bug#16683: 24.3; Crash on OS X when loading a bad PPM image

bug#16683: 24.3; Crash on OS X when loading a bad PPM image

[Gareth Rees]

SUMMARY

Emacs for Mac OS X crashes when trying to display a badly formatted PPM image. The crash is 100% reproducible.


STEPS TO REPRODUCE

1. Install Emacs 24.3.1 for Mac OS X from http://emacsformacosx.com/

2. Create a file crash.ppm with contents:

P3
100 100
255 255 255

3. Run /Applications/Emacs.app/Contents/MacOS/Emacs-10.7 -Q

4. In Emacs, type C-x C-f crash.ppm RET

5. Emacs crashes. The terminal prints:

    Fatal error 11: Segmentation faultAbort trap: 6


BACKTRACE

(lldb) bt all
* thread #1: tid = 0xa1297b, 0x00007fff93864097 libobjc.A.dylib`objc_msgSend + 23, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x00007fff93864097 libobjc.A.dylib`objc_msgSend + 23
    frame #1: 0x000000010018c514 Emacs-10.7`ns_draw_glyph_string + 1332
    frame #2: 0x000000010001f58e Emacs-10.7`draw_glyphs + 11534
    frame #3: 0x000000010001fe86 Emacs-10.7`x_write_glyphs + 198
    frame #4: 0x0000000100007614 Emacs-10.7`update_window_line + 756
    frame #5: 0x0000000100008efb Emacs-10.7`update_window + 4171
    frame #6: 0x000000010000969a Emacs-10.7`update_window_tree + 106
    frame #7: 0x000000010000b519 Emacs-10.7`update_frame + 409
    frame #8: 0x00000001000427d8 Emacs-10.7`redisplay_internal + 3880
    frame #9: 0x00000001000ad7d9 Emacs-10.7`read_char + 7961
    frame #10: 0x00000001000b061f Emacs-10.7`read_key_sequence + 7535
    frame #11: 0x00000001000b2098 Emacs-10.7`command_loop_1 + 5128
    frame #12: 0x0000000100118e19 Emacs-10.7`internal_condition_case + 297
    frame #13: 0x00000001000b0c6e Emacs-10.7`command_loop_2 + 62
    frame #14: 0x0000000100118f15 Emacs-10.7`internal_catch + 213
    frame #15: 0x00000001000b26a0 Emacs-10.7`recursive_edit_1 + 240
    frame #16: 0x00000001000a309d Emacs-10.7`Frecursive_edit + 237
    frame #17: 0x000000010009ff2c Emacs-10.7`main + 5932
    frame #18: 0x00000001000020e4 Emacs-10.7`start + 52

  thread #2: tid = 0xa12994, 0x00007fff97af2e6a libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #0: 0x00007fff97af2e6a libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #1: 0x00007fff95d65f08 libsystem_pthread.dylib`_pthread_wqthread + 330
    frame #2: 0x00007fff95d68fb9 libsystem_pthread.dylib`start_wqthread + 13

  thread #3: tid = 0xa12995, 0x00007fff97af3662 libsystem_kernel.dylib`kevent64 + 10, queue = 'com.apple.libdispatch-manager
    frame #0: 0x00007fff97af3662 libsystem_kernel.dylib`kevent64 + 10
    frame #1: 0x00007fff942e443d libdispatch.dylib`_dispatch_mgr_invoke + 239
    frame #2: 0x00007fff942e4152 libdispatch.dylib`_dispatch_mgr_thread + 52

  thread #4: tid = 0xa12996, 0x00007fff97af2e6a libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #0: 0x00007fff97af2e6a libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #1: 0x00007fff95d65f08 libsystem_pthread.dylib`_pthread_wqthread + 330
    frame #2: 0x00007fff95d68fb9 libsystem_pthread.dylib`start_wqthread + 13

  thread #5: tid = 0xa129a5, 0x00007fff97af2e6a libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #0: 0x00007fff97af2e6a libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #1: 0x00007fff95d65f08 libsystem_pthread.dylib`_pthread_wqthread + 330
    frame #2: 0x00007fff95d68fb9 libsystem_pthread.dylib`start_wqthread + 13

