From: Bernhard Herzog
Newsgroups: gmane.emacs.devel
Subject: Patch fixing buffer overflow in trunk
Date: Tue, 04 May 2010 17:14:41 +0200
To: emacs-devel@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:124512

Hi,

since yesterday I've been running into crashes when starting emacs from
bzr trunk that seemed to depend on the current working directory. E.g.
starting from one particular directory would lead to a practically
immediate crash with the output:

*** glibc detected *** emacs: malloc(): memory corruption: 0x086c6c90 ***
======= Backtrace: =========
/lib/libc.so.6[0xb7505845]

Changing into another directory, e.g. the parent directory of the one
where it just failed, would solve the problem and emacs would start.
Investigating further, it seemed to depend on the length of the absolute
name of the current directory.
And a little bisecting in the bzr history showed that the defect was
introduced in revision 100117 in the following lines:

--- src/xsmfns.c	2010-02-10 09:29:28 +0000
+++ src/xsmfns.c	2010-05-02 18:44:04 +0000
@@ -246,7 +251,19 @@
 
       props[props_idx]->vals[2].length = strlen (NOSPLASH_OPT);
       props[props_idx]->vals[2].value = NOSPLASH_OPT;
-      val_idx += 3;
+
+      cwd = get_current_dir_name ();
+      if (cwd)
+        {
+          chdir_opt = xmalloc (strlen (CHDIR_OPT) + strlen (client_id) + 1);
+          strcpy (chdir_opt, CHDIR_OPT);
+          strcat (chdir_opt, cwd);
+
+          props[props_idx]->vals[3].length = strlen (chdir_opt);
+          props[props_idx]->vals[3].value = chdir_opt;
+        }
+
+      val_idx += cwd ? 4 : 3;
       ++props_idx;
 
       /* User id. */

Clearly, that strlen (client_id) should actually be strlen (cwd). The
patch below fixes this.

   Bernhard

=== modified file 'src/xsmfns.c'
--- src/xsmfns.c	2010-05-02 18:44:04 +0000
+++ src/xsmfns.c	2010-05-04 14:33:08 +0000
@@ -255,7 +255,7 @@
       cwd = get_current_dir_name ();
       if (cwd)
         {
-          chdir_opt = xmalloc (strlen (CHDIR_OPT) + strlen (client_id) + 1);
+          chdir_opt = xmalloc (strlen (CHDIR_OPT) + strlen (cwd) + 1);
           strcpy (chdir_opt, CHDIR_OPT);
           strcat (chdir_opt, cwd);
 
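Review bot: in the revision 100117 hunk (@@ -246,7 +251,19 @@) the allocation is sized from the wrong string, and that mismatch is the overflow: `chdir_opt = xmalloc (strlen (CHDIR_OPT) + strlen (client_id) + 1);` reserves room for the client id, but the following `strcat (chdir_opt, cwd);` appends the working directory, so any cwd whose absolute path is longer than client_id writes past the end of the heap block, which is consistent with the malloc() memory-corruption abort reported at the top of the mail. The size should be derived from the string that is actually copied (strlen (cwd)), and computing that length once into a variable used by both the xmalloc call and the copy would stop the two from diverging in a later edit. Separately, get_current_dir_name () returns a malloc'd buffer and nothing in the visible lines frees cwd after its contents have been copied into chdir_opt; worth confirming it is released further down in the function.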
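Review bot: in the fix hunk (@@ -255,7 +255,7 @@) the corrected size `strlen (CHDIR_OPT) + strlen (cwd) + 1` now matches what strcpy and strcat write, so this closes the overflow. One style suggestion for the same lines: replacing the strcpy/strcat pair with a single memcpy that uses a precomputed total length would make the buffer size and the copy length the same expression rather than two that happen to agree. The patch also comes without a ChangeLog entry for src/xsmfns.c, which an Emacs commit would normally carry.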
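The defect class behind this report, an allocation sized from one string while a different string is copied into it, is easy to check arithmetically and easy to avoid structurally. The following C program is an added example, not Bernhard's patch or Emacs code: overflow_bytes() computes how far short the r100117 sizing falls for a given client id and working directory, and build_chdir_opt() shows the safe pattern where a single length computation feeds both the allocation and the copy. The CHDIR_OPT value, the helper names and the sample client id and path are assumptions constructed for the example.

```c
/* Added example, not Emacs code.  Demonstrates the size/copy mismatch from
   the r100117 hunk and a builder whose allocation size and copy length come
   from one computation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Option prefix as assumed for this example (not taken from xsmfns.c). */
#define CHDIR_OPT "--chdir="

/* Bytes by which a buffer sized as CHDIR_OPT + sizing_str + NUL falls short
   of what CHDIR_OPT + copied_str + NUL needs; 0 when it fits.  In r100117,
   sizing_str was client_id while copied_str was cwd, so a cwd longer than
   the client id overflowed the heap block. */
size_t overflow_bytes (const char *sizing_str, const char *copied_str)
{
  size_t allocated = strlen (CHDIR_OPT) + strlen (sizing_str) + 1;
  size_t needed    = strlen (CHDIR_OPT) + strlen (copied_str) + 1;
  return needed > allocated ? needed - allocated : 0;
}

/* Build "CHDIR_OPT<cwd>" in a freshly malloc'd buffer.  prefix_len and
   cwd_len are computed once and reused for the allocation and both copies,
   so the size and the writes cannot disagree.  Returns NULL if malloc
   fails; the caller owns and frees the result. */
char *build_chdir_opt (const char *cwd)
{
  size_t prefix_len = strlen (CHDIR_OPT);
  size_t cwd_len = strlen (cwd);
  char *opt = malloc (prefix_len + cwd_len + 1);
  if (!opt)
    return NULL;
  memcpy (opt, CHDIR_OPT, prefix_len);
  memcpy (opt + prefix_len, cwd, cwd_len + 1);  /* cwd_len + 1 copies the NUL */
  return opt;
}

/* Helper for checking: 1 if build_chdir_opt (cwd) equals expected. */
int chdir_opt_equals (const char *cwd, const char *expected)
{
  char *opt = build_chdir_opt (cwd);
  int same = opt != NULL && strcmp (opt, expected) == 0;
  free (opt);
  return same;
}

int main (void)
{
  /* Constructed sample values: a short session client id and a long cwd. */
  const char *client_id = "10f5a3c2";
  const char *cwd = "/home/user/projects/emacs-trunk/src";

  printf ("r100117 sizing would be short by %zu bytes for this cwd\n",
          overflow_bytes (client_id, cwd));

  char *opt = build_chdir_opt (cwd);
  if (opt)
    {
      printf ("%s\n", opt);
      free (opt);
    }
  return 0;
}
```

Run against the constructed values, overflow_bytes() reports 27 bytes of overrun for the long path and 0 for a path shorter than the client id, which is exactly the directory-length dependence observed in the report.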