* bug#72245: [PATCH] Fix integer overflow when reading XPM
@ 2024-07-22 14:35 Stefan Kangas
2024-07-22 15:01 ` Eli Zaretskii
2024-07-23 2:06 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
0 siblings, 2 replies; 17+ messages in thread
From: Stefan Kangas @ 2024-07-22 14:35 UTC (permalink / raw)
To: 72245
[-- Attachment #1: Type: text/plain, Size: 172 bytes --]
Severity: minor
Since XPM files are untrusted input, I think we'd better handle integer
overflow when parsing it, in case the file is malformed.
Proposed patch attached.
[-- Attachment #2: 0001-Fix-integer-overflow-when-reading-XPM.patch --]
[-- Type: text/x-patch, Size: 2111 bytes --]
From 2aa0e1ac9705201939b30a8ca39b3354cbd62a8e Mon Sep 17 00:00:00 2001
From: Stefan Kangas <stefankangas@gmail.com>
Date: Mon, 22 Jul 2024 16:00:30 +0200
Subject: [PATCH] Fix integer overflow when reading XPM
* src/image.c (xpm_str_to_int): New function.
(xpm_load_image): Avoid integer overflow when reading XPM by replacing
sscanf with strtol, to correctly handle integer overflow when reading a
malformed XPM file.
---
src/image.c | 34 ++++++++++++++++++++++++++++++----
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/src/image.c b/src/image.c
index 90e6312e128..d8a8dc57ea9 100644
--- a/src/image.c
+++ b/src/image.c
@@ -19,6 +19,7 @@ Copyright (C) 1989-2024 Free Software Foundation, Inc.
#include <config.h>
+#include <errno.h>
#include <fcntl.h>
#include <math.h>
#include <unistd.h>
@@ -6254,6 +6255,27 @@ xpm_str_to_color_key (const char *s)
return -1;
}
+static int
+xpm_str_to_int (char **buf)
+{
+ char *p;
+
+ errno = 0;
+ long result = strtol (*buf, &p, 10);
+ if (p == *buf || errno == ERANGE || errno == EINVAL
+ || result < INT_MIN || result > INT_MAX)
+ return -1;
+
+ /* Error out if we see something like "12x3xyz". */
+ if (!c_isspace (*p) && *p != '\0')
+ return -1;
+
+ /* Update position to read next integer. */
+ *buf = p;
+
+ return (int)result;
+}
+
static bool
xpm_load_image (struct frame *f,
struct image *img,
@@ -6311,10 +6333,14 @@ #define expect_ident(IDENT) \
goto failure;
memcpy (buffer, beg, len);
buffer[len] = '\0';
- if (sscanf (buffer, "%d %d %d %d", &width, &height,
- &num_colors, &chars_per_pixel) != 4
- || width <= 0 || height <= 0
- || num_colors <= 0 || chars_per_pixel <= 0)
+ char *next_int = buffer;
+ if ((width = xpm_str_to_int (&next_int)) <= 0)
+ goto failure;
+ if ((height = xpm_str_to_int (&next_int)) <= 0)
+ goto failure;
+ if ((num_colors = xpm_str_to_int (&next_int)) <= 0)
+ goto failure;
+ if ((chars_per_pixel = xpm_str_to_int (&next_int)) <= 0)
goto failure;
if (!check_image_size (f, width, height))
--
2.45.2
^ permalink raw reply related [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-22 14:35 bug#72245: [PATCH] Fix integer overflow when reading XPM Stefan Kangas
@ 2024-07-22 15:01 ` Eli Zaretskii
2024-07-22 15:39 ` Paul Eggert
2024-07-23 2:06 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
1 sibling, 1 reply; 17+ messages in thread
From: Eli Zaretskii @ 2024-07-22 15:01 UTC (permalink / raw)
To: Stefan Kangas, Paul Eggert; +Cc: 72245
> From: Stefan Kangas <stefankangas@gmail.com>
> Date: Mon, 22 Jul 2024 07:35:55 -0700
>
> Since XPM files are untrusted input, I think we'd better handle integer
> overflow when parsing it, in case the file is malformed.
>
> Proposed patch attached.
Thanks.
Paul, any comments or suggestions?
> From 2aa0e1ac9705201939b30a8ca39b3354cbd62a8e Mon Sep 17 00:00:00 2001
> From: Stefan Kangas <stefankangas@gmail.com>
> Date: Mon, 22 Jul 2024 16:00:30 +0200
> Subject: [PATCH] Fix integer overflow when reading XPM
>
> * src/image.c (xpm_str_to_int): New function.
