From: Kenichi Handa
Newsgroups: gmane.emacs.devel
Subject: Re: Problem report #85 RESOLVED
Date: Thu, 11 May 2006 13:14:59 +0900
References: <200605110120.k4B1Kjfj011062@scanner2.ics.uci.edu>
Cc: emacs-devel@gnu.org
Original-To: Dan Nicolaescu
In-reply-to: <200605110120.k4B1Kjfj011062@scanner2.ics.uci.edu> (message from Dan Nicolaescu on Wed, 10 May 2006 18:20:45 -0700)
User-Agent: SEMI/1.14.3 (Ushinoya) FLIM/1.14.2 (Yagi-Nishiguchi) APEL/10.2 Emacs/22.0.50 (i686-pc-linux-gnu) MULE/5.0 (SAKAKI)
Xref: news.gmane.org gmane.emacs.devel:54236

In article <200605110120.k4B1Kjfj011062@scanner2.ics.uci.edu>, Dan Nicolaescu writes:

> CID: 85
> Checker: USE_AFTER_FREE (help)
> File: base/src/emacs/src/fileio.c
> Function: Finsert_file_contents
> Description: Using freed pointer "conversion_buffer"
> Event freed_arg: Pointer "conversion_buffer" freed by function "xfree" [model]
> Also see events: [double_free][double_free][use_after_free][use_after_free]
> 4326   xfree (conversion_buffer);
> 4327   coding_free_composition_data (&coding);
> At conditional (1): "how_much == -1" taking false path
> 4328   if (how_much == -1)
> 4329     error ("IO error reading %s: %s",
> 4330            SDATA (orig_filename), emacs_strerror (errno));
> At conditional (2): "how_much == -2" taking false path
> 4331   else if (how_much == -2)
> 4332     error ("maximum buffer size exceeded");
> 4333 }

This part of the code is surely suspicious.

Now the relevant code is this:

  /* At this point, INSERTED is how many characters (i.e. bytes)
     are present in CONVERSION_BUFFER.  HOW_MUCH should equal
     TOTAL, or should be <= 0 if we couldn't read the file.  */

  if (how_much < 0)
    {
      xfree (conversion_buffer);
      coding_free_composition_data (&coding);
      if (how_much == -1)
	error ("IO error reading %s: %s",
	       SDATA (orig_filename), emacs_strerror (errno));
      else if (how_much == -2)
	error ("maximum buffer size exceeded");
    }

I think we must always signal an error if how_much < 0.  And, I see no
code setting how_much to -2 before there; how_much is set to a negative
value only if emacs_read returned a negative value.  In addition, we
don't have to check for exceeding the buffer size here (it's done later
in insert_1).

So, I've just installed this change.

2006-05-11  Kenichi Handa

	* fileio.c (Finsert_file_contents): Fix for the case of IO error
	while handling replace operation.

*** fileio.c	08 May 2006 13:13:09 +0900	1.564
--- fileio.c	11 May 2006 13:07:04 +0900
***************
*** 4325,4335 ****
      {
        xfree (conversion_buffer);
        coding_free_composition_data (&coding);
!       if (how_much == -1)
! 	error ("IO error reading %s: %s",
! 	       SDATA (orig_filename), emacs_strerror (errno));
!       else if (how_much == -2)
! 	error ("maximum buffer size exceeded");
      }
  
    /* Compare the beginning of the converted file
--- 4325,4332 ----
      {
        xfree (conversion_buffer);
        coding_free_composition_data (&coding);
!       error ("IO error reading %s: %s",
! 	     SDATA (orig_filename), emacs_strerror (errno));
      }
  
    /* Compare the beginning of the converted file

---
Kenichi Handa
handa@m17n.org
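Review bot: in the replacement hunk, emacs_strerror (errno) is evaluated only after xfree (conversion_buffer) and coding_free_composition_data (&coding) have run, and either of those can change errno, so the reason reported in "IO error reading %s: %s" may not be the one emacs_read actually returned; capture it at the top of the block, e.g. `int save_errno = errno;` before the xfree, and pass `emacs_strerror (save_errno)` to error. The hunk also now reports an IO error with errno for every negative how_much, which is correct only under the claim made in the message body that emacs_read is the sole source of a negative how_much; if any path still produces -2, the message and errno would be misleading, so that claim is worth a comment next to the `if (how_much < 0)` test.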
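The defect the Coverity report and the fix above describe, as an added stand-alone example that is not Emacs code and not part of this message: a cleanup path frees a buffer and then signals an error only for some negative statuses, so any other negative status falls through to code that still uses the freed pointer. Emacs's non-returning `error ()` is modelled here with setjmp/longjmp; `fake_read`, `insert_buggy`, `insert_fixed`, the tracked buffer and the extra status -3 are all hypothetical, and the `errno = 0` inside the simulated free stands in for cleanup that clobbers errno (which free() is permitted to do). The fixed variant also captures errno before cleanup.

```c
/* Added example: simulation of the Finsert_file_contents error path.
   Not Emacs code; all names and the -3 status are hypothetical. */
#include <errno.h>
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define READ_IO_ERROR (-1)   /* read failed, errno describes why */
#define READ_TOO_BIG  (-2)   /* the legacy "buffer size" status */
#define READ_OTHER    (-3)   /* hypothetical: some other negative status */

enum result { OK = 0, ERR_SIGNALED = 1, USE_AFTER_FREE = 2 };

/* Stand-in for Emacs's error(): never returns, unwinds to the handler. */
static jmp_buf handler;
static char last_error[256];
static char output[64];

static void raise_error(const char *msg)
{
    snprintf(last_error, sizeof last_error, "%s", msg);
    longjmp(handler, 1);
}

static void io_error(const char *file, int err)
{
    char msg[256];
    snprintf(msg, sizeof msg, "IO error reading %s: %s", file, strerror(err));
    raise_error(msg);
}

/* A buffer that remembers it was freed, so a later use is reported
   instead of being undefined behaviour. */
struct tracked { char *data; int freed; };

static void xfree_tracked(struct tracked *b)
{
    free(b->data);
    b->data = NULL;
    b->freed = 1;
    errno = 0;   /* simulated: cleanup that clobbers errno */
}

/* Constructed stand-in for emacs_read: the file name selects the outcome. */
static long fake_read(const char *file, char *buf, size_t len)
{
    if (strcmp(file, "eio") == 0)  { errno = EIO;   return READ_IO_ERROR; }
    if (strcmp(file, "huge") == 0) { errno = EFBIG; return READ_TOO_BIG; }
    if (strcmp(file, "intr") == 0) { errno = EINTR; return READ_OTHER; }
    size_t n = strlen(file);
    if (n > len) n = len;
    memcpy(buf, file, n);
    return (long)n;
}

/* Mirrors the original: free first, signal only for -1 or -2, so any other
   negative status falls through to code that still uses the buffer. */
static enum result insert_buggy(const char *file)
{
    struct tracked cb = { malloc(sizeof output), 0 };
    long how_much = fake_read(file, cb.data, sizeof output - 1);
    if (how_much < 0) {
        xfree_tracked(&cb);
        if (how_much == READ_IO_ERROR)
            io_error(file, errno);          /* errno already clobbered */
        else if (how_much == READ_TOO_BIG)
            raise_error("maximum buffer size exceeded");
    }
    if (cb.freed)
        return USE_AFTER_FREE;              /* the use Coverity flagged */
    memcpy(output, cb.data, (size_t)how_much);
    output[how_much] = '\0';
    xfree_tracked(&cb);
    return OK;
}

/* Fix: every negative status is an error; save errno before any cleanup. */
static enum result insert_fixed(const char *file)
{
    struct tracked cb = { malloc(sizeof output), 0 };
    long how_much = fake_read(file, cb.data, sizeof output - 1);
    if (how_much < 0) {
        int saved_errno = errno;
        xfree_tracked(&cb);
        io_error(file, saved_errno);        /* never returns */
    }
    memcpy(output, cb.data, (size_t)how_much);
    output[how_much] = '\0';
    xfree_tracked(&cb);
    return OK;
}

/* Run one variant under an error handler and report what happened. */
static enum result run(enum result (*fn)(const char *), const char *file)
{
    last_error[0] = '\0';
    output[0] = '\0';
    if (setjmp(handler) != 0)
        return ERR_SIGNALED;
    return fn(file);
}

enum result run_buggy(const char *file) { return run(insert_buggy, file); }
enum result run_fixed(const char *file) { return run(insert_fixed, file); }
const char *last_error_message(void) { return last_error; }
const char *last_output(void) { return output; }

int main(void)
{
    const char *files[] = { "hello", "eio", "huge", "intr" };
    for (size_t i = 0; i < 4; i++) {
        printf("buggy %-5s -> %d %s\n", files[i], run_buggy(files[i]), last_error);
        printf("fixed %-5s -> %d %s\n", files[i], run_fixed(files[i]), last_error);
    }
    return 0;
}
```

The "intr" input is the interesting one: the buggy variant frees the buffer and then carries on to use it, while the fixed variant unwinds with an error for any negative status. The "eio" input shows the second point: the buggy variant formats errno after the free has clobbered it, the fixed one reports the saved value.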