From: Chong Yidong
Newsgroups: gmane.emacs.devel,gmane.emacs.pretest.bugs
Subject: Re: memory corruption in regex.c
Date: Sat, 22 Mar 2008 17:34:05 -0400
Message-ID: <87abkqo33m.fsf@stupidchicken.com>
References: <200803221125.m2MBPZ7q021670@livre.oliva.athome.lsd.ic.unicamp.br>
To: Alexandre Oliva
Cc: emacs-pretest-bug@gnu.org
In-Reply-To: <200803221125.m2MBPZ7q021670@livre.oliva.athome.lsd.ic.unicamp.br> (Alexandre Oliva's message of "Sat, 22 Mar 2008 08:25:35 -0300")
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1.92 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:93207 gmane.emacs.pretest.bugs:21657

Alexandre Oliva writes:

> https://bugzilla.redhat.com/show_bug.cgi?id=435767
>
> emacs invokes undefined behavior in regex.c, computing the difference
> between unrelated pointers.  In general, this wouldn't be too much of
> a problem, as long as the type used to represent the difference was
> wide enough to cover the entire possible range of pointer differences.
>
> Such a type is not even guaranteed to exist, and it can be tricky to
> get reasonable results on segmented architectures.  So, the correct
> code needs to compute offsets between pointers in the old buffer, and
> apply the same offset into the new buffer.  In most cases, the
> compiler will just optimize the code to the same we got before on
> i386, and to something very close, but using a 64-bit offset on
> x86-64.

This sounds correct.  Thanks very much for catching this bug.

I don't see any problem with your patch, except:

> - re_char *old_buffer = bufp->buffer; \
> + unsigned char *old_buffer = bufp->buffer; \

What is the purpose of this?
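Review bot: the change of `old_buffer`'s declared type in this hunk is not motivated anywhere in the accompanying description, which only needs `old_buffer` as the base for the `pointer - old_buffer` offsets computed before the reallocation; either state the reason in the patch description (or in a comment on that line) or leave the declaration as it was, so the question does not have to be asked in review.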
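The relocation scheme the quoted paragraph describes, written out as an added C example (this is not code from the message or from Emacs's regex.c): before `realloc` each interior pointer is recorded as an offset from the old base, and afterwards it is rebuilt from the new base, so no expression ever subtracts pointers into two different allocations. The `struct buf`, `extend_buffer`, `append_bytes` and `demo_relocation` names, and the 1000-byte input, are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A growable compile buffer with a few pointers into it, modelled loosely on
   the pattern buffer discussed in the thread.  The struct and function names
   are constructed for this example and are not regex.c's own. */
struct buf {
    unsigned char *buffer;     /* start of the current allocation */
    size_t allocated;          /* capacity of that allocation in bytes */
    unsigned char *b;          /* write cursor, always inside [buffer, buffer + allocated] */
    unsigned char *laststart;  /* another interior pointer, or NULL when unset */
};

/* Double the buffer.  The pre-fix pattern was
       incr = bufp->buffer - old_buffer;  p += incr;
   which subtracts pointers into two different allocations once realloc has
   moved the block: undefined behaviour.  Here every pointer is recorded as
   an offset from the OLD base before realloc (both operands point into the
   same object) and rebuilt from the NEW base afterwards.  Returns 0 on
   success, -1 if the allocation fails (the buffer is left unchanged). */
static int extend_buffer(struct buf *bp)
{
    unsigned char *old_buffer = bp->buffer;
    ptrdiff_t b_off = bp->b - old_buffer;
    /* Only a pointer that really points into the buffer may be turned into an
       offset; a NULL laststart is carried across as NULL. */
    int have_laststart = bp->laststart != NULL;
    ptrdiff_t laststart_off = have_laststart ? bp->laststart - old_buffer : 0;

    size_t new_size = bp->allocated * 2;
    unsigned char *nb = realloc(bp->buffer, new_size);
    if (nb == NULL)
        return -1;
    bp->buffer = nb;
    bp->allocated = new_size;

    /* Re-derive every interior pointer from the new base.  No expression
       mentions old_buffer again, so the stale pointer is never used. */
    bp->b = bp->buffer + b_off;
    bp->laststart = have_laststart ? bp->buffer + laststart_off : NULL;
    return 0;
}

/* Append n bytes, growing as needed.  Returns the number of bytes now in the
   buffer, or -1 on allocation failure. */
static ptrdiff_t append_bytes(struct buf *bp, const unsigned char *src, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if ((size_t)(bp->b - bp->buffer) == bp->allocated && extend_buffer(bp) != 0)
            return -1;
        *bp->b++ = src[i];
    }
    return bp->b - bp->buffer;
}

/* Start from a 4-byte buffer, write 1000 constructed bytes through several
   relocations, and check that the cursor, laststart and contents survived.
   Returns 1 on success, 0 on any failure. */
int demo_relocation(void)
{
    struct buf bp;
    bp.allocated = 4;
    bp.buffer = malloc(bp.allocated);
    if (bp.buffer == NULL)
        return 0;
    bp.b = bp.buffer;
    bp.laststart = NULL;

    unsigned char data[1000];               /* constructed sample input */
    for (size_t i = 0; i < sizeof data; i++)
        data[i] = (unsigned char)(i & 0xff);

    int ok = 0;
    /* Write three bytes, mark that position, then write the rest so the
       buffer is reallocated repeatedly while laststart is set. */
    if (append_bytes(&bp, data, 3) == 3) {
        bp.laststart = bp.b;
        if (append_bytes(&bp, data + 3, sizeof data - 3) == (ptrdiff_t)sizeof data)
            ok = (bp.b - bp.buffer) == (ptrdiff_t)sizeof data
                 && (bp.laststart - bp.buffer) == 3
                 && bp.allocated >= sizeof data
                 && memcmp(bp.buffer, data, sizeof data) == 0;
    }
    free(bp.buffer);
    return ok;
}

int main(void)
{
    int ok = demo_relocation();
    printf("pointers rebuilt from offsets after relocation: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Compiled with `-fsanitize=undefined,address` the example runs clean, whereas the `new_base - old_base` form it replaces is exactly the kind of arithmetic that sanitizers and segmented or 64-bit targets expose; `ptrdiff_t` is the right type for the offsets because each one is a difference between two pointers into the same object.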