> (xpm_load_image): Avoid integer overflow when reading XPM by replacing
> sscanf with strtol, to correctly handle integer overflow when reading a
> malformed XPM file.
> ---
> src/image.c | 34 ++++++++++++++++++++++++++++++----
> 1 file changed, 30 insertions(+), 4 deletions(-)
>
> diff --git a/src/image.c b/src/image.c
> index 90e6312e128..d8a8dc57ea9 100644
> --- a/src/image.c
> +++ b/src/image.c
> @@ -19,6 +19,7 @@ Copyright (C) 1989-2024 Free Software Foundation, Inc.
>
> #include <config.h>
>
> +#include <errno.h>
> #include <fcntl.h>
> #include <math.h>
> #include <unistd.h>
> @@ -6254,6 +6255,27 @@ xpm_str_to_color_key (const char *s)
> return -1;
> }
>
> +static int
> +xpm_str_to_int (char **buf)
> +{
> + char *p;
> +
> + errno = 0;
> + long result = strtol (*buf, &p, 10);
> + if (p == *buf || errno == ERANGE || errno == EINVAL
> + || result < INT_MIN || result > INT_MAX)
> + return -1;
> +
> + /* Error out if we see something like "12x3xyz". */
> + if (!c_isspace (*p) && *p != '\0')
> + return -1;
> +
> + /* Update position to read next integer. */
> + *buf = p;
> +
> + return (int)result;
> +}
> +
> static bool
> xpm_load_image (struct frame *f,
> struct image *img,
> @@ -6311,10 +6333,14 @@ #define expect_ident(IDENT) \
> goto failure;
> memcpy (buffer, beg, len);
> buffer[len] = '\0';
> - if (sscanf (buffer, "%d %d %d %d", &width, &height,
> - &num_colors, &chars_per_pixel) != 4
> - || width <= 0 || height <= 0
> - || num_colors <= 0 || chars_per_pixel <= 0)
> + char *next_int = buffer;
> + if ((width = xpm_str_to_int (&next_int)) <= 0)
> + goto failure;
> + if ((height = xpm_str_to_int (&next_int)) <= 0)
> + goto failure;
> + if ((num_colors = xpm_str_to_int (&next_int)) <= 0)
> + goto failure;
> + if ((chars_per_pixel = xpm_str_to_int (&next_int)) <= 0)
> goto failure;
>
> if (!check_image_size (f, width, height))
> --
> 2.45.2
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-22 15:01 ` Eli Zaretskii
@ 2024-07-22 15:39 ` Paul Eggert
2024-07-22 15:48 ` Stefan Kangas
0 siblings, 1 reply; 17+ messages in thread
From: Paul Eggert @ 2024-07-22 15:39 UTC (permalink / raw)
To: Eli Zaretskii, Stefan Kangas; +Cc: 72245
On 2024-07-22 08:01, Eli Zaretskii wrote:
> + if (p == *buf || errno == ERANGE || errno == EINVAL
This should be:
if (errno || p == *buf
as other errors are possible at least in theory, and p might be
uninitialized on error.
>> + return (int)result;
As a style matter this cast does more harm than good, as it will
suppress a static check if 'result' happens to be a pointer type, and it
could suppress a dynamic check on some debugging-oriented systems. I
would say just 'return result;'.
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-22 15:39 ` Paul Eggert
@ 2024-07-22 15:48 ` Stefan Kangas
0 siblings, 0 replies; 17+ messages in thread
From: Stefan Kangas @ 2024-07-22 15:48 UTC (permalink / raw)
To: Paul Eggert, Eli Zaretskii; +Cc: 72245
[-- Attachment #1: Type: text/plain, Size: 651 bytes --]
Paul Eggert <eggert@cs.ucla.edu> writes:
> On 2024-07-22 08:01, Eli Zaretskii wrote:
>> + if (p == *buf || errno == ERANGE || errno == EINVAL
>
> This should be:
>
> if (errno || p == *buf
>
> as other errors are possible at least in theory, and p might be
> uninitialized on error.
>
>>> + return (int)result;
>
> As a style matter this cast does more harm than good, as it will
> suppress a static check if 'result' happens to be a pointer type, and it
> could suppress a dynamic check on some debugging-oriented systems. I
> would say just 'return result;'.
Thanks for reviewing.
I've attached an updated patch with your proposed changes.
