From: Dan Nicolaescu
Newsgroups: gmane.emacs.devel
Subject: Problem report #85
Date: Wed, 10 May 2006 18:20:45 -0700
Message-ID: <200605110120.k4B1Kjfj011062@scanner2.ics.uci.edu>
Original-To: emacs-devel@gnu.org
CID: 85
Checker: USE_AFTER_FREE (help)
File: base/src/emacs/src/fileio.c
Function: Finsert_file_contents
Description: Using freed pointer "conversion_buffer"

Event freed_arg: Pointer "conversion_buffer" freed by function "xfree" [model]
Also see events: [double_free][double_free][use_after_free][use_after_free]

4326 	      xfree (conversion_buffer);
4327 	      coding_free_composition_data (&coding);

At conditional (1): "how_much == -1" taking false path

4328 	      if (how_much == -1)
4329 	        error ("IO error reading %s: %s",
4330 	               SDATA (orig_filename), emacs_strerror (errno));

At conditional (2): "how_much == -2" taking false path

4331 	      else if (how_much == -2)
4332 	        error ("maximum buffer size exceeded");
4333 	    }
4334 	
4335 	  /* Compare the beginning of the converted file
4336 	     with the buffer text.  */
4337 	
4338 	  bufpos = 0;

Event use_after_free: Using freed pointer "conversion_buffer"
Also see events: [freed_arg][double_free][double_free][use_after_free]

At conditional (3): "bufpos < inserted" taking false path

4339 	  while (bufpos < inserted && same_at_start < same_at_end
4340 	         && FETCH_BYTE (same_at_start) == conversion_buffer[bufpos])
4341 	    same_at_start++, bufpos++;
4342 	
4343 	  /* If the file matches the buffer completely,
4344 	     there's no need to replace anything.  */
4345 	

At conditional (4): "bufpos == inserted" taking true path

4346 	  if (bufpos == inserted)
4347 	    {

Event double_free: Double free of pointer "conversion_buffer" in call to "xfree" [model]
Also see events: [freed_arg][double_free][use_after_free][use_after_free]

4348 	      xfree (conversion_buffer);
4349 	      coding_free_composition_data (&coding);
4350 	      emacs_close (fd);
4351 	      specpdl_ptr--;
4352 	      /* Truncate the buffer to the size of the file.  */
4353 	      del_range_byte (same_at_start, same_at_end, 0);
4354 	      inserted = 0;
4355 	      goto handled;
4356 	    }
4357 	
4358 	  /* Extend the start of non-matching text area to multibyte
4359 	     character boundary.  */
4360 	  if (! NILP (current_buffer->enable_multibyte_characters))
4361 	    while (same_at_start > BEGV_BYTE
4362 	           && ! CHAR_HEAD_P (FETCH_BYTE (same_at_start)))
4363 	      same_at_start--;
4364 	
4365 	  /* Scan this bufferful from the end, comparing with
4366 	     the Emacs buffer.  */
4367 	  bufpos = inserted;
4368 	
4369 	  /* Compare with same_at_start to avoid counting some buffer text
4370 	     as matching both at the file's beginning and at the end.  */

Event use_after_free: Using freed pointer "conversion_buffer"
Also see events: [freed_arg][double_free][double_free][use_after_free]

4371 	  while (bufpos > 0 && same_at_end > same_at_start
4372 	         && FETCH_BYTE (same_at_end - 1) == conversion_buffer[bufpos - 1])
4373 	    same_at_end--, bufpos--;
4374 	
4375 	  /* Extend the end of non-matching text area to multibyte
4376 	     character boundary.  */
4377 	  if (! NILP (current_buffer->enable_multibyte_characters))
4378 	    while (same_at_end < ZV_BYTE
4379 	           && ! CHAR_HEAD_P (FETCH_BYTE (same_at_end)))
4380 	      same_at_end++;
4381 	
4382 	  /* Don't try to reuse the same piece of text twice.  */
4383 	  overlap = same_at_start - BEGV_BYTE - (same_at_end + inserted - ZV_BYTE);
4384 	  if (overlap > 0)
4385 	    same_at_end += overlap;
4386 	
4387 	  /* If display currently starts at beginning of line,
4388 	     keep it that way.  */
4389 	  if (XBUFFER (XWINDOW (selected_window)->buffer) == current_buffer)
4390 	    XWINDOW (selected_window)->start_at_line_beg = Fbolp ();
4391 	
4392 	  /* Replace the chars that we need to replace,
4393 	     and update INSERTED to equal the number of bytes
4394 	     we are taking from the file.  */
4395 	  inserted -= (ZV_BYTE - same_at_end) + (same_at_start - BEGV_BYTE);
4396 	
4397 	  if (same_at_end != same_at_start)
4398 	    {
4399 	      del_range_byte (same_at_start, same_at_end, 0);
4400 	      temp = GPT;
4401 	      same_at_start = GPT_BYTE;
4402 	    }
4403 	  else
4404 	    {
4405 	      temp = BYTE_TO_CHAR (same_at_start);
4406 	    }
4407 	  /* Insert from the file at the proper position.  */
4408 	  SET_PT_BOTH (temp, same_at_start);
4409 	  insert_1 (conversion_buffer + same_at_start - BEGV_BYTE, inserted,
4410 	            0, 0, 0);
4411 	  if (coding.cmp_data && coding.cmp_data->used)
4412 	    coding_restore_composition (&coding, Fcurrent_buffer ());
4413 	  coding_free_composition_data (&coding);
4414 	
4415 	  /* Set `inserted' to the number of inserted characters.  */
4416 	  inserted = PT - temp;
4417 	  /* Set point before the inserted characters.  */
4418 	  SET_PT_BOTH (temp, same_at_start);
4419 	

Event double_free: Double free of pointer "conversion_buffer" in call to "xfree" [model]
Also see events: [freed_arg][double_free][use_after_free][use_after_free]

4420 	  xfree (conversion_buffer);
4421 	  emacs_close (fd);