GNU bug report logs - #9874
Fixes for several integer overflow and width issues


Package: emacs;

Reported by: Paul Eggert <eggert <at> cs.ucla.edu>

Date: Wed, 26 Oct 2011 07:54:02 UTC

Severity: normal

Tags: patch

Found in version 24.0.90

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Message #14 received at 9874 <at> debbugs.gnu.org (full text, mbox):

From: Juanma Barranquero <lekktu <at> gmail.com>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: 9874 <at> debbugs.gnu.org, Paul Eggert <eggert <at> cs.ucla.edu>
Subject: Re: bug#9874: Fixes for several integer overflow and width issues
Date: Wed, 26 Oct 2011 16:26:41 +0200

> Thank you very much, but we're too far in the release process for such
> large patches, so it will have to wait for 24.2.

These bugs seem serious enough:

    - On my Fedora 14 x86-64 host, (signal-process 4294967295 1)
      crashes my entire login session, Emacs included, and leaves my
      workstation in a corrupted state in which the screen
      continually flashes a nonsense pattern and I cannot log in.
      This bug occurs because Emacs incorrectly assumes that fixnums
      fit into pid_t values, which is not true on typical 64-bit hosts.

    - The following code makes Emacs dump core:

        (progn
          (setq code-conversion-map-vector 0)
          (register-code-conversion-map 'x (make-vector 1 1)))

    - (font-get-glyphs FONT-OBJECT FROM TO) goes berserk if TO - FROM
      exceeds 2**31, and if you're lucky it dumps core.

    - (modify-frame-parameters FRAME ALIST) can overrun the C stack
      if ALIST is long.

    - The Lisp reader mishandles syntax errors like '(#^^[]), causing
      it to read storage that is out of bounds of an array.  It also
      mishandles '(#^^[4294967297 ...]), causing it to treat the
      large integer as if it were 1.

    - insert-file-contents overly trusts the inserted-char counts
      returned by the hooks; they should be sanity checked, to avoid
      the potential for calculating incorrect buffer offsets.

    - concat mishandles some long strings.  It checks for byte count
      overflow in places where it should check for char count overflow,
      and it misses some byte count overflows.

    - (find-operation-coding-system 'write-region 1 2) has an
      off-by-one error that causes it to access the garbage that
      is one past its argument array.

 * Callers to larger_vector often blindly multiply sizes by 2, which
   can lead to integer overflow with large sizes.  Change
   larger_vector's API to make it easier to check for size overflow when
   growing a vector.
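The two kinds of range check the list above asks for (fixnum to pid_t, and doubling a vector size without overflow), as an added example in plain C. This is not Emacs code and not the patch under discussion; fixnum_t, fixnum_to_pid, grow_capacity and max_items_for are names chosen for this example, and the incr_min/nitems_max argument convention is an assumption of the example rather than a statement of the Emacs API. The TYPE_MAXIMUM/TYPE_MINIMUM macros follow the gnulib idiom so that nothing assumes how wide pid_t is on the host.

```c
/* Added example (not Emacs code): range checks for fixnum->pid_t and for
   growing a vector by doubling.  fixnum_t, fixnum_to_pid, grow_capacity and
   max_items_for are names chosen for this example, not the Emacs API. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>   /* pid_t */

/* Maximum and minimum of an integer type, following the gnulib idiom;
   avoids assuming how wide pid_t is on the host. */
#define TYPE_SIGNED(t)  (!((t) 0 < (t) -1))
#define TYPE_MAXIMUM(t) ((t) (!TYPE_SIGNED (t) ? (t) -1 \
                              : ((((t) 1 << (sizeof (t) * CHAR_BIT - 2)) - 1) * 2 + 1)))
#define TYPE_MINIMUM(t) ((t) (!TYPE_SIGNED (t) ? (t) 0 : ~TYPE_MAXIMUM (t)))

/* Stand-in for an unboxed Emacs fixnum on a 64-bit host: wider than a
   32-bit pid_t, which is exactly the mismatch the report describes. */
typedef int64_t fixnum_t;

/* Convert N to pid_t only if the value is representable; otherwise return
   false and leave *OUT untouched.  Without this check, 4294967295 cast to a
   32-bit pid_t becomes -1, and kill(-1, sig) signals every process the
   caller is allowed to signal, i.e. the whole login session. */
bool fixnum_to_pid (fixnum_t n, pid_t *out)
{
  if (n < TYPE_MINIMUM (pid_t) || n > TYPE_MAXIMUM (pid_t))
    return false;
  *out = (pid_t) n;
  return true;
}

/* New capacity for a vector holding NITEMS elements that must grow by at
   least INCR_MIN, never exceeding NITEMS_MAX.  The policy is still
   doubling, but "2 * nitems" is replaced by a checked addition that clamps
   to NITEMS_MAX instead of wrapping; -1 means the vector cannot grow. */
ptrdiff_t grow_capacity (ptrdiff_t nitems, ptrdiff_t incr_min, ptrdiff_t nitems_max)
{
  if (nitems < 0 || incr_min < 0 || nitems_max < nitems)
    return -1;
  ptrdiff_t room = nitems_max - nitems;   /* cannot overflow: 0 <= nitems <= nitems_max */
  if (incr_min > room)
    return -1;                            /* even the minimum growth does not fit */
  ptrdiff_t incr = nitems;                /* default: double ... */
  if (incr < incr_min)
    incr = incr_min;
  if (incr > room)
    incr = room;                          /* ... but clamp rather than overflow */
  return nitems + incr;
}

/* Largest element count of ELT_SIZE-byte elements whose total byte size
   still fits in both ptrdiff_t and size_t; a suitable NITEMS_MAX above. */
ptrdiff_t max_items_for (size_t elt_size)
{
  if (elt_size == 0)
    return -1;
  size_t bytes_max = (size_t) PTRDIFF_MAX < SIZE_MAX ? (size_t) PTRDIFF_MAX : SIZE_MAX;
  return (ptrdiff_t) (bytes_max / elt_size);
}

int main (void)
{
  pid_t p;
  printf ("4294967295 fits pid_t: %s\n",
          fixnum_to_pid (4294967295LL, &p) ? "yes" : "no");
  printf ("grow 100 pointers by doubling: %td\n",
          grow_capacity (100, 1, max_items_for (sizeof (void *))));
  printf ("grow a full vector: %td\n", grow_capacity (1000, 1, 1000));
  return 0;
}
```

On a host with a 32-bit pid_t the first line prints "no", which is the rejection signal-process needs before it ever reaches kill(); on a host with a 64-bit pid_t the value fits and is passed through unchanged. grow_capacity gives callers a single place to ask "can this vector get bigger at all?" instead of each caller multiplying by two and hoping.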

This bug report was last modified 12 years and 362 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.