unofficial mirror of emacs-devel@gnu.org 
From: Kenichi Handa <handa@m17n.org>
Cc: emacs-devel@gnu.org
Subject: Re: Problem report #85  RESOLVED
Date: Thu, 11 May 2006 13:14:59 +0900
Message-ID: <E1Fe2Zn-0003km-00@etlken>
In-Reply-To: <200605110120.k4B1Kjfj011062@scanner2.ics.uci.edu> (message from Dan Nicolaescu on Wed, 10 May 2006 18:20:45 -0700)

In article <200605110120.k4B1Kjfj011062@scanner2.ics.uci.edu>, Dan Nicolaescu <dann@ics.uci.edu> writes:

> CID: 85
> Checker: USE_AFTER_FREE (help)
> File: base/src/emacs/src/fileio.c
> Function: Finsert_file_contents
> Description: Using freed pointer "conversion_buffer"

> Event freed_arg: Pointer "conversion_buffer" freed by function "xfree" [model]
> Also see events: [double_free][double_free][use_after_free][use_after_free]

> 4326 		  xfree (conversion_buffer);
> 4327 		  coding_free_composition_data (&coding);

> At conditional (1): "how_much == -1" taking false path

> 4328 		  if (how_much == -1)
> 4329 		    error ("IO error reading %s: %s",
> 4330 			   SDATA (orig_filename), emacs_strerror (errno));

> At conditional (2): "how_much == -2" taking false path

> 4331 		  else if (how_much == -2)
> 4332 		    error ("maximum buffer size exceeded");
> 4333 		}

This part of the code is surely suspicious.  Now the
relevant code is this:

      /* At this point, INSERTED is how many characters (i.e. bytes)
	 are present in CONVERSION_BUFFER.
	 HOW_MUCH should equal TOTAL,
	 or should be <= 0 if we couldn't read the file.  */

      if (how_much < 0)
	{
	  xfree (conversion_buffer);
	  coding_free_composition_data (&coding);
	  if (how_much == -1)
	    error ("IO error reading %s: %s",
		   SDATA (orig_filename), emacs_strerror (errno));
	  else if (how_much == -2)
	    error ("maximum buffer size exceeded");
	}

I think we must always signal an error if how_much < 0.
And, I see no code setting how_much to -2 before there.
how_much is set to negative only if emacs_read returned a
negative value.  In addition, we don't have to check for
exceeding the buffer size here (it's done later in insert_1).
So, I've just installed this change.

2006-05-11  Kenichi Handa  <handa@m17n.org>

	* fileio.c (Finsert_file_contents): Fix for the case of IO error
	while handling replace operation.

*** fileio.c	08 May 2006 13:13:09 +0900	1.564
--- fileio.c	11 May 2006 13:07:04 +0900	
***************
*** 4325,4335 ****
  	{
  	  xfree (conversion_buffer);
  	  coding_free_composition_data (&coding);
! 	  if (how_much == -1)
! 	    error ("IO error reading %s: %s",
! 		   SDATA (orig_filename), emacs_strerror (errno));
! 	  else if (how_much == -2)
! 	    error ("maximum buffer size exceeded");
  	}
  
        /* Compare the beginning of the converted file
--- 4325,4332 ----
  	{
  	  xfree (conversion_buffer);
  	  coding_free_composition_data (&coding);
! 	  error ("IO error reading %s: %s",
! 		 SDATA (orig_filename), emacs_strerror (errno));
  	}
  
        /* Compare the beginning of the converted file
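
Review bot: In the replacement lines (new 4328-4329), emacs_strerror (errno) is evaluated only after xfree (conversion_buffer) and coding_free_composition_data (&coding) have run, and either cleanup call may modify errno, so the message can name the wrong cause for the read failure. Consider copying errno into a local before the two cleanup calls and passing that copy to emacs_strerror. Separately, making error () unconditional closes the path the checker flagged, where a negative how_much other than -1 or -2 fell out of the block with conversion_buffer already freed; a one-line comment that error () does not return would keep that intent visible to later readers and to the analyzer.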

---
Kenichi Handa
handa@m17n.org