[-- Attachment #2: 0001-Fix-integer-overflow-when-reading-XPM.patch --]
[-- Type: text/x-patch, Size: 2069 bytes --]
From 6444e4bbd0c5a3af1e7914b6dafaa5b9eb0cfad6 Mon Sep 17 00:00:00 2001
From: Stefan Kangas <stefankangas@gmail.com>
Date: Mon, 22 Jul 2024 16:00:30 +0200
Subject: [PATCH] Fix integer overflow when reading XPM
* src/image.c (xpm_str_to_int): New function.
(xpm_load_image): Avoid integer overflow when reading XPM by replacing
sscanf with strtol, to correctly handle integer overflow when reading a
malformed XPM file.
---
src/image.c | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/src/image.c b/src/image.c
index 90e6312e128..464e4567de2 100644
--- a/src/image.c
+++ b/src/image.c
@@ -19,6 +19,7 @@ Copyright (C) 1989-2024 Free Software Foundation, Inc.
#include <config.h>
+#include <errno.h>
#include <fcntl.h>
#include <math.h>
#include <unistd.h>
@@ -6254,6 +6255,26 @@ xpm_str_to_color_key (const char *s)
return -1;
}
+static int
+xpm_str_to_int (char **buf)
+{
+ char *p;
+
+ errno = 0;
+ long result = strtol (*buf, &p, 10);
+ if (errno || p == *buf || result < INT_MIN || result > INT_MAX)
+ return -1;
+
+ /* Error out if we see something like "12x3xyz". */
+ if (!c_isspace (*p) && *p != '\0')
+ return -1;
+
+ /* Update position to read next integer. */
+ *buf = p;
+
+ return result;
+}
+
static bool
xpm_load_image (struct frame *f,
struct image *img,
@@ -6311,10 +6332,14 @@ #define expect_ident(IDENT) \
goto failure;
memcpy (buffer, beg, len);
buffer[len] = '\0';
- if (sscanf (buffer, "%d %d %d %d", &width, &height,
- &num_colors, &chars_per_pixel) != 4
- || width <= 0 || height <= 0
- || num_colors <= 0 || chars_per_pixel <= 0)
+ char *next_int = buffer;
+ if ((width = xpm_str_to_int (&next_int)) <= 0)
+ goto failure;
+ if ((height = xpm_str_to_int (&next_int)) <= 0)
+ goto failure;
+ if ((num_colors = xpm_str_to_int (&next_int)) <= 0)
+ goto failure;
+ if ((chars_per_pixel = xpm_str_to_int (&next_int)) <= 0)
goto failure;
if (!check_image_size (f, width, height))
--
2.45.2
^ permalink raw reply related [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-22 14:35 bug#72245: [PATCH] Fix integer overflow when reading XPM Stefan Kangas
2024-07-22 15:01 ` Eli Zaretskii
@ 2024-07-23 2:06 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 3:04 ` Stefan Kangas
1 sibling, 1 reply; 17+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2024-07-23 2:06 UTC (permalink / raw)
To: Stefan Kangas; +Cc: 72245
Stefan Kangas <stefankangas@gmail.com> writes:
> Severity: minor
>
> Since XPM files are untrusted input, I think we'd better handle
> integer
> overflow when parsing it, in case the file is malformed.
>
> Proposed patch attached.
What are the security implications of accepting whatever scanf produces
in the event of an overflow?
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-23 2:06 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2024-07-23 3:04 ` Stefan Kangas
2024-07-23 3:41 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
0 siblings, 1 reply; 17+ messages in thread
From: Stefan Kangas @ 2024-07-23 3:04 UTC (permalink / raw)
To: Po Lu; +Cc: 72245
Po Lu <luangruo@yahoo.com> writes:
> Stefan Kangas <stefankangas@gmail.com> writes:
>
>> Severity: minor
>>
>> Since XPM files are untrusted input, I think we'd better handle
>> integer
>> overflow when parsing it, in case the file is malformed.
>>
>> Proposed patch attached.
>
> What are the security implications of accepting whatever scanf produces
> in the event of an overflow?
There is a good summary here:
https://cwe.mitre.org/data/definitions/190.html
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-23 3:04 ` Stefan Kangas
@ 2024-07-23 3:41 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 4:12 ` Stefan Kangas
0 siblings, 1 reply; 17+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2024-07-23 3:41 UTC (permalink / raw)
To: Stefan Kangas; +Cc: 72245
Stefan Kangas <stefankangas@gmail.com> writes:
> Po Lu <luangruo@yahoo.com> writes:
>
>> Stefan Kangas <stefankangas@gmail.com> writes:
>>
>>> Severity: minor
>>>
>>> Since XPM files are untrusted input, I think we'd better handle
>>> integer
>>> overflow when parsing it, in case the file is malformed.