  thread #6: tid = 0xa129a6, 0x00007fff97af29aa libsystem_kernel.dylib`select$DARWIN_EXTSN + 10
    frame #0: 0x00007fff97af29aa libsystem_kernel.dylib`select$DARWIN_EXTSN + 10
    frame #1: 0x0000000100181ac7 Emacs-10.7`-[EmacsApp fd_handler:] + 247
    frame #2: 0x00007fff95dd270b Foundation`__NSThread__main__ + 1318
    frame #3: 0x00007fff95d64899 libsystem_pthread.dylib`_pthread_body + 138
    frame #4: 0x00007fff95d6472a libsystem_pthread.dylib`_pthread_start + 137
    frame #5: 0x00007fff95d68fc9 libsystem_pthread.dylib`thread_start + 13

  thread #7: tid = 0xa129c8, 0x00007fff97aeea1a libsystem_kernel.dylib`mach_msg_trap + 10
    frame #0: 0x00007fff97aeea1a libsystem_kernel.dylib`mach_msg_trap + 10
    frame #1: 0x00007fff97aedd18 libsystem_kernel.dylib`mach_msg + 64
    frame #2: 0x00007fff96b47315 CoreFoundation`__CFRunLoopServiceMachPort + 181
    frame #3: 0x00007fff96b46939 CoreFoundation`__CFRunLoopRun + 1161
    frame #4: 0x00007fff96b46275 CoreFoundation`CFRunLoopRunSpecific + 309
    frame #5: 0x00007fff992f41ce AppKit`_NSEventThread + 144
    frame #6: 0x00007fff95d64899 libsystem_pthread.dylib`_pthread_body + 138
    frame #7: 0x00007fff95d6472a libsystem_pthread.dylib`_pthread_start + 137
    frame #8: 0x00007fff95d68fc9 libsystem_pthread.dylib`thread_start + 13


VERSION DETAILS

Emacs 24.3.1 For Mac OS X (the latest version available from http://emacsformacosx.com/)

In GNU Emacs 24.3.1 (x86_64-apple-darwin, NS apple-appkit-1038.36)
of 2013-03-13 on bob.porkrind.org
Windowing system distributor `Apple', version 10.3.1265
Configured using:
`configure '--host=x86_64-apple-darwin' '--build=i686-apple-darwin'
'--with-ns' 'build_alias=i686-apple-darwin'
'host_alias=x86_64-apple-darwin' 'CC=gcc -mmacosx-version-min=10.7
-isystem

-- 
Gareth Rees

bug#16683: 24.3; Crash on OS X when loading a bad PPM image

[Marcus Karlsson]

[-- Attachment #1: Type: text/plain, Size: 594 bytes --]

On Fri, Feb 07, 2014 at 01:53:14PM +0000, Gareth Rees wrote:
> Emacs for Mac OS X crashes when trying to display a badly formatted
> PPM image. The crash is 100% reproducible.

I'm able to reproduce this crash on the current head.

My impression after running it through the debugger is that -release is
called on the pixmap after it has been deallocated earlier in pbm_load.
I have created a patch that sets the pixmap to NO_PIXMAP in case
pbm_load runs into an error.

In the long run the better solution is probably to look over the NS
memory management so that it works properly.

		Marcus

[-- Attachment #2: 16683-fix.patch --]
[-- Type: text/x-diff, Size: 331 bytes --]

diff --git a/src/image.c b/src/image.c
index 706745f..e53ad0b 100644
--- a/src/image.c
+++ b/src/image.c
@@ -5215,6 +5215,7 @@ pbm_load (struct frame *f, struct image *img)
       image_error ("Not a PBM image: `%s'", img->spec, Qnil);
     error:
       xfree (contents);
+      img->pixmap = NO_PIXMAP;
       return 0;
     }
 

bug#16683: 24.3; Crash on OS X when loading a bad PPM image

[Jan Djärv]

Hello.

9 feb 2014 kl. 23:30 skrev Marcus Karlsson <mk@acc.umu.se>:

> On Fri, Feb 07, 2014 at 01:53:14PM +0000, Gareth Rees wrote:
>> Emacs for Mac OS X crashes when trying to display a badly formatted
>> PPM image. The crash is 100% reproducible.
> 
> I'm able to reproduce this crash on the current head.
> 
> My impression after running it through the debugger is that -release is
> called on the pixmap after it has been deallocated earlier in pbm_load.
> I have created a patch that sets the pixmap to NO_PIXMAP in case
> pbm_load runs into an error.
> 

Applied thanks.

> In the long run the better solution is probably to look over the NS
> memory management so that it works properly.

This happens in the generic code, it should not try to free garbage, so this fix is OK.
An alternative would be to check load_failed in free_image.  Still generic code.

	Jan D.