From: Sergei Litvin
Newsgroups: gmane.emacs.bugs
Subject: bug#24064: 24.5; NULL pointer dereference in compute_motion(), indent.c
Date: Mon, 25 Jul 2016 02:51:40 +0300
Message-ID: <18720133-6691-74c9-528f-3baee920b421@gmail.com>
To: 24064@debbugs.gnu.org

Package: emacs

Version: 24.5

struct position *
compute_motion (ptrdiff_t from, ptrdiff_t frombyte, EMACS_INT fromvpos,
                EMACS_INT fromhpos, bool did_motion, ptrdiff_t to,
                EMACS_INT tovpos, EMACS_INT tohpos, EMACS_INT width,
                ptrdiff_t hscroll, int tab_offset, struct window *win)
{

...

  if (dp == buffer_display_table ())
    width_table = (VECTORP (BVAR (current_buffer, width_table))
                   ? XVECTOR (BVAR (current_buffer, width_table))->contents
                   : 0);
  else
    /* If the window has its own display table, we can't use the width
       run cache, because that's based on the buffer's display table.  */
    width_table = 0; // initialize it with 0 (current buffer has no display table)

...

      if (width_cache)
        {
          /* Is this character part of the current run?  If so, extend
             the run.  */
          if (pos - 1 == width_run_end
              && XFASTINT (width_table[c]) == width_run_width) // dereference width_table here, and crash
            width_run_end = pos;
...


Sergei Litvin
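
Added illustration, not part of the original report and not Emacs source: a reduced C model of the condition described above, where the cache is present but width_table is NULL, beside a guarded form. The struct, function names and sample input are hypothetical, and the guard is one possible check, not necessarily the fix Emacs adopted.

```c
/* Added illustration: hypothetical names, not Emacs source.  */
#include <stdbool.h>
#include <stddef.h>

struct run_state
{
  const int *width_table; /* NULL when the buffer's table cannot be used */
  bool have_cache;        /* stands in for width_cache being non-NULL */
  ptrdiff_t run_end;      /* last position of the current width run */
  int run_width;          /* width shared by every character in the run */
};

/* Pattern from the report: tests the cache, then indexes the table.
   Crashes when have_cache is true and width_table is NULL.  */
bool
extend_run_unchecked (struct run_state *s, ptrdiff_t pos, unsigned char c)
{
  if (s->have_cache && pos - 1 == s->run_end
      && s->width_table[c] == s->run_width)
    { s->run_end = pos; return true; }
  return false;
}

/* Guarded form: the run is extended only when the table exists.  */
bool
extend_run_checked (struct run_state *s, ptrdiff_t pos, unsigned char c)
{
  if (s->have_cache && s->width_table && pos - 1 == s->run_end
      && s->width_table[c] == s->run_width)
    { s->run_end = pos; return true; }
  return false;
}

/* Constructed input: "ab\tc" with every width 1 except TAB (8).
   Returns how many positions the guarded check merged into the run.  */
int
demo_extended (bool with_table)
{
  static int table[256];
  for (int i = 0; i < 256; i++)
    table[i] = (i == '\t') ? 8 : 1;
  const unsigned char text[] = "ab\tc";
  struct run_state s = { with_table ? table : NULL, true, 0, 1 };
  int extended = 0;
  for (size_t i = 0; i < sizeof text - 1; i++)
    extended += extend_run_checked (&s, (ptrdiff_t) i + 1, text[i]);
  return extended;
}
```

With the table present the run covers the first two characters and stops at the TAB; with a NULL table the guarded check falls through to the slow path instead of dereferencing.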
