* bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties
@ 2009-06-13 10:40 Johan =?UTF-8?Q?Bockg=C3=A5rd
2016-06-03 3:34 ` Noam Postavsky
0 siblings, 1 reply; 11+ messages in thread
From: Johan =?UTF-8?Q?Bockg=C3=A5rd @ 2009-06-13 10:40 UTC (permalink / raw)
To: emacs-pretest-bug
emacs -Q /tmp/empty.pl
@x
C-M-b
=> error "Point before start of properties"
The syntax of "@" in perl-mode is `. p' (punctuation/prefix char).
^ permalink raw reply [flat|nested] 11+ messages in thread
* bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties
2009-06-13 10:40 bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties Johan =?UTF-8?Q?Bockg=C3=A5rd
@ 2016-06-03 3:34 ` Noam Postavsky
2016-06-04 13:35 ` Noam Postavsky
0 siblings, 1 reply; 11+ messages in thread
From: Noam Postavsky @ 2016-06-03 3:34 UTC (permalink / raw)
To: 3552
found 3552 24.5
found 3552 25.0.94
tag 3552 + confirmed
quit
Still a problem with latest Emacs 25 pretest, and on Windows 8, Emacs
25.0.94 this actually crashes Emacs too.
^ permalink raw reply [flat|nested] 11+ messages in thread
* bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties
2016-06-03 3:34 ` Noam Postavsky
@ 2016-06-04 13:35 ` Noam Postavsky
2016-06-04 15:22 ` Noam Postavsky
0 siblings, 1 reply; 11+ messages in thread
From: Noam Postavsky @ 2016-06-04 13:35 UTC (permalink / raw)
To: 3552
# bumping severity due to crash potential
severity 3352 important
tag 3352 + patch
quit
On Thu, Jun 2, 2016 at 11:34 PM, Noam Postavsky
<npostavs@users.sourceforge.net> wrote:
> Still a problem with latest Emacs 25 pretest, and on Windows 8, Emacs
> 25.0.94 this actually crashes Emacs too.
Running under valgrind I get "invalid read of size 1" in
Fbackward_prefix_chars on GNU/Linux as well (see below). I think this
is a long standing bug that allows reading from before beginning of
the buffer. It was introduced way back in 1998, 1fd3172dd4819
"(Fbackward_prefix_chars): Set point properly while scanning."
diff --git a/src/syntax.c b/src/syntax.c
index 4ac1c8d..0235767 100644
--- a/src/syntax.c
+++ b/src/syntax.c
@@ -2174,12 +2174,16 @@ DEFUN ("backward-prefix-chars",
Fbackward_prefix_chars, Sbackward_prefix_chars,
DEC_BOTH (pos, pos_byte);
- while (pos + 1 > beg && !char_quoted (pos, pos_byte)
+ while (!char_quoted (pos, pos_byte)
/* Previous statement updates syntax table. */
&& ((c = FETCH_CHAR (pos_byte), SYNTAX (c) == Squote)
|| SYNTAX_PREFIX (c)))
{
- DEC_BOTH (pos, pos_byte);
+ opoint = pos;
+ opoint_byte = pos_byte;
+
+ if (pos + 1 > beg)
+ DEC_BOTH (pos, pos_byte);
}
SET_PT_BOTH (opoint, opoint_byte);
The (pos + 1 > beg) check originally followed the decrementing of pos,
but after that commit the check came before (and also doesn't end the
loop anymore). Therefore, if (pos == beg), we decrement and then try
to look at the syntax of the character at position (beg-1). This may
segfault, or trigger the "point before start of properties" error in
update_interval (eventually called from char_quoted).
