From: Daniel Martín via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Newsgroups: gmane.emacs.bugs
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Date: Sat, 09 Oct 2021 12:06:36 +0200
To: Eli Zaretskii
Cc: 51105@debbugs.gnu.org
In-Reply-To: <83bl3yya46.fsf@gnu.org> (Eli Zaretskii's message of "Sat, 09 Oct 2021 09:40:09 +0300")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)
Xref: news.gmane.io gmane.emacs.bugs:216753

Eli Zaretskii writes:

>> Date: Sat, 09 Oct 2021 02:30:33 +0200
>> From: Daniel Martín via "Bug reports for GNU Emacs,
>> the Swiss army knife of text editors"
>>
>> 2) The root cause of the issue may be that s->nchars is 0 when it
>> shouldn't. Is there any legitimate scenario where the display engine
>> may call this routine with s->nchars equal to 0? If so, what are those
>> situations?
>
> I think if the glyph string has composition glyphs, nchars can be
> zero. What is the value of s->first_glyph->type in the case where it
> happens?

Yep, it seems so:

(lldb) fr v s->first_glyph->type
(unsigned int:3) s->first_glyph->type = 1

I've found a 2006 commit that seemed to handle this particular pointer
arithmetic logic for when the type of the first glyph is STRETCH_GLYPH:

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=825de9a1027073beaec38ab1572e9d954f8a1eb0

Now I think that the right thing to do may be to modify nsterm.m, switch
on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call
composition_gstring_width to get the glyph metrics. Function
composition_gstring_width uses the values from fields s->cmp_from and
s->cmp_to, and would avoid the buffer overflow:

(lldb) fr v s->cmp_from
(int) s->cmp_from = 6
(lldb) fr v s->cmp_to
(int) s->cmp_to = 7

WDYT? I can prepare a patch of this type if you agree. I'll try to get
the sequence of codepoints from the glyph string in the debugger, so we
can have a reduced test case (i.e. the exact string from Wikipedia's
front page that causes the issue).
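The failure mode and the dispatch-on-glyph-type fix discussed in the message above, as an added example that is not code from Emacs, from this thread, or from the 2006 commit linked there. It is a reduced model: the struct, the enum values, the `model_*` names and the width tables are assumptions made for the example (COMPOSITE_GLYPH = 1 is chosen to match the `type = 1` the debugger printed); only the field names nchars, char2b, cmp_from and cmp_to and the idea of switching on the glyph type before touching char2b come from the thread. `model_composition_width` stands in for composition_gstring_width. The point it shows is that a composition glyph string legitimately has nchars == 0, so computing the last code at `char2b + nchars - 1` lands one element before the buffer; the guarded path never forms that index.

```c
#include <stddef.h>
#include <string.h>

/* Assumed model of the glyph types; COMPOSITE = 1 matches the lldb output. */
enum model_glyph_type {
  MODEL_CHAR_GLYPH = 0,
  MODEL_COMPOSITE_GLYPH = 1,
  MODEL_STRETCH_GLYPH = 2
};

/* Reduced stand-in for struct glyph_string (example, not Emacs's struct). */
struct model_glyph_string {
  enum model_glyph_type first_glyph_type; /* s->first_glyph->type */
  int nchars;                             /* entries in char2b; 0 for compositions */
  const unsigned short *char2b;           /* per-character codes */
  int cmp_from, cmp_to;                   /* composition component range [from, to) */
};

struct model_metrics { int lbearing, rbearing, width; };

/* The offset the unchecked arithmetic uses for the "last" code.  Returned
   instead of dereferenced so the bug is observable without UB: nchars == 0
   gives -1, i.e. one element before char2b.  */
static ptrdiff_t model_last_code_offset(const struct model_glyph_string *s)
{
  return (ptrdiff_t) s->nchars - 1;
}

/* Constructed per-component advance widths (what a font would supply).  */
static const int model_component_widths[] = { 7, 7, 7, 7, 7, 7, 9, 3, 5 };

/* Stand-in for composition_gstring_width: sum of components in [from, to).
   Returns -1 when the range does not fit the table.  */
static int model_composition_width(int from, int to)
{
  int n = (int) (sizeof model_component_widths / sizeof model_component_widths[0]);
  if (from < 0 || to > n || from >= to)
    return -1;
  int w = 0;
  for (int i = from; i < to; i++)
    w += model_component_widths[i];
  return w;
}

/* Constructed per-code width for CHAR_GLYPH strings.  */
static int model_char_width(unsigned short code) { return 6 + (code % 3); }

/* Shape of the proposed fix: dispatch on the glyph type first and index
   char2b only when the string really carries nchars >= 1 codes.
   Returns 0 on success, -1 when the string cannot be measured.  */
static int model_compute_overhangs(const struct model_glyph_string *s,
                                   struct model_metrics *m)
{
  memset(m, 0, sizeof *m);
  switch (s->first_glyph_type) {
  case MODEL_COMPOSITE_GLYPH: {
    int w = model_composition_width(s->cmp_from, s->cmp_to);
    if (w < 0)
      return -1;
    m->width = w;
    m->lbearing = 0;
    m->rbearing = w;
    return 0;
  }
  case MODEL_CHAR_GLYPH: {
    if (s->nchars <= 0 || s->char2b == NULL)   /* the guard the -1 offset lacks */
      return -1;
    unsigned short first = s->char2b[0];
    unsigned short last = s->char2b[s->nchars - 1];  /* safe: nchars >= 1 */
    int w = 0;
    for (int i = 0; i < s->nchars; i++)
      w += model_char_width(s->char2b[i]);
    m->width = w;
    m->lbearing = (first % 2) ? -1 : 0;     /* constructed overhang rule */
    m->rbearing = w + ((last % 2) ? 1 : 0);
    return 0;
  }
  default:
    return -1;   /* stretch and other glyph kinds: nothing to measure here */
  }
}

/* The debugger case: composition, nchars == 0, cmp_from == 6, cmp_to == 7.  */
static int model_debugger_case_width(void)
{
  struct model_glyph_string s = { MODEL_COMPOSITE_GLYPH, 0, NULL, 6, 7 };
  struct model_metrics m;
  return model_compute_overhangs(&s, &m) == 0 ? m.width : -1;
}

/* The same string through the unchecked arithmetic: offset -1.  */
static ptrdiff_t model_debugger_case_bad_offset(void)
{
  struct model_glyph_string s = { MODEL_COMPOSITE_GLYPH, 0, NULL, 6, 7 };
  return model_last_code_offset(&s);
}

/* A CHAR string that wrongly arrived with nchars == 0 is rejected.  */
static int model_zero_nchars_status(void)
{
  struct model_glyph_string s = { MODEL_CHAR_GLYPH, 0, NULL, 0, 0 };
  struct model_metrics m;
  return model_compute_overhangs(&s, &m);
}

/* An ordinary three-code string on the CHAR path; returns its rbearing.  */
static int model_plain_case_rbearing(void)
{
  static const unsigned short codes[] = { 0x61, 0x62, 0x63 };
  struct model_glyph_string s = { MODEL_CHAR_GLYPH, 3, codes, 0, 0 };
  struct model_metrics m;
  return model_compute_overhangs(&s, &m) == 0 ? m.rbearing : -1;
}
```

The composite branch reads nothing from char2b at all, which is why routing composition strings through the cmp_from/cmp_to path removes the out-of-bounds read rather than merely hiding it; the CHAR branch keeps the original first/last-code arithmetic but behind an explicit nchars >= 1 check.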