From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Noam Postavsky <npostavs@users.sourceforge.net>
Newsgroups: gmane.emacs.bugs
Subject: bug#3552: 23.0.94;
	backward-prefix-chars: Point before start of properties
Date: Sat, 4 Jun 2016 09:35:02 -0400
Message-ID: <CAM-tV--UrGA4dV_LBZwZwzx99mq0Y+gPYtfnwPeAC1ZakHWvsQ@mail.gmail.com>
References: <yoijmy8cbena.fsf@remote2.student.chalmers.se>
	<CAM-tV-_tB0etPpPg=96yDb5a-cxV+pRac7L_cWtU-4HBzuymzw@mail.gmail.com>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Trace: ger.gmane.org 1465047387 8157 80.91.229.3 (4 Jun 2016 13:36:27 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Sat, 4 Jun 2016 13:36:27 +0000 (UTC)
To: 3552@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Sat Jun 04 15:36:16 2016
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1b9BkN-0001zJ-BG
	for geb-bug-gnu-emacs@m.gmane.org; Sat, 04 Jun 2016 15:36:15 +0200
Original-Received: from localhost ([::1]:60964 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1b9BkL-0004dW-Vu
	for geb-bug-gnu-emacs@m.gmane.org; Sat, 04 Jun 2016 09:36:14 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:36385)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1b9BkF-0004c5-0q
	for bug-gnu-emacs@gnu.org; Sat, 04 Jun 2016 09:36:08 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1b9BkA-0000yT-Q7
	for bug-gnu-emacs@gnu.org; Sat, 04 Jun 2016 09:36:05 -0400
Original-Received: from debbugs.gnu.org ([208.118.235.43]:41532)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1b9BkA-0000yP-LU
	for bug-gnu-emacs@gnu.org; Sat, 04 Jun 2016 09:36:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1b9BkA-0004z3-FK
	for bug-gnu-emacs@gnu.org; Sat, 04 Jun 2016 09:36:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Noam Postavsky <npostavs@users.sourceforge.net>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sat, 04 Jun 2016 13:36:02 +0000
Resent-Message-ID: <handler.3552.B3552.146504731119096@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 3552
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: confirmed
Original-Received: via spool by 3552-submit@debbugs.gnu.org id=B3552.146504731119096
	(code B ref 3552); Sat, 04 Jun 2016 13:36:02 +0000
Original-Received: (at 3552) by debbugs.gnu.org; 4 Jun 2016 13:35:11 +0000
Original-Received: from localhost ([127.0.0.1]:53867 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1b9BjL-0004xv-22
	for submit@debbugs.gnu.org; Sat, 04 Jun 2016 09:35:11 -0400
Original-Received: from mail-oi0-f68.google.com ([209.85.218.68]:35749)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <npostavs@gmail.com>) id 1b9BjI-0004xb-IM
	for 3552@debbugs.gnu.org; Sat, 04 Jun 2016 09:35:08 -0400
Original-Received: by mail-oi0-f68.google.com with SMTP id h125so21819387oib.2
	for <3552@debbugs.gnu.org>; Sat, 04 Jun 2016 06:35:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; 
	h=mime-version:sender:in-reply-to:references:from:date:message-id
	:subject:to; bh=29lJpa6AF5fJINHZBrcrCndZphpqgPdQRfTAVYtDJ5w=;
	b=RxqQWlWPbIe0LHvc4bITju96yoXNnF1ZD2OOUeNDDAQfXFxYgmgTG2CzXreMiUCfZu
	NsrZ28ZHNNvsleigYOFjmo+t/l3hUS9CMsC+Oqk3Nwm1rYzYSdYauGm/ioe3gvI+AYo0
	eRknF62xmgQAIq89dT9p3NSiJNLx2IkObow2aEAiewqBEDky4nGE3eZ+VcaNCoWl6zJm
	EnlyhALbp7NK+Ad4rq0wZDnXLAtKfQfKP1bOY03C4gfg3iD1bGlUkJvMdCWtRrGhLXaC
	sT1OXjfTyAstbSzuLhXfay7yZel1wfcBArXDSLOHfHTePXdPp2vUEI/tASmeEfMfBrEI
	oKqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
	:date:message-id:subject:to;
	bh=29lJpa6AF5fJINHZBrcrCndZphpqgPdQRfTAVYtDJ5w=;
	b=Dj3XvHcJSf8kIDkeGBZK47YG4B62Ecq1hgKbWIwxTTyn53xVqk37+R793tAyVthwOx
	T8Kf0T3bf1Wifau/4/Mefz6MzrqJ2pmtchMrMzCplWqj+2OSkQGqU73O5fG94wa6CWXp
	V5xQ5rbe4rIueflI3oaxnCiuwXduYVEueVhLL07hQm//l3WDQYcYwh8TiduxyZw0Rqmg
	CC7YHobijYY7vfQMNceU5zDYV1zkXQ6CWYN5pqoymP9ktpxCHj1LzRpwZsmhDIoa4jJ3
	zEeycpss3/YE/H9E5uJBYc+I0Ty31TNH/f/3xDGVVs2Pc/EW851E/13IxMrAL/MqeS3w
	sjEw==
X-Gm-Message-State: ALyK8tJiCehommTes0VWeFEZXAwAqioRmjGQS67qUqIq+gTWe3Ws1c9BplLJ776eB8Lo6Z56HvN0YjGX+DKKZA==
X-Received: by 10.202.77.129 with SMTP id a123mr3803473oib.143.1465047302905; 
	Sat, 04 Jun 2016 06:35:02 -0700 (PDT)
Original-Received: by 10.157.5.168 with HTTP; Sat, 4 Jun 2016 06:35:02 -0700 (PDT)
In-Reply-To: <CAM-tV-_tB0etPpPg=96yDb5a-cxV+pRac7L_cWtU-4HBzuymzw@mail.gmail.com>
X-Google-Sender-Auth: luwRCSKaj3hHhmIHptlIaaR87iM
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 208.118.235.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs/>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: "bug-gnu-emacs"
	<bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.bugs:119051
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/119051>

