segfault crash when loading certain rmail files

segfault crash when loading certain rmail files

[Ulf Rehmann]

This bug report will be sent to the Free Software Foundation,
not to your local site managers!
Please write in English, because the Emacs maintainers do not have
translators to read other languages for them.

Your bug report will be posted to the bug-gnu-emacs@gnu.org mailing list,
and to the gnu.emacs.bug news group.

In GNU Emacs 21.2.1 (i386-debian-linux-gnu, X toolkit, Xaw3d scroll bars)
 of 2002-03-22 on raven, modified by Debian
configured using `configure  i386-debian-linux-gnu --prefix=/usr --sharedstatedir=/var/lib --libexecdir=/usr/lib --localstatedir=/var/lib --infodir=/usr/share/info --mandir=/usr/share/man --with-pop=yes --with-x=yes --with-x-toolkit=athena --without-gif'
Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: nil
  value of $LC_CTYPE: nil
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: C
  locale-coding-system: nil
  default-enable-multibyte-characters: t

Please describe exactly what actions triggered the bug
and the precise symptoms of the bug:

Emacs 21.2 crashes with segmentation fault when certain (big?)
gzipped RMAIL files are loaded with C-x C-f (find-file).

(Emacs 20.7 can handle the same RMAIL files with no problems.)

The crash happens when the "Automatic file de/compression" is toggled
on, and apparently only with some big files, that is, the compressed
file has a size of 7.8 MB and more. Smaller files can be loaded and
decompressed with no problems, it seems.

Emacs seems to decompress the file and then it crashes saying
"Segmentation fault".

If load the decompressed version of the RMAIL file is loaded, emacs 21
stays alive, also, if "Automatic file de/compression" ist toggled off
and the compressed file is loaded as it is.

Ulf Rehmann

Recent input:
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<menu-bar> <help-menu> <emacs-faq> <help-echo> <help-echo> 
<help-echo> <tool-bar> <Previous> <help-echo> <help-echo> 
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<help-echo> <help-echo> <menu-bar> <help-menu> <emacs-problems> 
<down-mouse-1> <mouse-1> <up> <up> <up> <up> <up> <up> 
<up> <up> <up> <up> <up> <up> <up> <up> <up> <up> <up> 
<up> <up> <up> <up> <up> <up> <up> <up> <up> <up> C-s 
r m a i l C-s C-s C-s C-s <help-echo> <help-echo> <help-echo> 
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<help-echo> <menu-bar> <help-menu> <report-emacs-bug> 
C-g <help-echo> <help-echo> <help-echo> <help-echo> 
<help-echo> <help-echo> <menu-bar> <help-menu> <re
port-emacs-bug>

Recent messages:
unzipping efaq.gz...done
unzipping efaq-1.gz...done
Composing main Info directory...
Mark set
Composing main Info directory...done
Loading view...done
Note: file is write protected
Type C-h for help, h for commands, q to quit.
Mark saved where search started
Loading emacsbug...done
byte-code: Quit

Re: segfault crash when loading certain rmail files

[Richard Stallman]

Can you make an Rmail file which triggers this bug
available by ftp for an Emacs developer to get so he
can reproduce and debug the problem?

Re: segfault crash when loading certain rmail files

[Ulf Rehmann]

I can try to set up an rmail file like that, but it might be not so
easy. Small files seem to work well, and the big stuff I have contains
lots of confidential material which I hesitate to give away...

Re: segfault crash when loading certain rmail files

[Ulf Rehmann]

 | Can you make an Rmail file which triggers this bug
 | available by ftp for an Emacs developer to get so he
 | can reproduce and debug the problem?


I now can make my report more precise: 

I do no longer claim that the crash depends on the size of the rmail
file.

The crash happens (for emacs 21.2) if the rmail file contains a
character of decimal value 128, if the rmail file is loaded
as a gzipped file with "automatic file de/compression" toggled "on".

The crash does not happen for emacs 20.7.

Please find below an rmail file, gzipped and encoded by uuencode,
which causes the crash.

