From: Paul Eggert
Newsgroups: gmane.emacs.bugs
Subject: bug#8668: * editfns.c (Fformat): Fix several integer overflow problems.
Date: Thu, 12 May 2011 20:01:52 -0700
Organization: UCLA Computer Science Department
Message-ID: <4DCC9F20.7020001@cs.ucla.edu>
To: 8668@debbugs.gnu.org
Here's a patch for several integer overflow problems in (format ...), including some that cause core dumps. I plan to install this into the trunk after some more testing.

* editfns.c (Fformat): Fix several integer overflow problems.
For example, without this change, (format "%2147483648d" 1)
dumps core on x86-64 GNU/Linux.
Use EMACS_INT, not size_t, for sizes, since we prefer using
signed values, and EMACS_INT will be big enough soon, even on
32-bit hosts.  Also, prefer EMACS_INT to int for sizes.
Don't assume that pI is either "l" or ""; it might be "ll" or "I64".
Check for width and precision greater than INT_MAX, as this can
make sprintf go kaflooey.
=== modified file 'src/editfns.c' --- src/editfns.c 2011-04-14 19:34:42 +0000 +++ src/editfns.c 2011-05-13 02:30:06 +0000 @@ -3583,11 +3583,12 @@ usage: (format STRING &rest OBJECTS) */) (size_t nargs, register Lisp_Object *args) { - register size_t n; /* The number of the next arg to substitute */ - register size_t total; /* An estimate of the final length */ + register EMACS_INT n; /* The number of the next arg to substitute */ + register EMACS_INT total; /* An estimate of the final length */ + int pIlen = sizeof pI - 1; char *buf, *p; register char *format, *end, *format_start; - int nchars; + EMACS_INT nchars; /* Nonzero if the output should be a multibyte string, which is true if any of the inputs is one. */ int multibyte = 0; @@ -3603,7 +3604,7 @@ no argument, *will* be assigned to in the case that a `%' and `.' occur after the final format specifier. */ int *precision = (int *) (alloca ((nargs + 1) * sizeof (int))); - int longest_format; + EMACS_INT longest_format; Lisp_Object val; int arg_intervals = 0; USE_SAFE_ALLOCA; @@ -3619,7 +3620,8 @@ info[0] is unused. Unused elements have -1 for start. */ struct info { - int start, end, intervals; + EMACS_INT start, end; + int intervals; } *info = 0; /* It should not be necessary to GCPRO ARGS, because @@ -3660,8 +3662,8 @@ /* Allocate the info and discarded tables. */ { - size_t nbytes = (nargs+1) * sizeof *info; - size_t i; + EMACS_INT nbytes = (nargs + 1) * sizeof *info; + EMACS_INT i; if (!info) info = (struct info *) alloca (nbytes); memset (info, 0, nbytes); 
@@ -3706,25 +3708,33 @@ || * format == ' ' || *format == '+')) ++format; + /* Parse width and precision, limiting them to the range of 'int' + because otherwise the underyling sprintf may go kaflooey. */ + if (*format >= '0' && *format <= '9') { - for (field_width = 0; *format >= '0' && *format <= '9'; ++format) - field_width = 10 * field_width + *format - '0'; + char *width_end; + unsigned long width = strtoul (format, &width_end, 10); + if (INT_MAX < width) + error ("Format string field width too large"); + field_width = width; + format = width_end; } /* N is not incremented for another few lines below, so refer to element N+1 (which might be precision[NARGS]). */ if (*format == '.') { - ++format; - for (precision[n+1] = 0; *format >= '0' && *format <= '9'; ++format) - precision[n+1] = 10 * precision[n+1] + *format - '0'; + char *prec_end; + unsigned long prec = strtoul (format + 1, &prec_end, 10); + if (INT_MAX < prec) + error ("Format string precision too large"); + precision[n + 1] = prec; + format = prec_end; } - /* Extra +1 for 'l' that we may need to insert into the - format. */ - if (format - this_format_start + 2 > longest_format) - longest_format = format - this_format_start + 2; + if (longest_format < format - this_format_start + pIlen + 1) + longest_format = format - this_format_start + pIlen + 1; if (format == end) error ("Format string ends in middle of format specifier"); 
@@ -3975,24 +3985,22 @@ } else if (INTEGERP (args[n]) || FLOATP (args[n])) { - int this_nchars; + EMACS_INT this_nchars; + EMACS_INT this_format_len = format - this_format_start; - memcpy (this_format, this_format_start, - format - this_format_start); - this_format[format - this_format_start] = 0; + memcpy (this_format, this_format_start, this_format_len); + this_format[this_format_len] = 0; if (format[-1] == 'e' || format[-1] == 'f' || format[-1] == 'g') sprintf (p, this_format, XFLOAT_DATA (args[n])); else { - if (sizeof (EMACS_INT) > sizeof (int) - && format[-1] != 'c') + if (pIlen && format[-1] != 'c') { - /* Insert 'l' before format spec. */ - this_format[format - this_format_start] - = this_format[format - this_format_start - 1]; - this_format[format - this_format_start - 1] = 'l'; - this_format[format - this_format_start + 1] = 0; + /* Insert pI before format spec. */ + memcpy (&this_format[this_format_len - 1], pI, pIlen); + this_format[this_format_len + pIlen - 1] = format[-1]; + this_format[this_format_len + pIlen] = 0; } if (INTEGERP (args[n])) @@ -4089,7 +4097,7 @@ if (CONSP (props)) { EMACS_INT bytepos = 0, position = 0, translated = 0; - int argn = 1; + EMACS_INT argn = 1; Lisp_Object list; /* Adjust the bounds of each text property
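Review bot: in the @@ -3583,11 +3583,12 @@ hunk, `nargs` stays `size_t` in the signature (`(size_t nargs, register Lisp_Object *args)`) while `n`, the index into those args, becomes `EMACS_INT`, so every comparison of `n` against `nargs` further down now mixes signed and unsigned operands; take `nargs` as EMACS_INT as well, or cast at the comparison sites, so -Wsign-compare stays quiet and the intent is visible. Separately, widening `total` ("An estimate of the final length") does not by itself make the estimate safe: the new INT_MAX bound is per field, and the commit message says EMACS_INT is only "big enough soon" on 32-bit hosts, so a sum of several near-INT_MAX widths can still wrap before the output buffer is sized from it. An explicit overflow check on each addition to `total` would close that regardless of the type's width.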
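Review bot: in the @@ -3603,7 +3604,7 @@ hunk, `precision` is left as `int *` while `longest_format` and the neighbouring counters move to EMACS_INT; that is the right choice, since precision is bounded to INT_MAX before it is stored, but a one-line comment at the declaration ("int because it is bounded to INT_MAX and handed to sprintf") would stop the next reader from "fixing" it to EMACS_INT and widening the `alloca ((nargs + 1) * sizeof (int))` for nothing.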
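Review bot: in the @@ -3660,8 +3662,8 @@ hunk, `EMACS_INT nbytes = (nargs + 1) * sizeof *info;` still evaluates the product in `size_t` (both operands are unsigned) and only then converts it, so the signed type does not prevent the multiplication from wrapping for a very large `nargs` before `alloca (nbytes)` runs. If `nargs` is not already bounded by the caller, check `nargs < MOST_POSITIVE_FIXNUM / sizeof *info` (or similar) first; and since `USE_SAFE_ALLOCA` is already declared in this function, a caller-controlled size like this is a candidate for SAFE_ALLOCA rather than a bare alloca.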
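Review bot: in the @@ -3706,25 +3708,33 @@ hunk, the precision branch calls `strtoul (format + 1, &prec_end, 10)` without first checking that a digit follows the '.', unlike the width branch, which is entered only when `*format >= '0' && *format <= '9'`. strtoul skips leading whitespace and accepts a sign, so "%. 5d" and "%.+5d" now parse as precision 5, whereas the old loop left `precision[n+1]` at 0 and stopped at the blank or sign; and "%.-5d" is rejected with the misleading "Format string precision too large" message, because strtoul negates in unsigned arithmetic and returns a value above INT_MAX. Suggest mirroring the width guard: `++format; if ('0' <= *format && *format <= '9') { ... strtoul ... } else precision[n + 1] = 0;`. Minor: the new comment says "underyling".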
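Review bot: in the @@ -3975,24 +3985,22 @@ hunk, the memcpy of `pI` at `&this_format[this_format_len - 1]`, followed by the conversion character at `this_format_len + pIlen - 1` and the NUL at `this_format_len + pIlen`, writes exactly `this_format_len + pIlen + 1` bytes, which matches the `format - this_format_start + pIlen + 1` reserved through `longest_format` in the earlier hunk. That is correct but the two hunks are coupled silently; an `eassert (this_format_len + pIlen < longest_format)` just before the memcpy would document the invariant and catch a future edit to either side. Also, if `this_nchars` is assigned from sprintf's `int` return value, widening it to EMACS_INT changes nothing on its own; the real protection is the INT_MAX bound on width and precision, and a comment saying so would help.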
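The two parsing strategies the patch swaps, shown side by side as an added stand-alone example (this is not Paul's patch or Emacs code): the pre-patch digit loop that accumulates a width into an int with no bound, and the strtoul-plus-INT_MAX bound the patch introduces, followed by rendering that hands width and precision to snprintf through "%*.*ld" and measures the output length before allocating anything. The struct and enum names, the MAX_OUT cap, the 'd'-only grammar, and the extra requirement that a digit follow '.' are this example's own choices, not something the patch does.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed "width[.precision]" of a spec like "%10.5d"; 'd' only, no flags.  */
struct spec_dims {
  int width;       /* 0 when absent */
  int precision;   /* -1 when absent; "%.d" gives 0 */
};

enum spec_status {
  SPEC_OK = 0, SPEC_WIDTH_TOO_LARGE, SPEC_PRECISION_TOO_LARGE,
  SPEC_BAD_PRECISION, SPEC_BAD_CONVERSION, SPEC_OUTPUT_TOO_LARGE
};

/* Pre-patch style: digits accumulated into an int with no bound.  Signed
   overflow is undefined, so the loop runs in unsigned purely to make the
   wrap-around observable before narrowing to int as the old code did.  */
static int parse_width_unchecked (const char *s)
{
  unsigned int w = 0;
  while (*s >= '0' && *s <= '9')
    w = 10 * w + (unsigned int) (*s++ - '0');
  return (int) w;                    /* "2147483648" comes back negative */
}

/* Patch-style parse: strtoul plus an INT_MAX bound, so the value handed to
   sprintf's '*' argument always fits in an int.  One guard beyond the patch
   (this example's own addition): a digit must follow '.', because strtoul
   itself skips leading whitespace and accepts a sign.  */
static enum spec_status parse_spec (const char *s, struct spec_dims *out)
{
  char *end;
  unsigned long v;
  out->width = 0, out->precision = -1;
  if (*s == '%') s++;
  if (*s >= '0' && *s <= '9') {
    v = strtoul (s, &end, 10);       /* ULONG_MAX on overflow */
    if (v > INT_MAX)
      return SPEC_WIDTH_TOO_LARGE;
    out->width = (int) v, s = end;
  }
  if (*s == '.') {
    s++;
    if (*s >= '0' && *s <= '9') {
      v = strtoul (s, &end, 10);
      if (v > INT_MAX)
        return SPEC_PRECISION_TOO_LARGE;
      out->precision = (int) v, s = end;
    } else if (*s == '-' || *s == '+' || *s == ' ')
      return SPEC_BAD_PRECISION;     /* strtoul would have eaten these */
    else
      out->precision = 0;            /* "%.d" means precision 0 */
  }
  return (*s == 'd' && s[1] == '\0') ? SPEC_OK : SPEC_BAD_CONVERSION;
}

#define MAX_OUT 4096   /* INT_MAX is a valid width, not a sane malloc size */

/* Render VALUE under SPEC into a malloc'd string, or NULL with *STATUS set.
   Width and precision travel through "%*.*ld", whose '*' arguments are ints
   (the only type sprintf accepts for them), and the length is measured with
   snprintf (NULL, 0, ...) first, so the size estimate cannot overflow.  */
static char *render_int (const char *spec, long value, enum spec_status *status)
{
  struct spec_dims d; int need; char *buf;
  if ((*status = parse_spec (spec, &d)) != SPEC_OK)
    return NULL;
  need = snprintf (NULL, 0, "%*.*ld", d.width, d.precision, value);
  buf = (need < 0 || need >= MAX_OUT) ? NULL : malloc ((size_t) need + 1);
  if (buf == NULL) {                 /* too wide, or out of memory */
    *status = SPEC_OUTPUT_TOO_LARGE;
    return NULL;
  }
  snprintf (buf, (size_t) need + 1, "%*.*ld", d.width, d.precision, value);
  return buf;
}

static enum spec_status status_of (const char *spec)
{ struct spec_dims d; return parse_spec (spec, &d); }
static enum spec_status render_status (const char *spec, long value)
{ enum spec_status st; free (render_int (spec, value, &st)); return st; }
static int renders_as (const char *spec, long value, const char *expected)
{
  enum spec_status st;
  char *s = render_int (spec, value, &st);
  int ok = s != NULL && strcmp (s, expected) == 0;
  free (s); return ok;
}

int main (void)
{
  enum spec_status st;
  char *s = render_int ("%10.5d", 42, &st);
  printf ("[%s] status %d\n", s ? s : "", (int) st);
  free (s);
  return 0;
}
```

The point of routing width and precision through "%*.*ld" rather than splicing digits back into a format string is that the C library then never sees anything wider than an int, which is the same property the patch's INT_MAX checks establish for Fformat; measuring with snprintf (NULL, 0, ...) replaces the hand-maintained length estimate that the patch's `total` variable represents.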