I propose the following patch be applied to the emacs-25 branch:
@@ -3109,8 +3109,9 @@ DEFUN ("backward-prefix-chars",
Fbackward_prefix_chars, Sbackward_prefix_chars,
opoint = pos;
opoint_byte = pos_byte;
- if (pos + 1 > beg)
- DEC_BOTH (pos, pos_byte);
+ DEC_BOTH (pos, pos_byte);
+ if (pos < beg)
+ break;
}
SET_PT_BOTH (opoint, opoint_byte);
This fixes the originally reported error, and the invalid read, cf the
valgrind output mentioned above:
==2557== Invalid read of size 1
==2557== at 0x56691D: Fbackward_prefix_chars (syntax.c:3113)
==2557== by 0x541543: Ffuncall (eval.c:2690)
==2557== by 0x5704D9: exec_byte_code (bytecode.c:880)
==2557== by 0x541151: funcall_lambda (eval.c:2855)
==2557== by 0x54167E: Ffuncall (eval.c:2742)
==2557== by 0x5704D9: exec_byte_code (bytecode.c:880)
==2557== by 0x541151: funcall_lambda (eval.c:2855)
==2557== by 0x54167E: Ffuncall (eval.c:2742)
==2557== by 0x53D941: Ffuncall_interactively (callint.c:252)
==2557== by 0x5414E2: Ffuncall (eval.c:2673)
==2557== by 0x53F07D: Fcall_interactively (callint.c:840)
==2557== by 0x54157F: Ffuncall (eval.c:2700)
==2557== Address 0x146aab9f is 1 bytes before a block of size 2,146 alloc'd
==2557== at 0x4C2CB1D: realloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2557== by 0x527F90: lrealloc (alloc.c:1427)
==2557== by 0x529628: xrealloc (alloc.c:856)
==2557== by 0x4F837F: enlarge_buffer_text (buffer.c:4974)
==2557== by 0x4FB610: make_gap_larger (insdel.c:393)
==2557== by 0x4FB6D7: make_gap (insdel.c:491)
==2557== by 0x4FC5D7: insert_from_string_1 (insdel.c:926)
==2557== by 0x4FD157: insert_from_string (insdel.c:872)
==2557== by 0x535103: general_insert_function (editfns.c:2468)
==2557== by 0x53514C: Finsert (editfns.c:2504)
==2557== by 0x571D28: exec_byte_code (bytecode.c:1509)
==2557== by 0x541151: funcall_lambda (eval.c:2855)
^ permalink raw reply related [flat|nested] 11+ messages in thread
* bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties
2016-06-04 13:35 ` Noam Postavsky
@ 2016-06-04 15:22 ` Noam Postavsky
2016-06-04 17:55 ` Eli Zaretskii
0 siblings, 1 reply; 11+ messages in thread
From: Noam Postavsky @ 2016-06-04 15:22 UTC (permalink / raw)
To: 3552
On Sat, Jun 4, 2016 at 9:35 AM, Noam Postavsky
<npostavs@users.sourceforge.net> wrote:
> I propose the following patch be applied to the emacs-25 branch:
Sorry, that's not quite right, I didn't realize DEC_BOTH also reads
from the buffer, here is a patch that actually fixes the invalid read:
@@ -3109,8 +3109,10 @@ DEFUN ("backward-prefix-chars",
Fbackward_prefix_chars, Sbackward_prefix_chars,
opoint = pos;
opoint_byte = pos_byte;
- if (pos + 1 > beg)
+ if (pos > beg)
DEC_BOTH (pos, pos_byte);
+ else
+ break;
}
SET_PT_BOTH (opoint, opoint_byte);
^ permalink raw reply [flat|nested] 11+ messages in thread
* bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties
2016-06-04 15:22 ` Noam Postavsky
@ 2016-06-04 17:55 ` Eli Zaretskii
2016-06-04 21:25 ` Noam Postavsky
0 siblings, 1 reply; 11+ messages in thread
From: Eli Zaretskii @ 2016-06-04 17:55 UTC (permalink / raw)
To: Noam Postavsky; +Cc: 3552
> From: Noam Postavsky <npostavs@users.sourceforge.net>
> Date: Sat, 4 Jun 2016 11:22:23 -0400
>
> - if (pos + 1 > beg)
> + if (pos > beg)
> DEC_BOTH (pos, pos_byte);
> + else
> + break;
I would use
if (pos <= beg)
break;
DEC_BOTH (pos, pos_byte);
But I don't insist.
Thanks.
