From: Kenichi Handa <handa@m17n.org>
Cc: emacs-devel@gnu.org
Subject: Re: editfns.c (Fformat): fix for segfault
Date: Mon, 28 Apr 2003 11:36:24 +0900 (JST) [thread overview]
Message-ID: <200304280236.LAA10379@etlken.m17n.org> (raw)
In-Reply-To: <851xzo9f2l.fsf@pi.meyering.net> (message from Jim Meyering on Sun, 27 Apr 2003 16:42:58 +0200)
In article <851xzo9f2l.fsf@pi.meyering.net>, Jim Meyering <jim@meyering.net> writes:
> I tried using a snapshot from today's CVS repository with Gnus.
> I got a segfault within a minute or two:
> pi$ gdb --args /p/bin/emacs -f gnus-no-server
> (gdb) r
> Starting program: /u/p/bin/emacs -f gnus-no-server
> Program received signal SIGSEGV, Segmentation fault.
> 0x081718e2 in Fformat (nargs=4, args=0xbfffe194)
> at /mirror/d/emacs/src/editfns.c:3486
> 3486 discarded[format - format_start] = 1;
> (gdb) p format
> $1 = (unsigned char *) 0x91788b4 "%S %d %d y\n"
> (gdb) p format_start
> $2 = (unsigned char *) 0x90cff34 "%s %d %d y\n"
Thank you for the report. I found a problem in the code of
Fformat.
> This patch seems to have fixed it, at least to the extent
> that with it, I can no longer reproduce the problem.
[...]
> /* Scan the format and store result in BUF. */
> format = SDATA (args[0]);
> + format_start = format;
> + end = format + SBYTES (args[0]);
> maybe_combine_byte = 0;
> while (format != end)
> {
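Review bot: Setting `format_start` and `end` once from `SDATA (args[0])` before the loop is not sufficient, because the loop body calls functions (Fchar_to_string, Fprint1_to_string) that can trigger GC and relocate the string data, after which `format`, `format_start` and `end` all dangle. Either recompute all three from `SDATA (args[0])` after every such call (saving `format - format_start` as an offset first), or copy the format bytes into a buffer that GC cannot move before the loop starts.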
I think it's not enough.
This is my analysis. In the first scan, Fchar_to_string or
Fprint1_to_string are called, and they will relocate the data
of a Lisp string (in the current case, args[0]). When that
happens, the area pointed to by `format' becomes invalid.
So, after each call of them, we must update format,
format_start, and end. Another way is to copy the byte
sequence of args[0] into some safe area alloced or malloced.
Could some Emacs developer confirm my analysis and, if it
is correct, fix the code along this line? Currently, I
don't have time to do that by myself.
---
Ken'ichi HANDA
handa@m17n.org
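The failure Handa describes, as an added example that is not code from Emacs or from this thread: a constructed stand-in for a Lisp string whose bytes a compacting collector may move (`struct lisp_string`, `gc_relocate` and `maybe_gc` are hypothetical names), the scan that keeps one pointer across a call that can relocate, and both remedies he names, refreshing `format`, `format_start` and `end` after each such call, or copying the bytes to a buffer the collector cannot move. Old buffers are poisoned rather than freed so the stale read produces a wrong answer deterministically instead of undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a Lisp string whose data GC may move. */
struct lisp_string {
    unsigned char *data;
    size_t nbytes;
};

/* Old buffers are kept alive and poisoned (not freed) so that a stale
   pointer reads visibly wrong bytes; gc_release_all() frees them. */
#define MAX_OLD 64
static unsigned char *old_buffers[MAX_OLD];
static int n_old;

/* Simulated compacting GC: move the string's bytes to a fresh buffer. */
static void gc_relocate(struct lisp_string *s)
{
    unsigned char *fresh = malloc(s->nbytes);
    memcpy(fresh, s->data, s->nbytes);
    memset(s->data, '#', s->nbytes);          /* poison the old copy */
    if (n_old < MAX_OLD) old_buffers[n_old++] = s->data;
    s->data = fresh;
}

static void gc_release_all(void)
{
    while (n_old > 0) free(old_buffers[--n_old]);
}

/* Stand-in for a call like Fprint1_to_string: it may run GC. */
static void maybe_gc(struct lisp_string *s) { gc_relocate(s); }

/* Buggy pattern: pointers taken once before the loop, never refreshed.
   After the first maybe_gc(), `format' walks the poisoned old buffer. */
int count_specs_stale(struct lisp_string *s)
{
    const unsigned char *format_start = s->data;
    const unsigned char *format = format_start;
    const unsigned char *end = format_start + s->nbytes;
    int count = 0;
    while (format != end) {
        if (*format == '%') { count++; maybe_gc(s); }
        format++;
    }
    return count;
}

/* Remedy 1: save the offset, then re-derive all three pointers from
   s->data after every call that can relocate the string. */
int count_specs_refresh(struct lisp_string *s)
{
    const unsigned char *format_start = s->data;
    const unsigned char *format = format_start;
    const unsigned char *end = format_start + s->nbytes;
    int count = 0;
    while (format != end) {
        if (*format == '%') {
            size_t off = format - format_start;
            count++;
            maybe_gc(s);
            format_start = s->data;           /* refresh after the call */
            format = format_start + off;
            end = format_start + s->nbytes;
        }
        format++;
    }
    return count;
}

/* Remedy 2: copy the bytes into a malloc'ed area GC does not move. */
int count_specs_copy(struct lisp_string *s)
{
    unsigned char *safe = malloc(s->nbytes);
    memcpy(safe, s->data, s->nbytes);
    const unsigned char *format = safe, *end = safe + s->nbytes;
    int count = 0;
    while (format != end) {
        if (*format == '%') { count++; maybe_gc(s); }  /* safe is unaffected */
        format++;
    }
    free(safe);
    return count;
}

/* Build a string from a constructed literal, run one scanner, clean up. */
int run_scan(const char *fmt, int (*scan)(struct lisp_string *))
{
    struct lisp_string s;
    s.nbytes = strlen(fmt);
    s.data = malloc(s.nbytes);
    memcpy(s.data, fmt, s.nbytes);
    int result = scan(&s);
    free(s.data);
    gc_release_all();
    return result;
}

int main(void)
{
    /* The format string from the gdb session has three directives. */
    const char *fmt = "%S %d %d y\n";
    return run_scan(fmt, count_specs_refresh) == 3
        && run_scan(fmt, count_specs_copy) == 3 ? 0 : 1;
}
```

The stale scanner finds only the first `%`: once the data has moved, everything it reads afterwards is poison. Both remedies report all three. In Emacs the equivalent of the offset bookkeeping is `format - format_start`, recomputed against `SDATA (args[0])` after each call that can run GC.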