>>>
>>> Proposed patch attached.
>>
>> What are the security implications of accepting whatever scanf produces
>> in the event of an overflow?
>
> There is a good summary here:
>
> https://cwe.mitre.org/data/definitions/190.html
I'm asking which component of xpm_load_image is not adequately prepared
to reject excessive values of these image dimension fields, for the
immediately adjacent statements verify that width, height, num_colors,
and chars_per_pixel are not invalid. Otherwise I can find no reason to
substantially reinvent the wheel and complicate image.c with a pedantic
10-line function for reading numbers with overflow checking,
implementations of which already abound in that file in one shape or
another.
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-23 3:41 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2024-07-23 4:12 ` Stefan Kangas
2024-07-23 4:45 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
0 siblings, 1 reply; 17+ messages in thread
From: Stefan Kangas @ 2024-07-23 4:12 UTC (permalink / raw)
To: Po Lu; +Cc: 72245
Po Lu <luangruo@yahoo.com> writes:
> Otherwise I can find no reason to substantially reinvent the wheel and
> complicate image.c with a pedantic 10-line function for reading
> numbers with overflow checking, implementations of which already
> abound in that file in one shape or another.
Thanks, but this diatribe doesn't really help. If you think you can do
a better job, then fine by me. Please show us the patch.
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-23 4:12 ` Stefan Kangas
@ 2024-07-23 4:45 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 14:51 ` Stefan Kangas
0 siblings, 1 reply; 17+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2024-07-23 4:45 UTC (permalink / raw)
To: Stefan Kangas; +Cc: 72245
Stefan Kangas <stefankangas@gmail.com> writes:
> Po Lu <luangruo@yahoo.com> writes:
>
>> Otherwise I can find no reason to substantially reinvent the wheel and
>> complicate image.c with a pedantic 10-line function for reading
>> numbers with overflow checking, implementations of which already
>> abound in that file in one shape or another.
>
> Thanks, but this diatribe doesn't really help. If you think you can do
> a better job, then fine by me. Please show us the patch.
I'm saying that there is nothing to be done. This change is needless,
and the report should be closed, whatever opinions the security theater
might hold on the matter.
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-23 4:45 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2024-07-23 14:51 ` Stefan Kangas
2024-07-23 15:15 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
` (2 more replies)
0 siblings, 3 replies; 17+ messages in thread
From: Stefan Kangas @ 2024-07-23 14:51 UTC (permalink / raw)
To: Po Lu; +Cc: 72245
Po Lu <luangruo@yahoo.com> writes:
> I'm saying that there is nothing to be done. This change is needless,
> and the report should be closed, whatever opinions the security theater
> might hold on the matter.
I wasn't the one that started a subthread about security. You did.
The primary consideration here is correctness. Undefined behaviour is
generally undesirable, and is a source of both bugs and security issues
in the wild. This is not "security theater", but a fact. No amount of
handwaving or throwing expletives around will make it go away.
That said, since you are asking, we are indeed discussing security
sensitive code, that is executed without prompting, for example, when
users receive emails or browse the web. We are also discussing image
processing, an area that is notorious for the bugs and security issues
that tend to lurk in its many complexities. On the CWE-190 page that I
linked, there are several examples of integer overflow in image
processing that has lead to very real exploits. This is not some
academic issue.
Whether or not anyone has demonstrated that Emacs can be exploited using
this vector frankly misses the point. Let's start with making Emacs
behave correctly and predictably in the face of invalid input. This
really is the bare minimum. Then we can discuss whether or not we have
more work to do, security implications, and all the rest of it.
XPM being a relatively simple format, I'm sure that this code can be
fully audited. I invite you to do so, and I'm hoping that this will
reveal that your faith in this code is well-founded. Meanwhile, I
reported an unrelated crash in XPM image processing in Bug#72255.
Since we don't have an alternative patch, I will install the one I
proposed in the next couple of days. Thanks.