^ permalink raw reply [flat|nested] 11+ messages in thread
* bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties
2016-06-04 17:55 ` Eli Zaretskii
@ 2016-06-04 21:25 ` Noam Postavsky
2016-06-05 7:36 ` martin rudalics
0 siblings, 1 reply; 11+ messages in thread
From: Noam Postavsky @ 2016-06-04 21:25 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: 3552
[-- Attachment #1: Type: text/plain, Size: 260 bytes --]
On Sat, Jun 4, 2016 at 1:55 PM, Eli Zaretskii <eliz@gnu.org> wrote:
> I would use
>
> if (pos <= beg)
> break;
> DEC_BOTH (pos, pos_byte);
Oh yeah, that makes sense; parallels with the same check at the
beginning of the function. Full patch attached.
[-- Attachment #2: 0001-Fbackward_prefix_chars-stay-within-buffer-bounds.patch --]
[-- Type: text/x-diff, Size: 1273 bytes --]
From fb739ee2f83df58266c8bfc6a0e4426fed5b5890 Mon Sep 17 00:00:00 2001
From: Noam Postavsky <npostavs@gmail.com>
Date: Sat, 4 Jun 2016 09:02:20 -0400
Subject: [PATCH] Fbackward_prefix_chars: stay within buffer bounds
The commit 1fd3172d "(Fbackward_prefix_chars): Set point properly while
scanning" (1998-03-18), moved the check against of the position against the
buffer beginning out the loop condition so that we might end up checking
the syntax of characters before the beginning of the buffer. This can
cause segfaults or trigger a "Point before start of properties" error in
`update_interval' (called indirectly from `char_quoted').
* src/syntax.c (Fbackward_prefix_chars): Stop the loop when beginning of
buffer is reached (Bug #3552).
---
src/syntax.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/syntax.c b/src/syntax.c
index 8e14bf3..b1ba5c6 100644
--- a/src/syntax.c
+++ b/src/syntax.c
@@ -3109,8 +3109,9 @@ DEFUN ("backward-prefix-chars", Fbackward_prefix_chars, Sbackward_prefix_chars,
opoint = pos;
opoint_byte = pos_byte;
- if (pos + 1 > beg)
- DEC_BOTH (pos, pos_byte);
+ if (pos <= beg)
+ break;
+ DEC_BOTH (pos, pos_byte);
}
SET_PT_BOTH (opoint, opoint_byte);
--
2.8.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties
2016-06-04 21:25 ` Noam Postavsky
@ 2016-06-05 7:36 ` martin rudalics
2016-06-05 13:35 ` Noam Postavsky
0 siblings, 1 reply; 11+ messages in thread
From: martin rudalics @ 2016-06-05 7:36 UTC (permalink / raw)
To: Noam Postavsky, Eli Zaretskii; +Cc: 3552
> * src/syntax.c (Fbackward_prefix_chars): Stop the loop when beginning of
> buffer is reached (Bug #3552).
Make it
* src/syntax.c (Fbackward_prefix_chars): Stop the loop when beginning of
buffer is reached (Bug#3552, Bug#19379).
martin
^ permalink raw reply [flat|nested] 11+ messages in thread
* bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties
2016-06-05 7:36 ` martin rudalics
@ 2016-06-05 13:35 ` Noam Postavsky
2016-06-16 2:07 ` Noam Postavsky
0 siblings, 1 reply; 11+ messages in thread
From: Noam Postavsky @ 2016-06-05 13:35 UTC (permalink / raw)
To: martin rudalics; +Cc: 3552
[-- Attachment #1: Type: text/plain, Size: 371 bytes --]
forcemerge 3552 17132 19379
quit
On Sun, Jun 5, 2016 at 3:36 AM, martin rudalics <rudalics@gmx.at> wrote:
> Make it
>
> * src/syntax.c (Fbackward_prefix_chars): Stop the loop when beginning of
> buffer is reached (Bug#3552, Bug#19379).
Heh, seeing that I decided to search the bug database for
backwards-prefix-chars and found also Bug #17132. Updated patch
attached.
