From: Daniel Martín via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Newsgroups: gmane.emacs.bugs
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Date: Sat, 09 Oct 2021 02:30:33 +0200
To: 51105@debbugs.gnu.org

There is a buffer overflow bug in the function ns_compute_glyph_string_overhangs
with some particular information received from the display engine.  (I haven't
reduced the test case yet, so you may not reproduce the issue with the following
recipe.)

emacs -Q

Attach a debugger to the Emacs process and add the following conditional
breakpoint:

br set -f nsterm.m -l 2853 -c 's->nchars==0'

Continue running Emacs.

M-x eww RET wikipedia.org RET

The debugger will stop with the following backtrace:

* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x000000010e25a20e emacs`ns_compute_glyph_string_overhangs(s=0x00007ffee232ef40) at nsterm.m:2853:7
    frame #1: 0x000000010da4cbdf emacs`draw_glyphs(w=0x00006210000ac130, x=66, row=0x000062b00029ae00, area=TEXT_AREA, start=0, end=12, hl=DRAW_NORMAL_TEXT, overlaps=0) at xdisp.c:29036:4
    frame #2: 0x000000010da49bd0 emacs`gui_write_glyphs(w=0x00006210000ac130, updated_row=0x000062b00029ae00, start=0x0000629001be4200, updated_area=TEXT_AREA, len=12) at xdisp.c:31179:7
    frame #3: 0x000000010d90bc4d emacs`update_text_area(w=0x00006210000ac130, updated_row=0x000062b00029ae00, vpos=28) at dispnew.c:3934:2
    frame #4: 0x000000010d902191 emacs`update_window_line(w=0x00006210000ac130, vpos=28, mouse_face_overwritten_p=0x00007ffee2331720) at dispnew.c:4177:11
    frame #5: 0x000000010d8d84f7 emacs`update_window(w=0x00006210000ac130, force_p=true) at dispnew.c:3680:19
    frame #6: 0x000000010d8d9bbc emacs`update_window_tree(w=0x00006210000ac130, force_p=true) at dispnew.c:3405:14
    frame #7: 0x000000010d8d67e6 emacs`update_frame(f=0x00006210000ad530, force_p=true, inhibit_hairy_id_p=false) at dispnew.c:3240:18
    frame #8: 0x000000010d9db568 emacs`redisplay_internal at xdisp.c:16160:16
    frame #9: 0x000000010d9eb0a9 emacs`redisplay_preserve_echo_area(from_where=12) at xdisp.c:16429:7
    frame #10: 0x000000010e0cb8e1 emacs`wait_reading_process_output(time_limit=0, nsecs=0, read_kbd=-1, do_display=true, wait_for_cell=0x0000000000000000, wait_proc=0x0000000000000000, just_wait_proc=0) at process.c:5789:7
    frame #11: 0x000000010dd99c82 emacs`kbd_buffer_get_event(kbp=0x00007ffee23371c0, used_mouse_menu=0x00007ffee23386c0, end_time=0x0000000000000000) at keyboard.c:3924:4
    frame #12: 0x000000010dd9825e emacs`read_event_from_main_queue(end_time=0x0000000000000000, local_getcjmp=0x00007ffee2338300, used_mouse_menu=0x00007ffee23386c0) at keyboard.c:2198:7
    frame #13: 0x000000010dd6a19a emacs`read_decoded_event_from_main_queue(end_time=0x0000000000000000, local_getcjmp=0x00007ffee2338300, prev_event=0x0000000000000000, used_mouse_menu=0x00007ffee23386c0) at keyboard.c:2262:11
    frame #14: 0x000000010dd632c8 emacs`read_char(commandflag=1, map=0x00006290003eb8a3, prev_event=0x0000000000000000, used_mouse_menu=0x00007ffee23386c0, end_time=0x0000000000000000) at keyboard.c:2892:11
    frame #15: 0x000000010dd58e1d emacs`read_key_sequence(keybuf=0x00007ffee23393a0, prompt=0x0000000000000000, dont_downcase_last=false, can_return_switch_frame=true, fix_current_buffer=true, prevent_redisplay=false) at keyboard.c:9619:12
    frame #16: 0x000000010dd539f3 emacs`command_loop_1 at keyboard.c:1392:15
    frame #17: 0x000000010dfa45d9 emacs`internal_condition_case(bfun=(emacs`command_loop_1 at keyboard.c:1278), handlers=0x0000000000000090, hfun=(emacs`cmd_error at keyboard.c:936)) at eval.c:1453:25
    frame #18: 0x000000010dd52903 emacs`command_loop_2(handlers=0x0000000000000090) at keyboard.c:1133:11
    frame #19: 0x000000010dfa2ff9 emacs`internal_catch(tag=0x000000000000df80, func=(emacs`command_loop_2 at keyboard.c:1129), arg=0x0000000000000090) at eval.c:1184:25
    frame #20: 0x000000010dd50f81 emacs`command_loop at keyboard.c:1111:2
    frame #21: 0x000000010dd50c9b emacs`recursive_edit_1 at keyboard.c:720:9
    frame #22: 0x000000010dd5147a emacs`Frecursive_edit at keyboard.c:803:3
    frame #23: 0x000000010dd4a05a emacs`main(argc=2, argv=0x00007ffee233a310) at emacs.c:2310:3
    frame #24: 0x00007fff20496f3d libdyld.dylib`start + 1

This line in nsterm.m will be executed and is problematic:

codes[1] = *(s->char2b + s->nchars - 1);

When s->nchars is 0, the code will reference one position before s->char2b.

I have two questions:

1) Is there any reason the function chooses the first and last glyphs instead
of passing the whole glyph string and relying on text_extents to perform
boundary checks?  That is, I propose:

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..207da60481 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2853,11 +2853,7 @@ Hide the window (X11 semantics)
       if (s->char2b)
         {
           struct font_metrics metrics;
-          unsigned int codes[2];
-          codes[0] = *(s->char2b);
-          codes[1] = *(s->char2b + s->nchars - 1);
-
-          font->driver->text_extents (font, codes, 2, &metrics);
+          font->driver->text_extents (font, s->char2b, s->nchars, &metrics);
           s->left_overhang = -metrics.lbearing;
           s->right_overhang = metrics.rbearing > metrics.width

This way of calling the text_extents API is also implemented in w32term.c and
xterm.c.

2) The root cause of the issue may be that s->nchars is 0 when it shouldn't be.
Is there any legitimate scenario where the display engine may call this routine
with s->nchars equal to 0?  If so, what are those situations?

In GNU Emacs 29.0.50 (build 1, x86_64-apple-darwin20.6.0, NS appkit-2022.60 Version 11.6 (Build 20G165))
 of 2021-10-09 built on Daniels-MacBook-Pro.local
Repository revision: 36d7c4af7c83c4f3ea9ab9fdd0822b986564d78e
Repository branch: master
Windowing system distributor 'Apple', version 10.3.2022
System Description:  macOS 11.6

Configured using:
 'configure 'CFLAGS=-O0 -g3''

Configured features:
ACL DBUS GIF GLIB GMP GNUTLS JPEG JSON LCMS2 LIBXML2 MODULES NOTIFY KQUEUE NS
PDUMPER PNG RSVG THREADS TIFF TOOLKIT_SCROLL_BARS XIM ZLIB

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  show-paren-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  indent-tabs-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.
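Review bot: the hunk removes the s->char2b[-1] read but still reaches text_extents when s->nchars is 0, so the empty-run case is now delegated to whichever NS font driver is active, and `struct font_metrics metrics;` stays uninitialized if that driver returns without filling it for a zero-length run; consider tightening the guard to `if (s->char2b && s->nchars > 0)` (or adding `eassert (s->nchars > 0)`) so the condition behind question 2 is caught at the call site instead of being silently absorbed.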
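To make the index arithmetic in the report concrete, the following is an added stand-alone C model (not Emacs code) of the two shapes discussed: indexing the first and last glyph, where nchars == 0 would form a pointer one slot before s->char2b, versus handing the whole run to a text_extents-style routine as the proposed patch does. The structures, the glyph table and text_extents are constructed stand-ins for the Emacs ones, and the "? rbearing - width : 0" continuation of the truncated right_overhang line is an assumption.

```c
#include <stddef.h>
/* Trimmed stand-ins for Emacs' structures (assumed, not the real definitions). */
struct font_metrics { int lbearing, rbearing, width; };
struct glyph_string { const unsigned *char2b; int nchars; int left_overhang, right_overhang; };

/* Constructed glyph table, indexed by glyph code: pen advance and ink extents. */
struct glyph_info { int advance, lbearing, rbearing; };
static const struct glyph_info GLYPHS[] = {
    { 3,  0, 3 },   /* code 0: a plain glyph */
    { 5, -2, 7 },   /* code 1: ink spills out on both sides */
    { 4, -1, 6 },   /* code 2: ink extends past its own advance */
};
#define NGLYPHS (sizeof GLYPHS / sizeof *GLYPHS)

/* Stand-in for font->driver->text_extents over a whole run: an empty run
   yields zero metrics, and nothing is ever indexed at n - 1. */
void text_extents(const unsigned *codes, int n, struct font_metrics *m) {
    m->lbearing = m->rbearing = m->width = 0;
    for (int i = 0; i < n; i++) {
        const struct glyph_info *g = &GLYPHS[codes[i] < NGLYPHS ? codes[i] : 0];
        if (i == 0) m->lbearing = g->lbearing;
        if (m->width + g->rbearing > m->rbearing) m->rbearing = m->width + g->rbearing;
        m->width += g->advance;
    }
}
static void set_overhangs(struct glyph_string *s, const struct font_metrics *m) {
    s->left_overhang = -m->lbearing;
    /* The "? rbearing - width : 0" tail of the truncated line is assumed. */
    s->right_overhang = m->rbearing > m->width ? m->rbearing - m->width : 0;
}

/* Pre-patch shape: first and last glyph only.  With nchars == 0 the original
   formed s->char2b + s->nchars - 1, one slot before the buffer; refuse it. */
int overhangs_first_last(struct glyph_string *s) {
    unsigned codes[2]; struct font_metrics metrics;
    if (!s->char2b || s->nchars <= 0) return -1;
    codes[0] = s->char2b[0];
    codes[1] = s->char2b[s->nchars - 1];
    text_extents(codes, 2, &metrics);
    set_overhangs(s, &metrics);
    return 0;
}
/* Patched shape: hand the whole run to text_extents, as w32term.c and xterm.c do. */
int overhangs_whole_run(struct glyph_string *s) {
    struct font_metrics metrics;
    if (!s->char2b) return -1;
    text_extents(s->char2b, s->nchars, &metrics);
    set_overhangs(s, &metrics);
    return 0;
}
```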