unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#20156: Emacs 24 stack corruption in fontset.c:fontset_pattern_regexp
From: John F Carr @ 2015-03-21 12:06 UTC (permalink / raw)
  To: 20156

Emacs crashes on Mac Yosemite (native window system) when I use set-frame-font with certain font patterns.  The cause is writing past the end of an alloca buffer in fontset.c:fontset_pattern_regexp.  This triggers a stack check assertion.  Alloca is used to allocate space for a regexp, but the size neglects to consider the ^$ around the regexp.  “+1” should be “+3”.

To reproduce:

(set-frame-font "-adobe-courier-medium-r-normal--24-*-75-75-m-150-iso8859-1")

without X installed.

Bug in 24.3 and "GNU Emacs 24.4.2 (x86_64-apple-darwin14.1.0, NS apple-appkit-1344.72)".

[-- Attachment #2: fontset.diff --]

--- fontset.c.orig	2014-08-09 16:41:01.000000000 -0400
+++ fontset.c	2015-03-21 07:55:48.000000000 -0400
@@ -1097,9 +1097,9 @@
 	 we convert "*" to "[^-]*" which is much faster in regular
 	 expression matching.  */
       if (ndashes < 14)
-	p1 = regex = alloca (SBYTES (pattern) + 2 * nstars + 2 * nescs + 1);
+	p1 = regex = alloca (SBYTES (pattern) + 2 * nstars + 2 * nescs + 3);
       else
-	p1 = regex = alloca (SBYTES (pattern) + 5 * nstars + 2 * nescs + 1);
+	p1 = regex = alloca (SBYTES (pattern) + 5 * nstars + 2 * nescs + 3);
 
       *p1++ = '^';
       for (p0 = SDATA (pattern); *p0; p0++)
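Review bot: the new constant is right for the visible code, one byte each for the leading '^' stored at `*p1++ = '^';`, the trailing '$' the report mentions, and the terminating NUL, but it stays a bare magic number on both alloca lines, so a one-line comment such as `/* +3: '^', '$' and the terminating NUL.  */` above the `if (ndashes < 14)` would keep a later edit from shrinking it again. The same `2 * nescs + 3` tail is also duplicated in both branches; hoisting it into one variable would keep the two sizes from drifting apart the next time either branch is touched.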

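An added example, not Emacs code and not from the report, that models the sizing arithmetic in the hunk: how many bytes the two alloca expressions reserve against how many the conversion loop stores, for the reported pattern and a couple of others. It assumes, from the comment in the hunk, that '*' becomes "[^-]*" at 14 or more dashes and ".*" below that, and that '[', '.' and '\' are the characters nescs counts; both are assumptions, not text from the page.

```c
#include <stdio.h>
#include <string.h>

/* Per-pattern counts matching the variables in the alloca expressions;
   len stands in for SBYTES (pattern).  */
struct pattern_counts { size_t len, ndashes, nstars, nescs; };
/* Assumption: '[', '.' and '\\' are the characters nescs counts.  */
static struct pattern_counts count_pattern (const char *pattern)
{
  struct pattern_counts c = { strlen (pattern), 0, 0, 0 };
  for (const char *p = pattern; *p; p++)
    if (*p == '-') c.ndashes++;
    else if (*p == '*') c.nstars++;
    else if (*p == '[' || *p == '.' || *p == '\\') c.nescs++;
  return c;
}

/* Bytes the two alloca lines reserve; EXTRA is the trailing constant,
   1 in the buggy code and 3 after the patch.  */
size_t reserved_bytes (const char *pattern, size_t extra)
{
  struct pattern_counts c = count_pattern (pattern);
  size_t per_star = c.ndashes < 14 ? 2 : 5;
  return c.len + per_star * c.nstars + 2 * c.nescs + extra;
}
/* Bytes the conversion loop stores: '^', the expanded body, '$', NUL.
   Assumption: '*' becomes ".*" below 14 dashes and "[^-]*" otherwise,
   and each escaped character takes two bytes.  */
size_t written_bytes (const char *pattern)
{
  struct pattern_counts c = count_pattern (pattern);
  size_t per_star = c.ndashes < 14 ? 2 : 5;
  size_t plain = c.len - c.nstars - c.nescs;
  return 1 + plain + per_star * c.nstars + 2 * c.nescs + 1 + 1;
}

/* Bytes stored past the reservation; 0 means the buffer sufficed.  */
size_t overflow_bytes (const char *pattern, size_t extra)
{
  size_t r = reserved_bytes (pattern, extra), w = written_bytes (pattern);
  return w > r ? w - r : 0;
}
int main (void)
{
  const char *xlfd = "-adobe-courier-medium-r-normal--24-*-75-75-m-150-iso8859-1";
  printf ("+1: %zu byte(s) past the buffer; +3: %zu\n",
          overflow_bytes (xlfd, 1), overflow_bytes (xlfd, 3));
  return 0;
}
```

Patterns with stars or escapes get slack from the over-generous per-star and per-escape terms, which is why only some patterns crashed; a pattern with neither (for example a bare family name) overruns by the full two bytes.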

* bug#20156: Emacs 24 stack corruption in fontset.c:fontset_pattern_regexp
From: Jan D. @ 2015-03-22  9:23 UTC (permalink / raw)
  To: John F Carr; +Cc: 20156-done

Good call.  Fixed in trunk and emacs-24 branch.

	Jan D.

> 21 mar 2015 kl. 13:06 skrev John F Carr <jfc@mit.edu>:
> 
> Emacs crashes on Mac Yosemite (native window system) when I use set-frame-font with certain font patterns.  The cause is writing past the end of an alloca buffer in fontset.c:fontset_pattern_regexp.  This triggers a stack check assertion.  Alloca is used to allocate space for a regexp, but the size neglects to consider the ^$ around the regexp.  “+1” should be “+3”.
> 
> To reproduce:
> 
> (set-frame-font "-adobe-courier-medium-r-normal--24-*-75-75-m-150-iso8859-1")
> 
> without X installed.
> 
> Bug in 24.3 and "GNU Emacs 24.4.2 (x86_64-apple-darwin14.1.0, NS apple-appkit-1344.72)".
> 
> 
> 
> <fontset.diff>