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-23 14:51 ` Stefan Kangas
@ 2024-07-23 15:15 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 15:39 ` Eli Zaretskii
2024-07-23 15:33 ` Eli Zaretskii
2024-09-01 11:20 ` Stefan Kangas
2 siblings, 1 reply; 17+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2024-07-23 15:15 UTC (permalink / raw)
To: Stefan Kangas; +Cc: 72245
Stefan Kangas <stefankangas@gmail.com> writes:
> Po Lu <luangruo@yahoo.com> writes:
>
>> I'm saying that there is nothing to be done. This change is needless,
>> and the report should be closed, whatever opinions the security theater
>> might hold on the matter.
>
> I wasn't the one that started a subthread about security. You did.
>
> The primary consideration here is correctness. Undefined behaviour is
> generally undesirable, and is a source of both bugs and security issues
> in the wild. This is not "security theater", but a fact. No amount of
> handwaving or throwing expletives around will make it go away.
Why don't you begin by deleteing the undefined behavior in mark_memory?
By definition, after having executed undefined behavior once, all of the
future behavior of a C program becomes undefined. For this reason
alone, it is meaningless to speak of undefined behavior in Emacs, only
whether specific behavior produces _actual_ crashes or corruption.
> That said, since you are asking, we are indeed discussing security
> sensitive code, that is executed without prompting, for example, when
> users receive emails or browse the web. We are also discussing image
> processing, an area that is notorious for the bugs and security issues
> that tend to lurk in its many complexities. On the CWE-190 page that I
> linked, there are several examples of integer overflow in image
> processing that has lead to very real exploits. This is not some
> academic issue.
>
> Whether or not anyone has demonstrated that Emacs can be exploited using
> this vector frankly misses the point. Let's start with making Emacs
> behave correctly and predictably in the face of invalid input. This
> really is the bare minimum. Then we can discuss whether or not we have
> more work to do, security implications, and all the rest of it.
It behaves as correctly and predictably as it should: it does not crash.
> XPM being a relatively simple format, I'm sure that this code can be
> fully audited. I invite you to do so, and I'm hoping that this will
> reveal that your faith in this code is well-founded. Meanwhile, I
> reported an unrelated crash in XPM image processing in Bug#72255.
>
> Since we don't have an alternative patch, I will install the one I
> proposed in the next couple of days. Thanks.
It is correctly implemented as it stands. You are essentially proposing
to have code that has not posed difficulties be needlessly complicated
with ugly pedantic error-checking.
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-23 14:51 ` Stefan Kangas
2024-07-23 15:15 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2024-07-23 15:33 ` Eli Zaretskii
2024-07-23 17:39 ` Andreas Schwab
2024-07-23 21:39 ` Stefan Kangas
2024-09-01 11:20 ` Stefan Kangas
2 siblings, 2 replies; 17+ messages in thread
From: Eli Zaretskii @ 2024-07-23 15:33 UTC (permalink / raw)
To: Stefan Kangas; +Cc: luangruo, 72245
> Cc: 72245@debbugs.gnu.org
> From: Stefan Kangas <stefankangas@gmail.com>
> Date: Tue, 23 Jul 2024 07:51:29 -0700
>
> That said, since you are asking, we are indeed discussing security
> sensitive code, that is executed without prompting, for example, when
> users receive emails or browse the web.
Only in some MUAs, yes? For example, Rmail doesn't by default show
the images (or any other attachments), it requires a user action to do
so.
> XPM being a relatively simple format, I'm sure that this code can be
> fully audited. I invite you to do so, and I'm hoping that this will
> reveal that your faith in this code is well-founded. Meanwhile, I
> reported an unrelated crash in XPM image processing in Bug#72255.
That file doesn't cause a crash on MS-Windows, FWIW, but the code
which processes XPM images in Emacs on Windows is very different.
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-23 15:15 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2024-07-23 15:39 ` Eli Zaretskii
0 siblings, 0 replies; 17+ messages in thread
From: Eli Zaretskii @ 2024-07-23 15:39 UTC (permalink / raw)
To: Po Lu; +Cc: 72245, stefankangas
> Cc: 72245@debbugs.gnu.org
> Date: Tue, 23 Jul 2024 23:15:09 +0800
> From: Po Lu via "Bug reports for GNU Emacs,
> the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
>
> > Since we don't have an alternative patch, I will install the one I
> > proposed in the next couple of days. Thanks.
>
> It is correctly implemented as it stands. You are essentially proposing
> to have code that has not posed difficulties be needlessly complicated
> with ugly pedantic error-checking.
This crosses the line. Stefan is one of the Emacs co-maintainers, and
as such, it's his prerogative to decide to install code changes. You
have made your point, and abundantly so. Your opinions have been
heard and overruled. Please accept that. There's no need and no
point to say what you think time and again, let alone in harsh words.