[-- Attachment #2: 0001-Fbackward_prefix_chars-stay-within-buffer-bounds.patch --]
[-- Type: text/x-diff, Size: 1297 bytes --]
From 985874ebcfae96983857e819f570cac3551052c7 Mon Sep 17 00:00:00 2001
From: Noam Postavsky <npostavs@gmail.com>
Date: Sat, 4 Jun 2016 09:02:20 -0400
Subject: [PATCH] Fbackward_prefix_chars: stay within buffer bounds
The commit 1fd3172d "(Fbackward_prefix_chars): Set point properly while
scanning" (1998-03-18), moved the check against of the position against the
buffer beginning out the loop condition so that we might end up checking
the syntax of characters before the beginning of the buffer. This can
cause segfaults or trigger a "Point before start of properties" error in
`update_interval' (called indirectly from `char_quoted').
* src/syntax.c (Fbackward_prefix_chars): Stop the loop when beginning of
buffer is reached (Bug #3552, Bug #17132, Bug #19379).
---
src/syntax.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/syntax.c b/src/syntax.c
index 8e14bf3..b1ba5c6 100644
--- a/src/syntax.c
+++ b/src/syntax.c
@@ -3109,8 +3109,9 @@ DEFUN ("backward-prefix-chars", Fbackward_prefix_chars, Sbackward_prefix_chars,
opoint = pos;
opoint_byte = pos_byte;
- if (pos + 1 > beg)
- DEC_BOTH (pos, pos_byte);
+ if (pos <= beg)
+ break;
+ DEC_BOTH (pos, pos_byte);
}
SET_PT_BOTH (opoint, opoint_byte);
--
2.8.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties
2016-06-05 13:35 ` Noam Postavsky
@ 2016-06-16 2:07 ` Noam Postavsky
2016-06-16 15:05 ` Eli Zaretskii
0 siblings, 1 reply; 11+ messages in thread
From: Noam Postavsky @ 2016-06-16 2:07 UTC (permalink / raw)
To: martin rudalics; +Cc: 3552
Is it okay to install this to emacs-25? While the bug is
long-standing, I think it's important enough to go in the release
since it can crash Emacs.
^ permalink raw reply [flat|nested] 11+ messages in thread
* bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties
2016-06-16 2:07 ` Noam Postavsky
@ 2016-06-16 15:05 ` Eli Zaretskii
2016-06-17 3:20 ` Noam Postavsky
0 siblings, 1 reply; 11+ messages in thread
From: Eli Zaretskii @ 2016-06-16 15:05 UTC (permalink / raw)
To: Noam Postavsky; +Cc: 3552
> From: Noam Postavsky <npostavs@users.sourceforge.net>
> Date: Wed, 15 Jun 2016 22:07:43 -0400
> Cc: Eli Zaretskii <eliz@gnu.org>, 3552@debbugs.gnu.org
>
> Is it okay to install this to emacs-25?
I was sure you already did.
Yes, please.
^ permalink raw reply [flat|nested] 11+ messages in thread
* bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties
2016-06-16 15:05 ` Eli Zaretskii
@ 2016-06-17 3:20 ` Noam Postavsky
0 siblings, 0 replies; 11+ messages in thread
From: Noam Postavsky @ 2016-06-17 3:20 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: 3552-done
Version: 25.1
On Thu, Jun 16, 2016 at 11:05 AM, Eli Zaretskii <eliz@gnu.org> wrote:
>> From: Noam Postavsky <npostavs@users.sourceforge.net>
>> Date: Wed, 15 Jun 2016 22:07:43 -0400
>> Cc: Eli Zaretskii <eliz@gnu.org>, 3552@debbugs.gnu.org
>>
>> Is it okay to install this to emacs-25?
>
> I was sure you already did.
>
> Yes, please.
Now pushed as b49cb0ab
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2016-06-17 3:20 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-06-13 10:40 bug#3552: 23.0.94; backward-prefix-chars: Point before start of properties Johan =?UTF-8?Q?Bockg=C3=A5rd
2016-06-03 3:34 ` Noam Postavsky
2016-06-04 13:35 ` Noam Postavsky
2016-06-04 15:22 ` Noam Postavsky
2016-06-04 17:55 ` Eli Zaretskii
2016-06-04 21:25 ` Noam Postavsky
2016-06-05 7:36 ` martin rudalics
2016-06-05 13:35 ` Noam Postavsky
2016-06-16 2:07 ` Noam Postavsky
2016-06-16 15:05 ` Eli Zaretskii
2016-06-17 3:20 ` Noam Postavsky
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).