bug#47094: 27.1; emacs dies with XBM display

bug#47094: 27.1; emacs dies with XBM display

[ynyaaa]

Try to evaluate the form below, emacs dies before displaying the image.

(let* ((w 256)
       (h 256)
       (s (make-string (* (/ w 8) h) #x55)))
  (insert-image (create-image s 'xbm t :width w :height h)))


In GNU Emacs 27.1 (build 1, x86_64-w64-mingw32)
 of 2020-08-22 built on CIRROCUMULUS
Repository revision: 86d8d76aa36037184db0b2897c434cdaab1a9ae8
Repository branch: HEAD
Windowing system distributor 'Microsoft Corp.', version 10.0.18363
System Description: Microsoft Windows 10 Pro (v10.0.1909.18363.1379)

Recent messages:

Configured using:
 'configure --without-dbus --host=x86_64-w64-mingw32
 --without-compress-install 'CFLAGS=-O2 -static''

Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND NOTIFY W32NOTIFY ACL GNUTLS LIBXML2
HARFBUZZ ZLIB TOOLKIT_SCROLL_BARS MODULES THREADS JSON PDUMPER LCMS2 GMP

Important settings:
  value of $LANG: JPN
  locale-coding-system: cp932

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(gnutls network-stream nsm mailalias smtpmail auth-source cl-seq eieio
eieio-core cl-macs eieio-loaddefs json map jka-compr help-fns radix-tree
cl-print debug backtrace find-func ispell misearch multi-isearch mailcap
help-mode pp shadow sort mail-extr emacsbug message rmc puny dired
dired-loaddefs format-spec rfc822 mml easymenu mml-sec password-cache
epa derived epg epg-config gnus-util rmail rmail-loaddefs
text-property-search time-date subr-x seq byte-opt gv bytecomp
byte-compile cconv mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader cl-loaddefs cl-lib sendmail rfc2047
rfc2045 ietf-drums mm-util mail-prsvr mail-utils term/bobcat japan-util
tooltip eldoc electric uniquify ediff-hook vc-hooks lisp-float-type
mwheel dos-w32 ls-lisp disp-table term/w32-win w32-win w32-vars
term/common-win tool-bar dnd fontset image regexp-opt fringe
tabulated-list replace newcomment text-mode elisp-mode lisp-mode
prog-mode register page tab-bar menu-bar rfn-eshadow isearch timer
select scroll-bar mouse jit-lock font-lock syntax facemenu font-core
term/tty-colors frame minibuffer cl-generic cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms
cp51932 hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese composite charscript charprop case-table epa-hook
jka-cmpr-hook help simple abbrev obarray cl-preloaded nadvice loaddefs
button faces cus-face macroexp files text-properties overlay sha1 md5
base64 format env code-pages mule custom widget hashtable-print-readable
backquote threads w32notify w32 lcms2 multi-tty make-network-process
emacs)

Memory information:
((conses 16 73868 15520)
 (symbols 48 8874 1)
 (strings 32 24577 1463)
 (string-bytes 1 816558)
 (vectors 16 14181)
 (vector-slots 8 274897 18438)
 (floats 8 29 282)
 (intervals 56 1670 259)
 (buffers 1000 18))

bug#47094: 27.1; emacs dies with XBM display

[Eli Zaretskii]

> From: ynyaaa@gmail.com
> Date: Fri, 12 Mar 2021 19:19:32 +0900
> 
> Try to evaluate the form below, emacs dies before displaying the image.
> 
> (let* ((w 256)
>        (h 256)
>        (s (make-string (* (/ w 8) h) #x55)))
>   (insert-image (create-image s 'xbm t :width w :height h)))

I can reproduce in Emacs 27, but not on the current master branch.  So
I guess this has been fixed already, and I'm closing the bug.

bug#47094: 27.1; emacs dies with XBM display

[Alan Third]

On Fri, Mar 12, 2021 at 02:42:36PM +0200, Eli Zaretskii wrote:
> > From: ynyaaa@gmail.com
> > Date: Fri, 12 Mar 2021 19:19:32 +0900
> > 
> > Try to evaluate the form below, emacs dies before displaying the image.
> > 
> > (let* ((w 256)
> >        (h 256)
> >        (s (make-string (* (/ w 8) h) #x55)))
> >   (insert-image (create-image s 'xbm t :width w :height h)))
> 
> I can reproduce in Emacs 27, but not on the current master branch.  So
> I guess this has been fixed already, and I'm closing the bug.

I can reproduce on the master branch. It looks like a stack overflow
in xbm_read_bitmap_data.

I tried it in a debugger, but the backtrace looks truncated.
-- 
Alan Third

bug#47094: 27.1; emacs dies with XBM display

[Eli Zaretskii]

> Date: Fri, 12 Mar 2021 22:08:10 +0000
> From: Alan Third <alan@idiocy.org>
> 
> > > (let* ((w 256)
> > >        (h 256)
> > >        (s (make-string (* (/ w 8) h) #x55)))
> > >   (insert-image (create-image s 'xbm t :width w :height h)))
> > 
> > I can reproduce in Emacs 27, but not on the current master branch.  So
> > I guess this has been fixed already, and I'm closing the bug.
> 
> I can reproduce on the master branch. It looks like a stack overflow
> in xbm_read_bitmap_data.

I did indeed get an infinite recursion on the emacs-27 branch, but not
on master.

> I tried it in a debugger, but the backtrace looks truncated.

Before or after SIGSEGV?  If it's after, then it isn't surprising you
get a truncated backtrace.

I think if you see the infinite recursion we should understand why it
happens in the first place, and try to prevent it.

bug#47094: 27.1; emacs dies with XBM display

[Alan Third]

On Sat, Mar 13, 2021 at 09:19:17AM +0200, Eli Zaretskii wrote:
> > Date: Fri, 12 Mar 2021 22:08:10 +0000
> > From: Alan Third <alan@idiocy.org>
> > 
> > > > (let* ((w 256)
> > > >        (h 256)
> > > >        (s (make-string (* (/ w 8) h) #x55)))
> > > >   (insert-image (create-image s 'xbm t :width w :height h)))
> > > 
> > > I can reproduce in Emacs 27, but not on the current master branch.  So
> > > I guess this has been fixed already, and I'm closing the bug.
> > 
> > I can reproduce on the master branch. It looks like a stack overflow
> > in xbm_read_bitmap_data.
> 
> I did indeed get an infinite recursion on the emacs-27 branch, but not
> on master.
> 
> > I tried it in a debugger, but the backtrace looks truncated.
> 
> Before or after SIGSEGV?  If it's after, then it isn't surprising you
> get a truncated backtrace.
> 
> I think if you see the infinite recursion we should understand why it
> happens in the first place, and try to prevent it.

It turns out it was a buffer overflow in xbm_scan that was clobbering
the stack. I've pushed a fix to the master branch.

-- 
Alan Third

bug#47094: 27.1; emacs dies with XBM display

[Eli Zaretskii]

> Date: Sat, 13 Mar 2021 22:07:14 +0000
> From: Alan Third <alan@idiocy.org>
> Cc: ynyaaa@gmail.com, 47094@debbugs.gnu.org
> 
> It turns out it was a buffer overflow in xbm_scan that was clobbering
> the stack. I've pushed a fix to the master branch.

Thanks, I've cherry-picked that to the emacs-27 branch.