* bug#31556: 27.0.50; Reading a certain invalid bytecode object triggers an assertion
@ 2018-05-22 17:29 Philipp
  2018-05-22 18:47 ` Pip Cet
  2018-05-22 19:45 ` Paul Eggert
  0 siblings, 2 replies; 3+ messages in thread
From: Philipp @ 2018-05-22 17:29 UTC (permalink / raw)
  To: 31556


$ emacs -Q -batch -eval '(let ((load-force-doc-strings t)) (read "#[0 \"\"]"))'

./lisp.h:1723: Emacs fatal error: assertion failed: 0 <= idx && idx < ASIZE (array)
Fatal error 6: Abort trapAbort trap: 6

Backtrace is:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x00007fff6b22ce3e libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff6b36b150 libsystem_pthread.dylib`pthread_kill + 333
    frame #2: 0x00007fff6b13b8fe libsystem_c.dylib`raise + 26
    frame #3: 0x00000001001b713a emacs`terminate_due_to_signal(sig=6, backtrace_limit=40) at emacs.c:399
    frame #4: 0x00000001001f9653 emacs`emacs_abort at sysdep.c:2426
    frame #5: 0x0000000100454838 emacs`ns_term_shutdown(sig=6) at nsterm.m:5478
    frame #6: 0x00000001001b7480 emacs`shut_down_emacs(sig=6, stuff=(i = 0x0000000000000000)) at emacs.c:2128
    frame #7: 0x00000001001b70d6 emacs`terminate_due_to_signal(sig=6, backtrace_limit=2147483647) at emacs.c:382
    frame #8: 0x000000010028880b emacs`die(msg="0 <= idx && idx < ASIZE (array)", file="./lisp.h", line=1723) at alloc.c:7445
    frame #9: 0x00000001001b024d emacs`ASET(array=(i = 0x0000000106971cbd), idx=2, val=(i = 0x00000001005323e4)) at lisp.h:1723
    frame #10: 0x000000010038265f emacs`read_vector(readcharfun=(i = 0x0000000101103904), bytecodeflag=true) at lread.c:3853
    frame #11: 0x000000010037f31f emacs`read1(readcharfun=(i = 0x0000000101103904), pch=0x00007ffeefbf8434, first_in_list=false) at lread.c:2930
    frame #12: 0x000000010038244b emacs`read0(readcharfun=(i = 0x0000000101103904)) at lread.c:2308
    frame #13: 0x000000010037668a emacs`read_internal_start(stream=(i = 0x0000000101103904), start=(i = 0x0000000000000000), end=(i = 0x0000000000000000)) at lread.c:2274
    frame #14: 0x00000001003762a5 emacs`Fread(stream=(i = 0x0000000101103904)) at lread.c:2210
    frame #15: 0x00000001002ef48e emacs`eval_sub(form=(i = 0x000000010302bfc3)) at eval.c:2288
    frame #16: 0x00000001002efe7d emacs`Fprogn(body=(i = 0x0000000000000000)) at eval.c:455
    frame #17: 0x00000001002f7199 emacs`Flet(args=(i = 0x000000010302bfd3)) at eval.c:971
    frame #18: 0x00000001002ea52a emacs`eval_sub(form=(i = 0x000000010302c153)) at eval.c:2240
    frame #19: 0x00000001002fa6a7 emacs`Feval(form=(i = 0x000000010302c153), lexical=(i = 0x0000000000000000)) at eval.c:2108
    frame #20: 0x000000010030a1b2 emacs`funcall_subr(subr=0x000000010093a8c8, numargs=1, args=0x00007ffeefbf9d48) at eval.c:2900
    frame #21: 0x000000010030886b emacs`Ffuncall(nargs=2, args=0x00007ffeefbf9d40) at eval.c:2823
    frame #22: 0x00000001003b371d emacs`exec_byte_code(bytestr=(i = 0x000000010063d21c), vector=(i = 0x000000010063d23d), maxdepth=(i = 0x000000000000005e), args_template=(i = 0x0000000000000406), nargs=1, args=0x00007ffeefbfb5c8) at bytecode.c:632
    frame #23: 0x000000010030a83c emacs`funcall_lambda(fun=(i = 0x000000010063d1ed), nargs=1, arg_vector=0x00007ffeefbfb5c0) at eval.c:3024
    frame #24: 0x00000001003088bb emacs`Ffuncall(nargs=2, args=0x00007ffeefbfb5b8) at eval.c:2825
    frame #25: 0x00000001003b371d emacs`exec_byte_code(bytestr=(i = 0x0000000100637b34), vector=(i = 0x0000000100637b55), maxdepth=(i = 0x0000000000000032), args_template=(i = 0x0000000000000002), nargs=0, args=0x00007ffeefbfd018) at bytecode.c:632
    frame #26: 0x000000010030a83c emacs`funcall_lambda(fun=(i = 0x0000000100637b05), nargs=0, arg_vector=0x00007ffeefbfd018) at eval.c:3024
    frame #27: 0x00000001003088bb emacs`Ffuncall(nargs=1, args=0x00007ffeefbfd010) at eval.c:2825
    frame #28: 0x00000001003b371d emacs`exec_byte_code(bytestr=(i = 0x0000000100636ae4), vector=(i = 0x0000000100636b05), maxdepth=(i = 0x0000000000000032), args_template=(i = 0x0000000000000002), nargs=0, args=0x00007ffeefbfe4b0) at bytecode.c:632
    frame #29: 0x000000010030a83c emacs`funcall_lambda(fun=(i = 0x0000000100636ab5), nargs=0, arg_vector=0x00007ffeefbfe4b0) at eval.c:3024
    frame #30: 0x00000001002fea23 emacs`apply_lambda(fun=(i = 0x0000000100636ab5), args=(i = 0x0000000000000000), count=4) at eval.c:2960
    frame #31: 0x00000001002ef6ac emacs`eval_sub(form=(i = 0x000000010608ed03)) at eval.c:2333
    frame #32: 0x00000001002fa6a7 emacs`Feval(form=(i = 0x000000010608ed03), lexical=(i = 0x0000000000000000)) at eval.c:2108
    frame #33: 0x00000001001d98fa emacs`top_level_2 at keyboard.c:1120
    frame #34: 0x00000001002f8b0f emacs`internal_condition_case(bfun=(emacs`top_level_2 at keyboard.c:1119), handlers=(i = 0x0000000000004a10), hfun=(emacs`cmd_error at keyboard.c:939)) at eval.c:1334
    frame #35: 0x00000001001d95a1 emacs`top_level_1(ignore=(i = 0x0000000000000000)) at keyboard.c:1128
    frame #36: 0x00000001002f7d18 emacs`internal_catch(tag=(i = 0x000000000000beb0), func=(emacs`top_level_1 at keyboard.c:1125), arg=(i = 0x0000000000000000)) at eval.c:1099
    frame #37: 0x00000001001bb801 emacs`command_loop at keyboard.c:1089
    frame #38: 0x00000001001bb644 emacs`recursive_edit_1 at keyboard.c:696
    frame #39: 0x00000001001bba71 emacs`Frecursive_edit at keyboard.c:767
    frame #40: 0x00000001001b90e9 emacs`main(argc=5, argv=0x00007ffeefbff778) at emacs.c:1720
    frame #41: 0x00007fff6b0dd115 libdyld.dylib`start + 1
    frame #42: 0x00007fff6b0dd115 libdyld.dylib`start + 1



In GNU Emacs 27.0.50 (build 68, x86_64-apple-darwin17.4.0, NS appkit-1561.20 Version 10.13.3 (Build 17D102))
 of 2018-05-22 built on p
Repository revision: 19e642fdb07b0b6522983e2fa35872ba5fb9f75e
Windowing system distributor 'Apple', version 10.3.1561
System Description:  Mac OS X 10.13.3

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --with-modules --without-pop --with-mailutils
 --enable-gcc-warnings=yes --enable-checking
 --enable-check-lisp-object-type 'CFLAGS=-ggdb3 -O0''

Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES THREADS
JSON

Important settings:
  value of $LANG: de_DE.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.



* bug#31556: 27.0.50; Reading a certain invalid bytecode object triggers an assertion
@ 2018-05-22 18:47 ` Pip Cet
From: Pip Cet @ 2018-05-22 18:47 UTC (permalink / raw)
  To: Philipp; +Cc: 31556

This looks like a potential security issue in builds without debugging
assertions, as essentially random memory is written to in the ASET. I
don't know precisely when load-force-doc-strings is non-nil, but I
suspect it's rare. (It's probably also possible to construct a file
which, when loaded, will segfault because it contains a docstring that
doesn't end in \037, but that's not a real issue as loading a corrupt
file will result in potentially dangerous operations anyway.)
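Added example, not code from the thread or from Emacs: a small C model of the reader path Pip Cet describes above, with a bounds-reporting stand-in for ASET, so the two outcomes (the out-of-bounds store a build without assertions would perform, and the early error produced by the patch's length check) can be observed side by side. The slot names and the simplified read loop are assumptions modelled on lisp.h and read_vector in lread.c, not the real source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Slot indices of a byte-code object, named as in Emacs' lisp.h (assumed). */
enum { COMPILED_ARGLIST, COMPILED_BYTECODE, COMPILED_CONSTANTS, COMPILED_STACK_DEPTH };

enum read_result { READ_OK, READ_ERROR, READ_OOB_WRITE };

struct vector { size_t size; int *contents; };

/* Model of ASET.  A --enable-checking build aborts on a bad index (the
   assertion in the report); a release build stores past the vector.
   This model reports the bad store instead of performing it. */
static bool aset(struct vector *v, size_t idx, int val)
{
    if (idx >= v->size)
        return false;
    v->contents[idx] = val;
    return true;
}

/* Simplified read_vector: items are the n elements written between #[ and ].
   With force_doc_strings set, reaching the bytecode slot also stores into
   COMPILED_CONSTANTS, the index-2 ASET seen in the backtrace; that store is
   out of bounds whenever n <= 2.  fixed enables the length check from the
   patch, which rejects the literal before anything is stored. */
static enum read_result model_read_vector(const int *items, size_t n,
                                          bool force_doc_strings, bool fixed)
{
    if (fixed && n <= COMPILED_STACK_DEPTH)
        return READ_ERROR;                 /* error ("Invalid byte code") */
    struct vector v = { n, calloc(n ? n : 1, sizeof (int)) };
    enum read_result r = READ_OK;
    for (size_t i = 0; i < n && r == READ_OK; i++) {
        if (force_doc_strings && i == COMPILED_BYTECODE
            && !aset(&v, COMPILED_CONSTANTS, items[i]))
            r = READ_OOB_WRITE;
        else if (!aset(&v, i, items[i]))
            r = READ_OOB_WRITE;
    }
    free(v.contents);
    return r;
}

int main(void)
{
    static const int two[] = { 0, 0 };   /* constructed stand-in for #[0 ""] */
    printf("unfixed, force-doc-strings: %d (2 = out-of-bounds write)\n",
           model_read_vector(two, 2, true, false));
    printf("fixed,   force-doc-strings: %d (1 = error signalled)\n",
           model_read_vector(two, 2, true, true));
    return 0;
}
```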

* bug#31556: 27.0.50; Reading a certain invalid bytecode object triggers an assertion
@ 2018-05-22 19:45 ` Paul Eggert
From: Paul Eggert @ 2018-05-22 19:45 UTC (permalink / raw)
  To: Philipp; +Cc: 31556-done, Pip Cet

Thanks for reporting that. I installed the attached to fix it. If you 
see similar bugs in this area, please let us know.


[-- Attachment #2: 0001-Fix-failed-assertion-when-load-force-doc-strings.patch --]
[-- Type: text/x-patch, Size: 1514 bytes --]

From f47a28e686706290008c9c0e5ee3a2f241d6acae Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 22 May 2018 12:26:22 -0700
Subject: [PATCH] Fix failed assertion when load-force-doc-strings

Problem reported by Philipp Stephani (Bug#31556).
* src/lread.c (read_vector): When load_force_doc_strings, check
for byte code vectors that are invalid because they are too short.
* test/src/lread-tests.el (lread-invalid-bytecodes): New test.
---
 src/lread.c             | 4 +++-
 test/src/lread-tests.el | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/lread.c b/src/lread.c
index b8db117c79..239c66ccb8 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -3829,9 +3829,11 @@ read_vector (Lisp_Object readcharfun, bool bytecodeflag)
 
   tem = read_list (1, readcharfun);
   len = Flength (tem);
+  if (bytecodeflag && XFASTINT (len) <= COMPILED_STACK_DEPTH)
+    error ("Invalid byte code");
   vector = Fmake_vector (len, Qnil);
 
-  size = ASIZE (vector);
+  size = XFASTINT (len);
   ptr = XVECTOR (vector)->contents;
   for (i = 0; i < size; i++)
     {
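Review bot: the new condition `bytecodeflag && XFASTINT (len) <= COMPILED_STACK_DEPTH` rejects every short `#[...]` literal, while the commit message says the check applies "When load_force_doc_strings"; either add `load_force_doc_strings` to the condition or reword the message so they agree. A one-line comment above the check stating why COMPILED_STACK_DEPTH is the bound (the reader stores into index 2 on the doc-string path, as the `ASET(..., idx=2, ...)` frame in the report shows, so anything shorter than the fixed leading slots cannot be filled safely) would keep the next reader from loosening it. Replacing `ASIZE (vector)` with `XFASTINT (len)` is harmless since the vector was just created with that length, but it is unrelated to the fix and could be left out to keep the hunk minimal.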
diff --git a/test/src/lread-tests.el b/test/src/lread-tests.el
index 647e886d34..639a6da93a 100644
--- a/test/src/lread-tests.el
+++ b/test/src/lread-tests.el
@@ -207,4 +207,8 @@ lread-tests--last-message
      ;; bug was fixed.
      (eval-buffer))))
 
+(ert-deftest lread-invalid-bytecodes ()
+  (should-error
+   (let ((load-force-doc-strings t)) (read "#[0 \"\"]"))))
+
 ;;; lread-tests.el ends here
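Review bot: the test only exercises `#[0 \"\"]` with `load-force-doc-strings` bound to t, and `should-error` accepts any error, so a failure mode that signals a different error would still pass; consider `:type 'error` together with a check that the message is "Invalid byte code". Since the C condition in the first hunk does not test `load_force_doc_strings`, add the complementary cases too: the same short literal with `load-force-doc-strings` nil, and a byte-code literal of the minimum accepted length that must still read without error, so the boundary chosen in lread.c is pinned down by the test.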
-- 
2.17.0