# bumping severity due to crash potential
severity 3352 important
tag 3352 + patch
quit

On Thu, Jun 2, 2016 at 11:34 PM, Noam Postavsky
<npostavs@users.sourceforge.net> wrote:
> Still a problem with latest Emacs 25 pretest, and on Windows 8, Emacs
> 25.0.94 this actually crashes Emacs too.

Running under valgrind I get "invalid read of size 1" in
Fbackward_prefix_chars on GNU/Linux as well (see below). I think this
is a long standing bug that allows reading from before beginning of
the buffer. It was introduced way back in 1998, 1fd3172dd4819
"(Fbackward_prefix_chars): Set point properly while scanning."

diff --git a/src/syntax.c b/src/syntax.c
index 4ac1c8d..0235767 100644
--- a/src/syntax.c
+++ b/src/syntax.c
@@ -2174,12 +2174,16 @@ DEFUN ("backward-prefix-chars",
Fbackward_prefix_chars, Sbackward_prefix_chars,

   DEC_BOTH (pos, pos_byte);

-  while (pos + 1 > beg && !char_quoted (pos, pos_byte)
+  while (!char_quoted (pos, pos_byte)
      /* Previous statement updates syntax table.  */
      && ((c = FETCH_CHAR (pos_byte), SYNTAX (c) == Squote)
          || SYNTAX_PREFIX (c)))
     {
-      DEC_BOTH (pos, pos_byte);
+      opoint = pos;
+      opoint_byte = pos_byte;
+
+      if (pos + 1 > beg)
+    DEC_BOTH (pos, pos_byte);
     }

   SET_PT_BOTH (opoint, opoint_byte);


The (pos + 1 > beg) check originally followed the decrementing of pos,
but after that commit the check came before (and also doesn't end the
loop anymore). Therefore, if (pos == beg), we decrement and then try
to look at the syntax of the character at position (beg-1). This may
segfault, or trigger the "point before start of properties" error in
update_interval (eventually called from char_quoted).

I propose the following patch be applied to the emacs-25 branch:

@@ -3109,8 +3109,9 @@ DEFUN ("backward-prefix-chars",
Fbackward_prefix_chars, Sbackward_prefix_chars,
       opoint = pos;
       opoint_byte = pos_byte;

-      if (pos + 1 > beg)
-    DEC_BOTH (pos, pos_byte);
+      DEC_BOTH (pos, pos_byte);
+      if (pos < beg)
+        break;
     }

   SET_PT_BOTH (opoint, opoint_byte);


This fixes the originally reported error, and the invalid read, cf the
valgrind output mentioned above:

==2557== Invalid read of size 1
==2557==    at 0x56691D: Fbackward_prefix_chars (syntax.c:3113)
==2557==    by 0x541543: Ffuncall (eval.c:2690)
==2557==    by 0x5704D9: exec_byte_code (bytecode.c:880)
==2557==    by 0x541151: funcall_lambda (eval.c:2855)
==2557==    by 0x54167E: Ffuncall (eval.c:2742)
==2557==    by 0x5704D9: exec_byte_code (bytecode.c:880)
==2557==    by 0x541151: funcall_lambda (eval.c:2855)
==2557==    by 0x54167E: Ffuncall (eval.c:2742)
==2557==    by 0x53D941: Ffuncall_interactively (callint.c:252)
==2557==    by 0x5414E2: Ffuncall (eval.c:2673)
==2557==    by 0x53F07D: Fcall_interactively (callint.c:840)
==2557==    by 0x54157F: Ffuncall (eval.c:2700)
==2557==  Address 0x146aab9f is 1 bytes before a block of size 2,146 alloc'd
==2557==    at 0x4C2CB1D: realloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2557==    by 0x527F90: lrealloc (alloc.c:1427)
==2557==    by 0x529628: xrealloc (alloc.c:856)
==2557==    by 0x4F837F: enlarge_buffer_text (buffer.c:4974)
==2557==    by 0x4FB610: make_gap_larger (insdel.c:393)
==2557==    by 0x4FB6D7: make_gap (insdel.c:491)
==2557==    by 0x4FC5D7: insert_from_string_1 (insdel.c:926)
==2557==    by 0x4FD157: insert_from_string (insdel.c:872)
==2557==    by 0x535103: general_insert_function (editfns.c:2468)
==2557==    by 0x53514C: Finsert (editfns.c:2504)
==2557==    by 0x571D28: exec_byte_code (bytecode.c:1509)
==2557==    by 0x541151: funcall_lambda (eval.c:2855)