unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#30004: 27.0.50; call-interactively reads uninitialized memory
@ 2018-01-06 11:31 Philipp
  2018-01-06 15:56 ` Eli Zaretskii
  0 siblings, 1 reply; 4+ messages in thread
From: Philipp @ 2018-01-06 11:31 UTC (permalink / raw)
  To: 30004


When passing a byte that would start a multibyte sequence,
`call-interactively` uses STRING_CHAR without checking whether the
entire multibyte sequence is actually part of the string.  For example:

$ emacs -batch -nw -Q -eval '(call-interactively (lambda () (interactive "\xFF")))'
Invalid control letter ‘𿯾’ (#o775776, #x3fbfe) in interactive calling string



In GNU Emacs 27.0.50 (build 4, x86_64-apple-darwin17.3.0, NS appkit-1561.20 Version 10.13.2 (Build 17C88))
 of 2018-01-02 built on p
Repository revision: 1330afd3debc5a0d5d7d58a5db3f73f84b04be26
Windowing system distributor 'Apple', version 10.3.1561
System Description:  Mac OS X 10.13.2

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS JSON

Important settings:
  value of $LANG: de_DE.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc puny seq byte-opt gv
bytecomp byte-compile cconv cl-loaddefs cl-lib dired dired-loaddefs
format-spec rfc822 mml easymenu mml-sec password-cache epa derived epg
epg-config gnus-util rmail rmail-loaddefs mm-decode mm-bodies mm-encode
mail-parse rfc2231 mailabbrev gmm-utils mailheader sendmail rfc2047
rfc2045 ietf-drums mm-util mail-prsvr mail-utils elec-pair time-date
tooltip eldoc electric uniquify ediff-hook vc-hooks lisp-float-type
mwheel term/ns-win ns-win ucs-normalize mule-util term/common-win
tool-bar dnd fontset image regexp-opt fringe tabulated-list replace
newcomment text-mode elisp-mode lisp-mode prog-mode register page
menu-bar rfn-eshadow isearch timer select scroll-bar mouse jit-lock
font-lock syntax facemenu font-core term/tty-colors frame cl-generic
cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao
korean japanese eucjp-ms cp51932 hebrew greek romanian slovak czech
european ethiopic indian cyrillic chinese composite charscript charprop
case-table epa-hook jka-cmpr-hook help simple abbrev obarray minibuffer
cl-preloaded nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote kqueue cocoa ns
multi-tty make-network-process emacs)

Memory information:
((conses 16 204460 8792)
 (symbols 48 20150 1)
 (miscs 40 43 191)
 (strings 32 28872 1632)
 (string-bytes 1 770467)
 (vectors 16 35128)
 (vector-slots 8 719016 12086)
 (floats 8 48 68)
 (intervals 56 197 0)
 (buffers 992 11))





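To make the bounds condition concrete, here is a stand-alone C model of the check the report calls for (an added example, not Emacs's own code): the lead byte promises a sequence length, and the decoder must compare that promise against the bytes that actually remain in the string before touching any continuation byte, otherwise it reads whatever happens to follow the string in memory. The helper names (`bytes_by_char_head`, `decode_char`, `letter_at`, `format_invalid_letter`) are this example's own; the decoder is a simplified extended-UTF-8 bit packing that assumes Emacs's lead-byte length rule (5-byte sequences for lead bytes 0xF8 and above) and ignores the raw-byte special cases Emacs's real STRING_CHAR handles. The inputs in `main` are constructed for the example.

```c
/* Added example, not Emacs code: bounds-checked decoding of the lead byte
   that an interactive-spec error message is about to print. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sequence length promised by a lead byte, following Emacs's lead-byte rule
   (assumption: same bit tests as BYTES_BY_CHAR_HEAD; 0xF8.. promise 5). */
int bytes_by_char_head(unsigned char b)
{
    if (!(b & 0x80)) return 1;
    if (!(b & 0x20)) return 2;
    if (!(b & 0x10)) return 3;
    if (!(b & 0x08)) return 4;
    return 5;
}

/* Simplified extended-UTF-8 decoder (assumption: plain bit packing, no
   raw-byte special cases).  The caller guarantees n readable bytes at p;
   this function never checks length itself, exactly like STRING_CHAR. */
unsigned decode_char(const unsigned char *p, int n)
{
    unsigned c;
    switch (n) {
    case 1:  return p[0];
    case 2:  c = p[0] & 0x1F; break;
    case 3:  c = p[0] & 0x0F; break;
    case 4:  c = p[0] & 0x07; break;
    default: c = 0;           break;   /* 5-byte form: value is in trailers */
    }
    for (int i = 1; i < n; i++)
        c = (c << 6) | (p[i] & 0x3F);
    return c;
}

/* The check the bug is about: only decode when the whole sequence the lead
   byte promises lies inside the string; otherwise report the lone byte.
   Returns the value that would go into the error message. */
unsigned letter_at(const unsigned char *str, ptrdiff_t nbytes, ptrdiff_t pos)
{
    ptrdiff_t bytes_left = nbytes - pos;
    int need = bytes_by_char_head(str[pos]);
    if (bytes_left >= need)
        return decode_char(str + pos, need);
    return str[pos];            /* truncated sequence: never read past the end */
}

/* Renders the numeric part of the message from the report.  The `%c' part is
   left out because C's %c cannot print a multibyte character code. */
int format_invalid_letter(unsigned letter, char *buf, size_t buflen)
{
    return snprintf(buf, buflen,
        "Invalid control letter (#o%03o, #x%04x) in interactive calling string",
        letter, letter);
}

int main(void)
{
    /* Constructed inputs: the report's lone 0xFF, a complete 2-byte char,
       and a 3-byte sequence cut short after two bytes. */
    const unsigned char lone[]   = { 0xFF };
    const unsigned char eacute[] = { 0xC3, 0xA9 };
    const unsigned char cut[]    = { 0xE2, 0x82 };
    char msg[96];

    format_invalid_letter(letter_at(lone, 1, 0), msg, sizeof msg);
    puts(msg);
    printf("complete: %#x, truncated: %#x\n",
           letter_at(eacute, 2, 0), letter_at(cut, 2, 0));
    return 0;
}
```

With the check in place the lone 0xFF is reported as `#o377, #x00ff` rather than as a value assembled from four bytes beyond the string, which is what the `#x3fbfe` in the original report is.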

* bug#30004: 27.0.50; call-interactively reads uninitialized memory
  2018-01-06 11:31 bug#30004: 27.0.50; call-interactively reads uninitialized memory Philipp
@ 2018-01-06 15:56 ` Eli Zaretskii
  2018-01-06 16:03   ` Philipp Stephani
  0 siblings, 1 reply; 4+ messages in thread
From: Eli Zaretskii @ 2018-01-06 15:56 UTC (permalink / raw)
  To: Philipp; +Cc: 30004

> From: Philipp <p.stephani2@gmail.com>
> Date: Sat, 06 Jan 2018 12:31:51 +0100
> 
> When passing a byte that would start a multibyte sequence,
> `call-interactively` uses STRING_CHAR without checking whether the
> entire multibyte sequence is actually part of the string.  For example:
> 
> $ emacs -batch -nw -Q -eval '(call-interactively (lambda () (interactive "\xFF")))'
> Invalid control letter ‘𿯾’ (#o775776, #x3fbfe) in interactive calling string

Thanks for catching this.  Does the patch below fix this?

diff --git a/src/callint.c b/src/callint.c
index ef22851..ede9a02 100644
--- a/src/callint.c
+++ b/src/callint.c
@@ -774,10 +774,18 @@ invoke it.  If KEYS is omitted or nil, the return value of
 	     if anyone tries to define one here.  */
 	case '+':
 	default:
-	  error ("Invalid control letter `%c' (#o%03o, #x%04x) in interactive calling string",
-		 STRING_CHAR ((unsigned char *) tem),
-		 (unsigned) STRING_CHAR ((unsigned char *) tem),
-		 (unsigned) STRING_CHAR ((unsigned char *) tem));
+	  {
+	    ptrdiff_t bytes_left = SBYTES (specs) - (tem - string);
+	    unsigned letter;
+
+	    if (bytes_left >= BYTES_BY_CHAR_HEAD (*((unsigned char *) tem)))
+	      letter = STRING_CHAR ((unsigned char *) tem);
+	    else
+	      letter = *((unsigned char *) tem);
+
+	    error ("Invalid control letter `%c' (#o%03o, #x%04x) in interactive calling string",
+		   (int) letter, letter, letter);
+	  }
 	}
 
       if (varies[i] == 0)
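Review bot: the `bytes_left` guard is applied regardless of whether `specs` is multibyte, so for a unibyte spec like the report's "\xFF" two adjacent raw bytes that happen to form a well-formed sequence are still decoded by STRING_CHAR into one character instead of the offending byte being reported. Consider making the multibyte case explicit, e.g. `if (STRING_MULTIBYTE (specs) && bytes_left >= BYTES_BY_CHAR_HEAD (*((unsigned char *) tem)))`, falling back to the single byte otherwise. A short comment noting that `tem - string` relies on `string` being the start of the spec's data would also help the next reader of this block.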






* bug#30004: 27.0.50; call-interactively reads uninitialized memory
  2018-01-06 15:56 ` Eli Zaretskii
@ 2018-01-06 16:03   ` Philipp Stephani
  2018-01-06 16:26     ` Eli Zaretskii
  0 siblings, 1 reply; 4+ messages in thread
From: Philipp Stephani @ 2018-01-06 16:03 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 30004


Eli Zaretskii <eliz@gnu.org> wrote on Sat., 6 Jan. 2018 at 16:56:

> > From: Philipp <p.stephani2@gmail.com>
> > Date: Sat, 06 Jan 2018 12:31:51 +0100
> >
> > When passing a byte that would start a multibyte sequence,
> > `call-interactively` uses STRING_CHAR without checking whether the
> > entire multibyte sequence is actually part of the string.  For example:
> >
> > $ emacs -batch -nw -Q -eval '(call-interactively (lambda () (interactive "\xFF")))'
> > Invalid control letter ‘𿯾’ (#o775776, #x3fbfe) in interactive calling string
>
> Thanks for catching this.  Does the patch below fix this?
>
>
Yes, with that patch Valgrind doesn't find any errors any more.



* bug#30004: 27.0.50; call-interactively reads uninitialized memory
  2018-01-06 16:03   ` Philipp Stephani
@ 2018-01-06 16:26     ` Eli Zaretskii
  0 siblings, 0 replies; 4+ messages in thread
From: Eli Zaretskii @ 2018-01-06 16:26 UTC (permalink / raw)
  To: Philipp Stephani; +Cc: 30004-done

> From: Philipp Stephani <p.stephani2@gmail.com>
> Date: Sat, 06 Jan 2018 16:03:44 +0000
> Cc: 30004@debbugs.gnu.org
> 
> Eli Zaretskii <eliz@gnu.org> wrote on Sat., 6 Jan. 2018 at 16:56:
> 
>  > From: Philipp <p.stephani2@gmail.com>
>  > Date: Sat, 06 Jan 2018 12:31:51 +0100
>  >
>  > When passing a byte that would start a multibyte sequence,
>  > `call-interactively` uses STRING_CHAR without checking whether the
>  > entire multibyte sequence is actually part of the string.  For example:
>  >
>  > $ emacs -batch -nw -Q -eval '(call-interactively (lambda () (interactive "\xFF")))'
>  > Invalid control letter ‘𿯾’ (#o775776, #x3fbfe) in interactive calling string
> 
>  Thanks for catching this.  Does the patch below fix this?
> 
> Yes, with that patch Valgrind doesn't find any errors any more. 

Thanks, pushed to the emacs-26 branch.






Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git
