bug#53333: Fix for crash in ebrowse

bug#53333: Fix for crash in ebrowse

[Jan Stranik via Bug reports for GNU Emacs, the Swiss army knife of text editors]

[-- Attachment #1: Type: text/plain, Size: 245 bytes --]

Hello --

attached is a patch to ebrowse. Noticed a one-off write error in case of
identifiers that are too long and need escaping. The patch prevents the
write to memory outside of allocated range which on my platform caused
segfault.

Best,



[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: ebrowse-emacs-27.2-fix.diff --]
[-- Type: text/x-diff, Size: 974 bytes --]

Dont crash on C source code (one off error)

The fix avoids one off error in case the last character in the buffer
needs to be escaped but there is not enough space in buffer to perform
the escape.

The change just simiply ignores the character in such case.

Author: Jan Stranik <jan@stranik.org>


*** /var/home/janstranik/src/emacs-27.2/lib-src/ebrowse.c~	2021-01-28 11:52:16.000000000 -0600
--- /var/home/janstranik/src/emacs-27.2/lib-src/ebrowse.c	2021-09-24 09:31:49.136287028 -0500
***************
*** 1924,1931 ****
      {
        *--s = *--t;
  
!       if (*s == '"' || *s == '\\')
!         *--s = '\\';
      }
  
    *(matching_regexp_end_buf - 1) = '\0';
--- 1924,1937 ----
      {
        *--s = *--t;
  
!       if (*s == '"' || *s == '\\') {
!           if (s > matching_regexp_buffer)
!               *--s = '\\';
!           else {
!               s++;
!               break;
!           }
!       }
      }
  
    *(matching_regexp_end_buf - 1) = '\0';

[-- Attachment #3: Type: text/plain, Size: 18 bytes --]


-- 

Jan Stranik

bug#53333: Fix for crash in ebrowse

[Eli Zaretskii]

> Date: Mon, 17 Jan 2022 17:35:36 -0500
> From:  Jan Stranik via "Bug reports for GNU Emacs,
>  the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
> 
> attached is a patch to ebrowse. Noticed a one-off write error in case of
> identifiers that are too long and need escaping. The patch prevents the
> write to memory outside of allocated range which on my platform caused
> segfault.

Thanks, but can you explain the need for this part:

> !           else {
> !               s++;
> !               break;
> !           }
> !       }

Why do we need to advance the pointer 's' in the 'else' clause? why
not leave it alone?

Or maybe I will understand the reason if you show some simple code
that hits this problem (which would be a good thing of its own, as
we'd then have a test to add to our test suite)?

bug#53333: Fix for crash in ebrowse

[Jan Stranik via Bug reports for GNU Emacs, the Swiss army knife of text editors]

>
> Thanks, but can you explain the need for this part:
>
>> !           else {
>> !               s++;
>> !               break;
>> !           }
>> !       }
>
> Why do we need to advance the pointer 's' in the 'else' clause? why
> not leave it alone?

The identifier is copied from end to the buffer. As we are copying, we
want to escape quote and backslash characters. Normally if we encounter
any of these characters we just prepend \ to in front. If there is not
enough space in the buffer to insert the \, we should increase the s, to
back-out the character that we wanted to escape.

If we would not do that, the first character might not be escaped. If
that character were a quote, it would break the lisp expressions written
later to the BROWSE file.

> Or maybe I will understand the reason if you show some simple code
> that hits this problem (which would be a good thing of its own, as
> we'd then have a test to add to our test suite)?

I encountered this in a c++ header file with very long identifiers that
just filled the buffer but the first character had to be escaped.

-- 

Jan Stranik

bug#53333: Fix for crash in ebrowse

[Eli Zaretskii]

> From: Jan Stranik <jan@stranik.org>
> Cc: 53333@debbugs.gnu.org
> Date: Tue, 18 Jan 2022 20:32:55 -0500
> 
> >
> > Thanks, but can you explain the need for this part:
> >
> >> !           else {
> >> !               s++;
> >> !               break;
> >> !           }
> >> !       }
> >
> > Why do we need to advance the pointer 's' in the 'else' clause? why
> > not leave it alone?
> 
> The identifier is copied from end to the buffer. As we are copying, we
> want to escape quote and backslash characters. Normally if we encounter
> any of these characters we just prepend \ to in front. If there is not
> enough space in the buffer to insert the \, we should increase the s, to
> back-out the character that we wanted to escape.
> 
> If we would not do that, the first character might not be escaped. If
> that character were a quote, it would break the lisp expressions written
> later to the BROWSE file.

Thanks, I installed the change on the emacs-28 branch, and I'm marking
this bug done.

bug#53333: Fix for crash in ebrowse

[Jan Stranik via Bug reports for GNU Emacs, the Swiss army knife of text editors]

>
> Thanks, I installed the change on the emacs-28 branch, and I'm marking
> this bug done.

Thank you for pushing the change.

--

Jan Stranik