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-23 15:33 ` Eli Zaretskii
@ 2024-07-23 17:39 ` Andreas Schwab
2024-07-23 17:54 ` Eli Zaretskii
2024-07-23 21:39 ` Stefan Kangas
1 sibling, 1 reply; 17+ messages in thread
From: Andreas Schwab @ 2024-07-23 17:39 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: luangruo, 72245, Stefan Kangas
On Jul 23 2024, Eli Zaretskii wrote:
> That file doesn't cause a crash on MS-Windows, FWIW, but the code
> which processes XPM images in Emacs on Windows is very different.
The absence of a crash does not prove anything, though.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-23 17:39 ` Andreas Schwab
@ 2024-07-23 17:54 ` Eli Zaretskii
0 siblings, 0 replies; 17+ messages in thread
From: Eli Zaretskii @ 2024-07-23 17:54 UTC (permalink / raw)
To: Andreas Schwab; +Cc: luangruo, 72245, stefankangas
> From: Andreas Schwab <schwab@linux-m68k.org>
> Cc: Stefan Kangas <stefankangas@gmail.com>, luangruo@yahoo.com,
> 72245@debbugs.gnu.org
> Date: Tue, 23 Jul 2024 19:39:16 +0200
>
> On Jul 23 2024, Eli Zaretskii wrote:
>
> > That file doesn't cause a crash on MS-Windows, FWIW, but the code
> > which processes XPM images in Emacs on Windows is very different.
>
> The absence of a crash does not prove anything, though.
It isn't the absence of a crash alone. I see an error message in
*Messages* saying the XPM image is invalid, and the window shows an
empty rectangle, as always with invalid images. So Emacs actually
detects that the image is invalid, announces that, and doesn't try to
show it on the screen.
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-23 15:33 ` Eli Zaretskii
2024-07-23 17:39 ` Andreas Schwab
@ 2024-07-23 21:39 ` Stefan Kangas
1 sibling, 0 replies; 17+ messages in thread
From: Stefan Kangas @ 2024-07-23 21:39 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: luangruo, 72245
Eli Zaretskii <eliz@gnu.org> writes:
>> Cc: 72245@debbugs.gnu.org
>> From: Stefan Kangas <stefankangas@gmail.com>
>> Date: Tue, 23 Jul 2024 07:51:29 -0700
>>
>> That said, since you are asking, we are indeed discussing security
>> sensitive code, that is executed without prompting, for example, when
>> users receive emails or browse the web.
>
> Only in some MUAs, yes? For example, Rmail doesn't by default show
> the images (or any other attachments), it requires a user action to do
> so.
Yes, and it's presumably also dependent on user options.
I'd hope that most MUAs disable showing images by default (notmuch
does), but I didn't check.
^ permalink raw reply [flat|nested] 17+ messages in thread
* bug#72245: [PATCH] Fix integer overflow when reading XPM
2024-07-23 14:51 ` Stefan Kangas
2024-07-23 15:15 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 15:33 ` Eli Zaretskii
@ 2024-09-01 11:20 ` Stefan Kangas
2 siblings, 0 replies; 17+ messages in thread
From: Stefan Kangas @ 2024-09-01 11:20 UTC (permalink / raw)
To: 72245-done
Version: 31.1
Stefan Kangas <stefankangas@gmail.com> writes:
> Since we don't have an alternative patch, I will install the one I
> proposed in the next couple of days. Thanks.
Pushed to master as commit 73277a4097b. Closing.
^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2024-09-01 11:20 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-22 14:35 bug#72245: [PATCH] Fix integer overflow when reading XPM Stefan Kangas
2024-07-22 15:01 ` Eli Zaretskii
2024-07-22 15:39 ` Paul Eggert
2024-07-22 15:48 ` Stefan Kangas
2024-07-23 2:06 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 3:04 ` Stefan Kangas
2024-07-23 3:41 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 4:12 ` Stefan Kangas
2024-07-23 4:45 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 14:51 ` Stefan Kangas
2024-07-23 15:15 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 15:39 ` Eli Zaretskii
2024-07-23 15:33 ` Eli Zaretskii
2024-07-23 17:39 ` Andreas Schwab
2024-07-23 17:54 ` Eli Zaretskii
2024-07-23 21:39 ` Stefan Kangas
2024-09-01 11:20 ` Stefan Kangas
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).