From: Juanma Barranquero <lekktu@gmail.com>
To: Stefan Monnier <monnier@iro.umontreal.ca>
Cc: 9874@debbugs.gnu.org, Paul Eggert <eggert@cs.ucla.edu>
Subject: bug#9874: Fixes for several integer overflow and width issues
Date: Wed, 26 Oct 2011 16:26:41 +0200 [thread overview]
Message-ID: <CAAeL0SRxqnSA3wKRkHK3KhjMfi8N4qkTACX5Yk6zfMfjuw4PTg@mail.gmail.com> (raw)
In-Reply-To: <jwvipnb26d7.fsf-monnier+emacs@gnu.org>
> Thank you very much, but we're too far in the release process for such
> large patches, so it will have to wait for 24.2.
These bugs seem serious enough:
- On my Fedora 14 x86-64 host, (signal-process 4294967295 1)
crashes my entire login session, Emacs included, and leaves my
workstation in a corrupted state in which the screen
continually flashes a nonsense pattern and I cannot log in.
This bug occurs because Emacs incorrectly assumes that fixnums
fit into pid_t values, which is not true on typical 64-bit hosts.
- The following code makes Emacs dump core:
(progn
(setq code-conversion-map-vector 0)
(register-code-conversion-map 'x (make-vector 1 1)))
- (font-get-glyphs FONT-OBJECT FROM TO) goes beserk if TO - FROM
exceeds 2**31, and if you're lucky it dumps core.
- (modify-frame-parameters FRAME ALIST) can overrun the C stack
if ALIST is long.
- The Lisp reader mishandles syntax errors like '(#^^[]), causing
it to read storage that is out of bounds of an array. It also
mishandles '(#^^[4294967297 ...]), causing it to treat the
large integer as if it were 1.
- insert-file-contents overly trusts the inserted-char counts
returned by the hooks; they should be sanity checked, to avoid
the potential for calculating incorrect buffer offsets.
- concat mishandles some long strings. It checks for byte count
overflow in places where it should check for char count overflow,
and it misses some byte count overflows.
- (find-operation-coding-system 'write-region 1 2) has an
off-by-one error that causes it to access the garbage that
is one past its argument array.
* Callers to larger_vector often blindly multiply sizes by 2, which
can lead to integer overflow with large sizes. Change
larger_vector's API to make it easier check for size overflow when
growing a vector.
next prev parent reply other threads:[~2011-10-26 14:26 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-26 7:51 bug#9874: Fixes for several integer overflow and width issues Paul Eggert
2011-10-26 8:04 ` Andreas Schwab
2011-10-26 14:09 ` Stefan Monnier
2011-10-26 14:26 ` Juanma Barranquero [this message]
2011-10-26 17:02 ` David De La Harpe Golden
2011-10-26 17:16 ` Stefan Monnier
2011-10-26 19:22 ` Andreas Schwab
2011-10-27 6:33 ` Paul Eggert
2011-10-27 8:28 ` Andreas Schwab
2011-10-27 15:14 ` Paul Eggert
2012-04-09 23:38 ` Paul Eggert
2012-05-25 20:50 ` Paul Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAAeL0SRxqnSA3wKRkHK3KhjMfi8N4qkTACX5Yk6zfMfjuw4PTg@mail.gmail.com \
--to=lekktu@gmail.com \
--cc=9874@debbugs.gnu.org \
--cc=eggert@cs.ucla.edu \
--cc=monnier@iro.umontreal.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).