segfault by emacs -nw

segfault by emacs -nw

[Kenichi Handa]

With today's CVS HEAD, emacs -nw always crashes as below:

(gdb) run -nw
Starting program: /usr/local/work/emacs-head/src/emacs -nw

Program received signal SIGSEGV, Segmentation fault.
Fcons (car=405679812, cdr=1479496976) at alloc.c:2338
2338          cons_free_list = *(struct Lisp_Cons **)&cons_free_list->cdr;
(gdb) bt 5
#0  Fcons (car=405679812, cdr=1479496976) at alloc.c:2338
#1  0x0811d320 in Flist (nargs=2, args=0xbfffeb60) at alloc.c:2413
#2  0x08132273 in funcall_lambda (fun=1209889188, nargs=4, 
    arg_vector=0xbfffeb58) at eval.c:2885
#3  0x08131f71 in Ffuncall (nargs=5, args=0xbfffeb54) at eval.c:2781
#4  0x0815920c in Fbyte_code (bytestr=941466652, vector=1209902156, maxdepth=6)
    at bytecode.c:710
(More stack frames follow...)
(gdb) xbacktrace
"set-face-attribute"
"face-spec-reset-face"
"face-spec-set"
"frame-set-background-mode"
"tty-set-up-initial-frame-faces"

I remember it worked a week ago.

---
Ken'ichi HANDA
handa@m17n.org

Re: segfault by emacs -nw

[Terje Rosten]

* Kenichi Handa
| 
| With today's CVS HEAD, emacs -nw always crashes as below:

Reverting this patch seems to fix it here:

<URL: http://savannah.gnu.org/cgi-bin/viewcvs/emacs/emacs/src/term.c.diff?r1=1.146&r2=1.147&sortby=date>

The change is from:

2003-08-19  Gerd Moellmann  <gerd@gnu.org>

        * s/freebsd.h [__FreeBSD_version >= 400000]: Define TERMINFO,
        use -lncurses.

        * term.c (term_init): Use a buffer of size 4096 for tgetent since
        FreeBSD returns something longer than 2044.  Abort if the end of
        the buffer is overwritten.


 - Terje

Re: segfault by emacs -nw

[Kenichi Handa]

Terje Rosten <terjeros@phys.ntnu.no> writes:
> | With today's CVS HEAD, emacs -nw always crashes as below:

> Reverting this patch seems to fix it here:

> <URL: http://savannah.gnu.org/cgi-bin/viewcvs/emacs/emacs/src/term.c.diff?r1=1.146&r2=1.147&sortby=date>

> The change is from:

> 2003-08-19  Gerd Moellmann  <gerd@gnu.org>

>         * s/freebsd.h [__FreeBSD_version >= 400000]: Define TERMINFO,
>         use -lncurses.

>         * term.c (term_init): Use a buffer of size 4096 for tgetent since
>         FreeBSD returns something longer than 2044.  Abort if the end of
>         the buffer is overwritten.

Thank you for the info.   I think I found what is wrong with
the above patch.

The current code is like this:
----------------------------------------------------------------------
  buffer = (char *) xmalloc (buffer_size);
  status = tgetent (buffer, terminal_type);
[...]
  if (strlen (buffer) >= buffer_size)
    abort ();
  
  area = (char *) xmalloc (strlen (buffer));
----------------------------------------------------------------------

But, on GNU/Linux, the argument `buffer' of tgetent is
ignored.  This is the man page for tgetent.

SYNOPSIS
[...]
       int tgetent(char *bp, const char *name);
[...]
       These routines are included as a conversion aid  for  pro-
       grams  that use the termcap library.  Their parameters are
       the same and the routines are emulated using the  terminfo
       database.   Thus, they can only be used to query the capa-
       bilities of entries for which a terminfo  entry  has  been
       compiled.

       The  tgetent routine loads the entry for name.  It returns
       1 on success, 0 if there is no such entry, and -1  if  the
       terminfo  database  could  not  be  found.   The emulation
       ignores the buffer pointer bp.
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

So, in my environment, the memory allocated for `area' is
too small which leads to buffer overrun.  I've just
installed the attached change.

---
Ken'ichi HANDA
handa@m17n.org


2003-08-21  Kenichi Handa  <handa@m17n.org>

	* term.c (term_init): Fix previous change; don't rely on the
	length of `buffer' if TERMINFO is defined.

Index: term.c
===================================================================
RCS file: /cvsroot/emacs/emacs/src/term.c,v
retrieving revision 1.147
diff -u -c -r1.147 term.c
cvs server: conflicting specifications of output style
*** term.c	19 Aug 2003 23:47:22 -0000	1.147
--- term.c	21 Aug 2003 11:34:21 -0000
***************
*** 2229,2238 ****
  #endif
      }
  
    if (strlen (buffer) >= buffer_size)
      abort ();
!   
!   area = (char *) xmalloc (strlen (buffer));
  
    TS_ins_line = tgetstr ("al", address);
    TS_ins_multi_lines = tgetstr ("AL", address);
--- 2229,2240 ----
  #endif
      }
  
+ #ifndef TERMINFO
    if (strlen (buffer) >= buffer_size)
      abort ();
!   buffer_size = strlen (buffer);
! #endif
!   area = (char *) xmalloc (buffer_size);
  
    TS_ins_line = tgetstr ("al", address);
    TS_ins_multi_lines = tgetstr ("AL", address);

Re: segfault by emacs -nw

[Gerd Moellmann]

Kenichi Handa <handa@m17n.org> writes:

> But, on GNU/Linux, the argument `buffer' of tgetent is
> ignored.  This is the man page for tgetent.

Wow.  What a mess.  Thanks for fixing this.