From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Chong Yidong <cyd@stupidchicken.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#1380: 23.0.60; file content causes CVS emacs to crash
Date: Thu, 20 Nov 2008 02:36:31 -0500
Message-ID: <87myfuhmrk.fsf@cyd.mit.edu>
Reply-To: Chong Yidong <cyd@stupidchicken.com>, 1380@emacsbugs.donarmstrong.com
NNTP-Posting-Host: lo.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: ger.gmane.org 1227167432 6259 80.91.229.12 (20 Nov 2008 07:50:32 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Thu, 20 Nov 2008 07:50:32 +0000 (UTC)
Cc: Ted Zlatanov <tzz@lifelogs.com>, 1380@emacsbugs.donarmstrong.com
To: Kenichi Handa  <handa@m17n.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Thu Nov 20 08:51:33 2008
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([199.232.76.165])
	by lo.gmane.org with esmtp (Exim 4.50)
	id 1L34K2-0007Aq-V5
	for geb-bug-gnu-emacs@m.gmane.org; Thu, 20 Nov 2008 08:51:31 +0100
Original-Received: from localhost ([127.0.0.1]:57421 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43)
	id 1L34It-0001c7-UI
	for geb-bug-gnu-emacs@m.gmane.org; Thu, 20 Nov 2008 02:50:19 -0500
Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1L34Iq-0001bs-9V
	for bug-gnu-emacs@gnu.org; Thu, 20 Nov 2008 02:50:16 -0500
Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1L34In-0001bg-UZ
	for bug-gnu-emacs@gnu.org; Thu, 20 Nov 2008 02:50:14 -0500
Original-Received: from [199.232.76.173] (port=45632 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1L34In-0001bd-R6
	for bug-gnu-emacs@gnu.org; Thu, 20 Nov 2008 02:50:13 -0500
Original-Received: from mx20.gnu.org ([199.232.41.8]:11087)
	by monty-python.gnu.org with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.60) (envelope-from <debbugs@rzlab.ucr.edu>)
	id 1L34In-0001bc-GT
	for bug-gnu-emacs@gnu.org; Thu, 20 Nov 2008 02:50:13 -0500
Original-Received: from rzlab.ucr.edu ([138.23.92.77])
	by mx20.gnu.org with esmtp (Exim 4.60)
	(envelope-from <debbugs@rzlab.ucr.edu>) id 1L34Im-00024p-7D
	for bug-gnu-emacs@gnu.org; Thu, 20 Nov 2008 02:50:12 -0500
Original-Received: from rzlab.ucr.edu (rzlab.ucr.edu [127.0.0.1])
	by rzlab.ucr.edu (8.13.8/8.13.8/Debian-3) with ESMTP id mAK7o9cv029568; 
	Wed, 19 Nov 2008 23:50:09 -0800
Original-Received: (from debbugs@localhost)
	by rzlab.ucr.edu (8.13.8/8.13.8/Submit) id mAK7j3LH027674;
	Wed, 19 Nov 2008 23:45:03 -0800
X-Loop: don@donarmstrong.com
Resent-From: Chong Yidong <cyd@stupidchicken.com>
Resent-To: bug-submit-list@donarmstrong.com
Resent-CC: Emacs Bugs <bug-gnu-emacs@gnu.org>
Resent-Date: Thu, 20 Nov 2008 07:45:03 +0000
Resent-Message-ID: <handler.1380.B1380.122716657826324@emacsbugs.donarmstrong.com>
Resent-Sender: don@donarmstrong.com
X-Emacs-PR-Message: report 1380
X-Emacs-PR-Package: emacs
X-Emacs-PR-Keywords: 
Original-Received: via spool by 1380-submit@emacsbugs.donarmstrong.com
	id=B1380.122716657826324
	(code B ref 1380); Thu, 20 Nov 2008 07:45:03 +0000
Original-Received: (at 1380) by emacsbugs.donarmstrong.com; 20 Nov 2008 07:36:18 +0000
Original-Received: from cyd.mit.edu (CYD.MIT.EDU [18.115.2.24])
	by rzlab.ucr.edu (8.13.8/8.13.8/Debian-3) with ESMTP id mAK7aFjx026315
	for <1380@emacsbugs.donarmstrong.com>; Wed, 19 Nov 2008 23:36:16 -0800
Original-Received: by cyd.mit.edu (Postfix, from userid 1000)
	id D750757E1D8; Thu, 20 Nov 2008 02:36:31 -0500 (EST)
X-detected-kernel: by mx20.gnu.org: Linux 2.6 (newer, 3)
X-detected-operating-system: by monty-python.gnu.org: GNU/Linux 2.6,
	seldom 2.4 (older, 4)
Resent-Date: Thu, 20 Nov 2008 02:50:14 -0500
X-BeenThere: bug-gnu-emacs@gnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <http://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <http://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:22514
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/22514>

> The file content in a file causes Emacs to crash as soon as it's
> opened.  Tested with "emacs -q file".

Looks like the charbuf in the coding structure is overflowing.  The
following rough patch prevents this overflow and the crash, but maybe
there is a deeper bug.  The comments in coding.c:6610 says "We are sure
that the number of data is less than the size of coding->charbuf."  This
bug comes about due to that faile assumption.

Handa-san, what do you think?

*** trunk/src/coding.c.~1.394.~	2008-10-24 00:06:43.000000000 -0400
--- trunk/src/coding.c	2008-11-20 02:29:02.000000000 -0500
***************
*** 6617,6622 ****
--- 6617,6633 ----
  
  	      if (c & 0x80)
  		c = BYTE8_TO_CHAR (c);
+ 
+ 	      if (coding->charbuf_used >= coding->charbuf_size)
+ 		{
+ 		  int *old_charbuf = coding->charbuf;
+ 
+ 		  coding->charbuf_size *= 2;
+ 		  coding->charbuf = (int *) alloca (sizeof (int)
+ 						    * coding->charbuf_size);
+ 		  bcopy (old_charbuf, coding->charbuf, coding->charbuf_size);
+ 		}
+ 
  	      coding->charbuf[coding->charbuf_used++] = c;
  	    }
  	  produce_chars (coding, Qnil, 1);