From: Jan Djärv
Newsgroups: gmane.emacs.bugs
Subject: bug#9196: integer and memory overflow issues (e.g., cut-and-paste crashes Emacs)
Date: Fri, 29 Jul 2011 12:01:15 +0200
Message-ID: <4E3284EB.1010308@swipnet.se>
In-Reply-To: <4E3256E9.3020208@cs.ucla.edu>
To: Paul Eggert
Cc: 9196@debbugs.gnu.org

Hello.

Since strlen is defined to return size_t and you store the result in a ptrdiff_t, does not that mean you have introduced a possible signed/unsigned conversion error?

In gtkutil.c:

+  ptrdiff_t lim = min (TYPE_MAXIMUM (Window),
+                       min (PTRDIFF_MAX, SIZE_MAX) / sizeof (GtkWidget *));

Isn't this a compile time constant? Should it not be a #define or something?

IMHO, the check in gtkutil.c will only call memory_full when there are 2^31 (about 2 billion) scroll bars in Emacs. Isn't it overengineering to check for that case?

In xgselect.c:

+  int gfds_size_max =
+    min (INT_MAX, min (PTRDIFF_MAX, SIZE_MAX) / sizeof *gfds);

Here a compile time constant is recalculated inside a loop.

The xgselect.c is also overengineering IMHO. The number checked represents the number of file descriptor sources Glib is checking. I can understand checking sizes for strings that come from external sources, but only code adds file descriptor sources. If some bug causes the addition of 2 billion sources, a crash would be fine by me. Actually better than memory_full, because the core is much more useful.

I haven't looked at the other files. I hope to find time to look at xselect.c at least.

Jan D.
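Review bot: the purpose of `lim` in the gtkutil.c hunk is not documented at the point of use; a comment stating that it bounds the scroll-bar count so that the product with `sizeof (GtkWidget *)` can neither wrap size_t nor exceed PTRDIFF_MAX before the allocation is made would make the check's intent clear, and since every operand (TYPE_MAXIMUM (Window), PTRDIFF_MAX, SIZE_MAX, sizeof (GtkWidget *)) is a constant, the value can be defined once at file scope rather than written out where it is used.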
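Review bot: in the xgselect.c hunk the right-hand side of `gfds_size_max` is an unsigned expression (SIZE_MAX and `sizeof *gfds` are unsigned), so the store into `int` is an implicit narrowing conversion; the outer `min (INT_MAX, ...)` keeps the value in range, but an explicit cast, together with moving the constant out of the loop into a file-scope `static const int` or enumerator, would document that the narrowing is intentional and avoid re-evaluating the bound on every iteration.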
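The allocation bound quoted from the patch, written out as a reusable check in C, together with the strlen-to-ptrdiff_t conversion done through an explicit range check rather than an implicit one. This is an added example, not code from Emacs or from the patch under discussion; `ALLOC_BYTES_MAX`, `ALLOC_COUNT_MAX`, `ptrdiff_strlen`, `array_bytes_ok`, and the `fdset` type are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest object size that fits both size_t (what malloc accepts) and
   ptrdiff_t (so pointer differences inside the object stay defined).
   This is the min (PTRDIFF_MAX, SIZE_MAX) idiom from the patch, evaluated
   once as a constant instead of at each use site. */
#define ALLOC_BYTES_MAX \
  ((size_t) PTRDIFF_MAX < SIZE_MAX ? (size_t) PTRDIFF_MAX : SIZE_MAX)

/* Element-count bound for an array of ELEM_SIZE-byte elements: the largest
   count whose product with ELEM_SIZE cannot wrap or exceed the byte bound. */
#define ALLOC_COUNT_MAX(elem_size) (ALLOC_BYTES_MAX / (elem_size))

/* strlen returns size_t; store it in a ptrdiff_t only after checking the
   range, so a string longer than PTRDIFF_MAX is reported, not silently
   converted to a negative length.  Returns 1 on success, 0 if too long. */
int ptrdiff_strlen(const char *s, ptrdiff_t *out)
{
    size_t n = strlen(s);
    if (n > (size_t) PTRDIFF_MAX)
        return 0;
    *out = (ptrdiff_t) n;
    return 1;
}

/* Compute count * elem_size into *bytes, or return 0 when the product
   would exceed ALLOC_BYTES_MAX, count is negative, or elem_size is zero. */
int array_bytes_ok(ptrdiff_t count, size_t elem_size, size_t *bytes)
{
    if (count < 0 || elem_size == 0)
        return 0;
    if ((size_t) count > ALLOC_COUNT_MAX(elem_size))
        return 0;
    *bytes = (size_t) count * elem_size;
    return 1;
}

/* Single-value wrappers: -1 / 0 signal failure (hypothetical helpers). */
ptrdiff_t strlen_or_minus1(const char *s)
{
    ptrdiff_t n;
    return ptrdiff_strlen(s, &n) ? n : -1;
}
size_t bytes_or_zero(ptrdiff_t count, size_t elem_size)
{
    size_t b;
    return array_bytes_ok(count, elem_size, &b) ? b : 0;
}

/* Hypothetical growable array of file descriptors, standing in for the
   gfds array in the patch. */
struct fdset { int *fds; ptrdiff_t len; ptrdiff_t cap; };

/* Append fd, doubling capacity but clamping to the element-count bound.
   Returns 1 on success, 0 when the bound is reached or realloc fails; the
   caller decides whether that is fatal (memory_full) or merely an error. */
int fdset_push(struct fdset *s, int fd)
{
    if (s->len == s->cap) {
        ptrdiff_t max = (ptrdiff_t) ALLOC_COUNT_MAX(sizeof *s->fds);
        if (s->cap >= max)
            return 0;                       /* already at the bound */
        ptrdiff_t ncap = s->cap == 0 ? 16
                       : (s->cap <= max / 2 ? s->cap * 2 : max);
        size_t bytes;
        if (!array_bytes_ok(ncap, sizeof *s->fds, &bytes))
            return 0;                       /* unreachable by construction; kept as a guard */
        int *p = realloc(s->fds, bytes);
        if (!p)
            return 0;
        s->fds = p;
        s->cap = ncap;
    }
    s->fds[s->len++] = fd;
    return 1;
}

void fdset_free(struct fdset *s)
{
    free(s->fds);
    s->fds = NULL;
    s->len = s->cap = 0;
}

/* Push descriptors 0..n-1 into a fresh set and return how many fit. */
ptrdiff_t fdset_fill(ptrdiff_t n)
{
    struct fdset s = { NULL, 0, 0 };
    for (ptrdiff_t i = 0; i < n; i++)
        if (!fdset_push(&s, (int) i))
            break;
    ptrdiff_t len = s.len;
    fdset_free(&s);
    return len;
}

int main(void)
{
    printf("len(\"hello\") = %td\n", strlen_or_minus1("hello"));
    printf("10 * 4 bytes ok -> %zu\n", bytes_or_zero(10, 4));
    printf("PTRDIFF_MAX * 2 bytes ok -> %zu\n", bytes_or_zero(PTRDIFF_MAX, 2));
    printf("filled %td fds\n", fdset_fill(100));
    return 0;
}
```

The count bound is derived from the byte bound once, so the multiplication in `array_bytes_ok` is only performed after the check has established it cannot wrap; whether hitting the bound should abort (as `memory_full` does) or return an error is left to the caller, which is the policy question the message raises.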