From: Juanma Barranquero
Newsgroups: gmane.emacs.bugs
Subject: bug#9874: Fixes for several integer overflow and width issues
Date: Wed, 26 Oct 2011 16:26:41 +0200
References: <4EA7BBE9.4020107@cs.ucla.edu>
Cc: 9874@debbugs.gnu.org, Paul Eggert
To: Stefan Monnier
Xref: news.gmane.org gmane.emacs.bugs:53152

> Thank you very much, but we're too far in the release process for such
> large patches, so it will have to wait for 24.2.

These bugs seem serious enough:

- On my Fedora 14 x86-64 host, (signal-process 4294967295 1) crashes my
  entire login session, Emacs included, and leaves my workstation in a
  corrupted state in which the screen continually flashes a nonsense
  pattern and I cannot log in.  This bug occurs because Emacs incorrectly
  assumes that fixnums fit into pid_t values, which is not true on
  typical 64-bit hosts.

- The following code makes Emacs dump core:

    (progn
      (setq code-conversion-map-vector 0)
      (register-code-conversion-map 'x (make-vector 1 1)))

- (font-get-glyphs FONT-OBJECT FROM TO) goes berserk if TO - FROM exceeds
  2**31, and if you're lucky it dumps core.

- (modify-frame-parameters FRAME ALIST) can overrun the C stack if ALIST
  is long.

- The Lisp reader mishandles syntax errors like '(#^^[]), causing it to
  read storage that is out of bounds of an array.  It also mishandles
  '(#^^[4294967297 ...]), causing it to treat the large integer as if it
  were 1.

- insert-file-contents overly trusts the inserted-char counts returned by
  the hooks; they should be sanity checked, to avoid the potential for
  calculating incorrect buffer offsets.

- concat mishandles some long strings.  It checks for byte count overflow
  in places where it should check for char count overflow, and it misses
  some byte count overflows.

- (find-operation-coding-system 'write-region 1 2) has an off-by-one
  error that causes it to access the garbage that is one past its
  argument array.

* Callers to larger_vector often blindly multiply sizes by 2, which can
  lead to integer overflow with large sizes.  Change larger_vector's API
  to make it easier to check for size overflow when growing a vector.
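The two range checks the list above calls for, the pid_t width problem behind the signal-process crash and the overflow-safe growth that the larger_vector change is meant to enable, as an added example in C that is not code from Emacs or from this thread; fixnum_to_pid and grow_capacity are hypothetical names, and pid_t is assumed to be a signed integer type, as POSIX requires.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Hypothetical helpers written for this example; not Emacs's own code.
   pid_t is assumed to be a signed integer type, as POSIX requires. */
#define PID_T_MAX \
  ((pid_t) (((uintmax_t) 1 << (sizeof (pid_t) * CHAR_BIT - 1)) - 1))
#define PID_T_MIN ((pid_t) (-PID_T_MAX - 1))

/* Convert an integer to pid_t only if it is representable.  A plain cast
   of 4294967295 to a 32-bit pid_t yields -1, and kill(2) interprets a pid
   of -1 as "every process the caller may signal", which is consistent
   with the session-wide crash reported above. */
bool
fixnum_to_pid (intmax_t n, pid_t *out)
{
  if (n < (intmax_t) PID_T_MIN || n > (intmax_t) PID_T_MAX)
    return false;
  *out = (pid_t) n;
  return true;
}

/* Return a new element capacity that is at least MIN_NEEDED, normally by
   doubling CURRENT, without ever letting capacity * ELEM_SIZE exceed
   PTRDIFF_MAX.  Returns -1 when MIN_NEEDED itself cannot be satisfied,
   instead of wrapping around the way an unchecked "size * 2" would. */
ptrdiff_t
grow_capacity (ptrdiff_t current, ptrdiff_t min_needed, size_t elem_size)
{
  if (elem_size == 0)
    return -1;
  ptrdiff_t limit = PTRDIFF_MAX / (ptrdiff_t) elem_size;
  if (current < 0 || min_needed < 0 || min_needed > limit)
    return -1;
  /* Compare before multiplying so the doubling itself cannot overflow. */
  ptrdiff_t grown = current <= limit / 2 ? current * 2 : limit;
  return grown < min_needed ? min_needed : grown;
}
```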