From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sergei Litvin
Newsgroups: gmane.emacs.bugs
Subject: bug#24064: 24.5; NULL pointer dereference in compute_motion(), indent.c
Date: Tue, 26 Jul 2016 01:02:27 +0300
Message-ID: <3092bb3f-6d7f-0495-bf53-a317b9f52fa9@gmail.com>
References: <18720133-6691-74c9-528f-3baee920b421@gmail.com> <83vaztu1n5.fsf@gnu.org>
In-Reply-To: <83vaztu1n5.fsf@gnu.org>
To: 24064@debbugs.gnu.org
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------0B017BEB1D9AC55F27304812"

This is a multi-part message in MIME format.
--------------0B017BEB1D9AC55F27304812
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

I've prepared an elisp file to reproduce a crash:

1) Open it and move cursor to the end of the file
2) Execute eval-buffer
3) Press C-l several times

Sergei Litvin

On 07/25/2016 07:24 PM, Eli Zaretskii wrote:
>> From: Sergei Litvin
>> Date: Mon, 25 Jul 2016 02:51:40 +0300
>>
>>
>> struct position *
>> compute_motion (ptrdiff_t from, ptrdiff_t frombyte, EMACS_INT fromvpos,
>>                 EMACS_INT fromhpos, bool did_motion, ptrdiff_t to,
>>                 EMACS_INT tovpos, EMACS_INT tohpos, EMACS_INT width,
>>                 ptrdiff_t hscroll, int tab_offset, struct window *win)
>> {
>>
>> ...
>>
>>   if (dp == buffer_display_table ())
>>     width_table = (VECTORP (BVAR (current_buffer, width_table))
>>                    ? XVECTOR (BVAR (current_buffer, width_table))->contents
>>                    : 0);
>>   else
>>     /* If the window has its own display table, we can't use the width
>>        run cache, because that's based on the buffer's display table. */
>>     width_table = 0; // initialize it with 0 (current buffer has no display table)
>>
>> ...
>>
>>   if (width_cache)
>>     {
>>       /* Is this character part of the current run? If so, extend
>>          the run. */
>>       if (pos - 1 == width_run_end
>>           && XFASTINT (width_table[c]) == width_run_width) // dereference width_table here, and crash
>>         width_run_end = pos;
> Did you actually see such a crash, and if so, can you show a recipe
> for reproducing that?
>
> Thanks.

--------------0B017BEB1D9AC55F27304812 Content-Type: text/x-emacs-lisp; name="emacs-crash.el" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="emacs-crash.el" (set-window-display-table (selected-window) #^[nil nil display-table nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil]) (set-buffer-multibyte nil) ; 1) Move cursor to this line ; 2) Execute eval-buffer ; 3) Press C-l several times --------------0B017BEB1D9AC55F27304812--
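
The state combination described in the message above, modelled in C as an added example; it is not part of the original message and is not Emacs code. `struct motion_state` and the three function names are hypothetical stand-ins, and the extra NULL test is one possible guard, not necessarily the fix Emacs adopted.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-ins (assumptions) for state that compute_motion() reads. */
struct motion_state {
  const int *width_table;  /* NULL when the window has its own display table */
  bool width_cache;        /* width run cache is enabled for the buffer */
  long width_run_end;      /* last position covered by the current run */
  int width_run_width;     /* width shared by every character in the run */
};

/* Same selection as the quoted excerpt: the buffer's width table is usable
   only when the active display table is the buffer's own. */
static const int *
select_width_table (bool window_has_own_table, const int *buffer_table)
{
  return window_has_own_table ? NULL : buffer_table;
}

/* True when the quoted condition would evaluate width_table[c] through a
   NULL pointer: cache on, no table, and pos adjacent to the current run. */
static bool
unguarded_would_deref_null (const struct motion_state *st, long pos)
{
  return st->width_cache && st->width_table == NULL
         && pos - 1 == st->width_run_end;
}

/* Run-extension test with the table checked alongside the cache flag. */
static bool
extends_run_checked (struct motion_state *st, long pos, unsigned char c)
{
  if (!st->width_cache || st->width_table == NULL)
    return false;  /* no table: caller takes the uncached path */
  if (pos - 1 == st->width_run_end
      && st->width_table[c] == st->width_run_width)
    {
      st->width_run_end = pos;
      return true;
    }
  return false;
}

int main (void)
{
  int table[256] = { 0 };  /* constructed sample width table */
  struct motion_state st = { select_width_table (true, table), true, 9, 1 };
  return unguarded_would_deref_null (&st, 10) && !extends_run_checked (&st, 10, 'a') ? 0 : 1;
}
```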