From: Paul Eggert
Newsgroups: gmane.emacs.bugs
Subject: bug#41936: 28.0.50; AREF: assert that the index is inside bounds
Date: Thu, 18 Jun 2020 14:06:31 -0700
Organization: UCLA Computer Science Department
Message-ID: <9b502c26-1406-9a38-fb25-177e59fc6388@cs.ucla.edu>
References: <87bllggml7.fsf@calancha-pc.dy.bbexcite.jp>
In-Reply-To: <87bllggml7.fsf@calancha-pc.dy.bbexcite.jp>
To: Tino Calancha
Cc: 41936-done@debbugs.gnu.org, uyennhi.qm@gmail.com

On 6/18/20 1:12 PM, Tino Calancha wrote:
> Is it OK for you to add the following patch?

Yes, good idea. I wondered a while ago (to myself) why AREF doesn't check subscripts when Emacs is configured with --enable-checking. Now that I think about it more, it's most likely because AREF was a macro and didn't want to evaluate its index argument multiple times. We don't need to worry about that any more.
aref_addr should have a similar check (off by one since one can address one past the end of an array).

There's no need to change test/manual/etags/c-src/emacs/src/lisp.h as that's just a data file (and changes can be harmful there as they can mess up the tests).

I installed the attached.

>From e14eec7cd4a4217a0908a35415610e0fdb8604f0 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Thu, 18 Jun 2020 14:01:56 -0700 Subject: [PATCH] Check AREF and aref_addr subscripts * src/lisp.h (gc_asize): Move before first use. (AREF, aref_addr): Check subscripts. Co-authored-by: Tino Calancha --- src/lisp.h | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/src/lisp.h b/src/lisp.h index 3442699088..7b4f484b9b 100644 --- a/src/lisp.h +++ b/src/lisp.h @@ -1671,6 +1671,13 @@ ASIZE (Lisp_Object array) return size; } +INLINE ptrdiff_t +gc_asize (Lisp_Object array) +{ + /* Like ASIZE, but also can be used in the garbage collector. */ + return XVECTOR (array)->header.size & ~ARRAY_MARK_FLAG; +} + INLINE ptrdiff_t PVSIZE (Lisp_Object pv) { 
@@ -1853,22 +1860,17 @@ bool_vector_set (Lisp_Object a, EMACS_INT i, bool b) INLINE Lisp_Object AREF (Lisp_Object array, ptrdiff_t idx) { + eassert (0 <= idx && idx < gc_asize (array)); return XVECTOR (array)->contents[idx]; } INLINE Lisp_Object * aref_addr (Lisp_Object array, ptrdiff_t idx) { + eassert (0 <= idx && idx <= gc_asize (array)); return & XVECTOR (array)->contents[idx]; } -INLINE ptrdiff_t -gc_asize (Lisp_Object array) -{ - /* Like ASIZE, but also can be used in the garbage collector. */ - return XVECTOR (array)->header.size & ~ARRAY_MARK_FLAG; -} - INLINE void ASET (Lisp_Object array, ptrdiff_t idx, Lisp_Object val) { -- 2.17.1 --------------E94B5D9223D64F8718A4F1F8--
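
Review bot: the comment on gc_asize in the first hunk (@@ -1671,6 +1671,13 @@) still describes it only as "Like ASIZE, but also can be used in the garbage collector", yet after this patch its return value is the bound in the AREF and aref_addr assertions. The function clears only ARRAY_MARK_FLAG from header.size, so if that word can hold any other flag bits for some object passed to AREF, the bound would exceed the real element count and the assertion would pass without testing anything. Please extend the comment to say which objects the result is an exact element count for.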
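
Review bot: in the second hunk (@@ -1853,22 +1860,17 @@) the aref_addr assertion uses idx <= gc_asize (array) while AREF uses idx < gc_asize (array), and nothing in the code says the difference is deliberate. Please add a one-line comment on aref_addr stating that idx equal to the size is accepted only to form the one-past-the-end address, which must not be dereferenced. Both checks are eassert calls, which the message ties to builds configured with --enable-checking, so they are debugging checks and callers still need their own range validation in other builds.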
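
The two points in the message above (a checked macro would evaluate its index argument more than once, and aref_addr may accept one past the end), shown as an added example that is not from the Emacs sources. toy_vector, toy_check, TOY_AREF_MACRO and the other names are hypothetical stand-ins, and the sample data is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for a Lisp vector (hypothetical; not Emacs's real layout). */
struct toy_vector { ptrdiff_t size; int contents[4]; };
static const struct toy_vector sample = { 4, { 10, 20, 30, 40 } }; /* constructed */

static int evaluations;   /* how many times the index expression ran */
static ptrdiff_t next_index (void) { return evaluations++; }

static int failed_checks; /* a failed check is counted, not fatal, in this demo */
static void toy_check (bool ok) { if (!ok) failed_checks++; }

/* Element access needs idx < size; forming an address may use idx == size. */
bool index_ok (ptrdiff_t idx) { return 0 <= idx && idx < sample.size; }
bool addr_ok (ptrdiff_t idx) { return 0 <= idx && idx <= sample.size; }

/* Checked accessor as a macro: IDX is expanded three times. */
#define TOY_AREF_MACRO(v, idx) \
  (toy_check (0 <= (idx) && (idx) < (v)->size), (v)->contents[(idx)])

/* Checked accessor as an inline function: the caller evaluates IDX once. */
static inline int
toy_aref (const struct toy_vector *v, ptrdiff_t idx)
{
  toy_check (0 <= idx && idx < v->size);
  return v->contents[idx];
}

/* Each fetch resets the counter, then passes an index with a side effect. */
int macro_fetch (void) { evaluations = 0; return TOY_AREF_MACRO (&sample, next_index ()); }
int inline_fetch (void) { evaluations = 0; return toy_aref (&sample, next_index ()); }
int evaluation_count (void) { return evaluations; }

int
main (void)
{
  int m = macro_fetch (), mc = evaluation_count ();
  int i = inline_fetch (), ic = evaluation_count ();
  printf ("macro:  value %d after %d evaluations\n", m, mc);
  printf ("inline: value %d after %d evaluations\n", i, ic);
  printf ("idx 4:  element ok=%d, address ok=%d\n", index_ok (4), addr_ok (4));
  return failed_checks != 0;
}
```

With the macro, the check tests indexes 0 and 1 but the element fetched is at index 2, so a checking build would behave differently from a non-checking one; the inline form checks and fetches the same index.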