 0; - if ((size <= 1) || - (!((point >= 1) && (point < size)))) + content = AREF (map, point); + if (NILP (content)) reg[RRR] = -1; - else + else if (INTEGERP (content)) + reg[rrr] = XINT (content); + else if (EQ (content, Qt)); + else if (CONSP (content)) { - reg[RRR] = 0; - content = AREF (map, point); - if (NILP (content)) - reg[RRR] = -1; - else if (NUMBERP (content)) - reg[rrr] = XINT (content); - else if (EQ (content, Qt)); - else if (CONSP (content)) - { - attrib = XCAR (content); - value = XCDR (content); - if (!NUMBERP (attrib) || !NUMBERP (value)) - continue; - reg[rrr] = XUINT(value); - break; - } - else if (SYMBOLP (content)) - CCL_CALL_FOR_MAP_INSTRUCTION (content, ic); - else - reg[RRR] = -1; + attrib = XCAR (content); + value = XCDR (content); + if (!INTEGERP (attrib) || !INTEGERP (value)) + continue; + reg[rrr] = XINT(value); + break; } + else if (SYMBOLP (content)) + CCL_CALL_FOR_MAP_INSTRUCTION (content, ic); + else + reg[RRR] = -1; } break; ------------=_1306528862-5150-1-- From unknown Mon Sep 08 01:50:34 2025 X-Loop: help-debbugs@gnu.org Subject: bug#8719: bug#8751: 24.0.50; CCL is broken Resent-From: Paul Eggert Original-Sender: debbugs-submit-bounces@debbugs.gnu.org Resent-To: owner@debbugs.gnu.org Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Tue, 31 May 2011 02:17:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 8719 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: To: Kazuhiro Ito Cc: 8719@debbugs.gnu.org, Stefan Monnier , 8751-done@debbugs.gnu.org Received: via spool by 8719-submit@debbugs.gnu.org id=B8719.130680821632344 (code B ref 8719); Tue, 31 May 
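Review bot: The new GET_CCL_RANGE macro (hunk at -742,6) has no comment, and it needs one saying that lo and hi are both inclusive, that a failed check exits through CCL_INVALID_CMD, and that the ic argument must be expanded exactly once. Callers throughout the patch pass ic++ in that position, so a later edit that mentions ic a second time inside the macro body would silently advance the instruction counter twice. The macro also range-checks only the fetched word; nothing in these lines compares the index ic against the length of the program.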
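Review bot: In CCL_WriteArrayReadJump (hunk at -970,18), j is now fetched with GET_CCL_INT, which accepts negative values, and is then used in "if ((unsigned int) i < j)". If j is a signed int, a negative j is converted to a very large unsigned value, the guard passes for almost any i, and the following GET_CCL_INT (i, ccl_prog, ic + 1 + i) reads at an index controlled by the register. Fetching j with GET_CCL_RANGE and a lower bound of 0 would close this; the same applies to "ic += j + 2" at the end of the case.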
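Review bot: In CCL_Branch (hunk at -998,10), "ic += incr" is still unchecked: GET_CCL_INT only guarantees that incr fits in an int, so the sum can overflow or land outside the program. Since this patch is about overflow checks, consider validating the resulting ic (or bounding incr with GET_CCL_RANGE against the remaining program length) before the addition.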
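Review bot: The table-index checks in CCL_TranslateCharacterConstTbl and CCL_LookupIntConstTbl (hunk at -1267,18) look off by one. GET_CCL_RANGE tests "prog_word <= (hi)", and hi is passed as ASIZE (Vtranslation_table_vector) or ASIZE (Vtranslation_hash_table_vector), so eop equal to the vector size is accepted. If GET_TRANSLATION_TABLE and GET_HASH_TABLE index the vector with eop, that is one element past the end; passing ASIZE (...) - 1 as the upper bound would fix it. The same bound is used for CCL_LookupCharConstTbl in the following hunk.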
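Review bot: In CCL_IterateMultipleMap (hunk at -1321,9), "fin_ic = ic + j" can still overflow, because GET_CCL_INT lets j be anything up to INT_MAX and fin_ic stays an int. The later test "(j > reg[RRR]) && (j >= 0)" comes after the addition and does not bound j from above. Fetching j with GET_CCL_RANGE, with 0 as the lower bound and an upper bound tied to the program length, would make fin_ic safe to compute.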
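Review bot: In CCL_MapSingle (hunk at -1613,7), the context line "j = XINT (ccl_prog[ic++]); /* map_id */" is left as a raw XINT while every comparable fetch in the patch moved to GET_CCL_INT or GET_CCL_RANGE. The only visible check is "if (j >= ASIZE (Vcode_conversion_map_vector))", which does not reject a negative j or a value truncated on assignment to int. Suggest GET_CCL_RANGE with 0 as the lower bound here, as was done for the register index in CCL_JumpCondExprReg.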
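Review bot: The rewritten CCL_MapSingle body (hunk at -1628,41) stores "reg[rrr] = XINT (content)" and "reg[rrr] = XINT(value)" after only an INTEGERP test, without the IN_INT_RANGE check that this same patch adds for the equivalent stores in CCL_IterateMultipleMap and the multiple-map case. That leaves a silent truncation where EMACS_INT is wider than int; adding IN_INT_RANGE (XINT (...)) to both conditions would make the three map instructions consistent. Separately, the new condition reads AREF (map, 0) before anything establishes that the vector is non-empty; the removed code at least tested "size <= 1", so a "0 < ASIZE (map)" term ahead of the AREF would preserve that.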
2011 02:17:02 +0000 Message-ID: <4DE44F88.1060706@cs.ucla.edu> Date: Mon, 30 May 2011 19:16:40 -0700
From: Paul Eggert
Organization: UCLA Computer Science Department
References: <20110528124948.470A6360038@msa102.auone-net.jp> <20110530130933.D45704B803A@msa106.auone-net.jp> <20110530232630.273942C803A@msa105.auone-net.jp>
In-Reply-To: <20110530232630.273942C803A@msa105.auone-net.jp>

> Here is a quick fix for actual code, but I don't check whether there
> are other problems.

Thanks, I came up with something similar independently, and installed a fix into the trunk (bzr 104441). This fix adjusted the comment as best I could.

Bug#8719 and Bug#8751 are related so I'll CC: this to bug 8719 to give Kenichi Handa a heads-up.