Thanks for any help, and best regards,

Ulf Rehmann



begin 644 XX.gz
M'XL(".\W"ST``UA8`(V4WV_:,!#'GVOM?^A)?0&&30RD@:RJ6DK0J$I!!:9.
M51\<?&G<)3%*0E?>]J?/`4H[^FM)B$/LN_M\[\[IG'9^7L!P-.D/+\<NT`J%
M-!8J*I[(#TPSI1,7;'(A?(PREUSJ'%T`F(0J`W/E(4*(0F(*.@"1;*P#%2';
M+NX'L-0+$"E"AJB2.U`YJ,W:ZG99\39&D:R]%BX@%!DDVKS-,G&'66&D<D8&
MQLZ%VH-(:]E<ZZA6.*JE&,8B2<C^%V)5`:7*45:K9+R(8Y$N::02$X;;]'R1
M`.3:A8W!22Q,0'-3O]C43-WP^BT<Y)CEI%*I@#<<?@?S0*[IF9:&GHZ768ZQ
M"XM$XDQ)E'21J,<5%0U2;69ZYOZ6>[..^@HC##"23"*,10X%#[>!-]QFT^46
MU"VK3KSD`2,]1_H2--(S$87:@%WA#-4#2A>*@+"=@)*A=YAE3GY;)GO^$B0*
MMDB+8+]5'@)F<3Z'DO>H8FBPA@T''$I=])5(RL9`2>#.>6<YI99E-6UE!K(7
MZ!2.7D$<?ROPJP5[(:'`?A;QU3+_=S'O%W-3E)0-7B9<T<XV(UVOR'Z;.0:_
MR9JMVY6"9W4K!:/AJ`&E`/-96-2=VJS-."^O,5]10BDS-8N0RE3/RY\B0^G,
M&T_*N^3/22S-;:M5/^WT.DRJ.<NI5,*T%DLPAYN6X6Z8G\-9W7XJ@*]U_*'D
M4HMQ8U1;#^6U2F\\F(S`E./.[G7"Y-1R'+N^4XH/.NN]XIBK_:1TX$V@^X;8
MC7MXW3RKK'[>/,ZZ>:09WL=P-CTR>6\G_ILELX_]>YSE+JQVYF#]2:!]`WWD
M[48]V7(?D]YJ1TZC`*XVNOXK?Z0KBL_29_37=-KO7KC0;G/GL-GT_4..#F_-
?I!/,?%''1EVT>(L'A)"):2SX0XIC_R]&'5ZC>`4`````
`
end

Re: segfault crash when loading certain rmail files

[Ulf Rehmann]

 | Can you make an Rmail file which triggers this bug
 | available by ftp for an Emacs developer to get so he
 | can reproduce and debug the problem?

I turned out that the crash can be triggered, for emacs 21.2, by
loading any file just containing the character (decimal) 128, if this
file is gzipped and visited by find-file and if "automatic file
de/compression" is toggled "on".

No crash with emacs 20.7.

Ulf Rehmann

Re: segfault crash when loading certain rmail files

[Kenichi Handa]

Ulf Rehmann <rehmann@mathematik.uni-bielefeld.de> writes:
> I turned out that the crash can be triggered, for emacs 21.2, by
> loading any file just containing the character (decimal) 128, if this
> file is gzipped and visited by find-file and if "automatic file
> de/compression" is toggled "on".

> No crash with emacs 20.7.

Thank you for the report.  The following change will fix the
problem.

(1) Fix Fcall_process (in callproc.c).

We have this code at line 786.

	      repeat_decoding:
		size = decoding_buffer_size (&process_coding, nread);
		decoding_buf = (char *) xmalloc (size);
		
		if (process_coding.cmp_data)
		  process_coding.cmp_data->char_offset = PT;
		
		decode_coding (&process_coding, bufptr, decoding_buf,
			       nread, size);

Before we check process_coding.cmp_data, if process_coding
requires detection (we have the macro
CODING_REQUIRED_DETECTION for checking it), we must call
detect_coding.  And, if the resulting
process_coding.composing is not COMPOSITION_DISABLED, we
must allocate a memory for handling composition data (we
have the function coding_allocate_composition_data, the
second arg must be PT).

(2) Fix detect_eol (in coding.c).

We have this code at 4316

  if (VECTORP (val) && XVECTOR (val)->size == 3)
    {
      int src_multibyte = coding->src_multibyte;
      int dst_multibyte = coding->dst_multibyte;

      setup_coding_system (XVECTOR (val)->contents[eol_type], coding);
      coding->src_multibyte = src_multibyte;
      coding->dst_multibyte = dst_multibyte;
      coding->heading_ascii = skip;
    }

The value of coding->cmp_data must be saved before calling
setup_coding_system and restored after the call.


And, we potentially have the same kind of problem in the
following places (where, decode_coding is called directly).

w16select.c:663:      decode_coding (&coding, htext, buf, truelen, bufsize);
w32fns.c:6688:  decode_coding (&coding, lplogfont->lfFaceName, fontname,
w32select.c:335:	decode_coding (&coding, src, buf, nbytes, bufsize);
xselect.c:1651:	  decode_coding (&coding, data, buf, size, bufsize);
xterm.c:10688:			    decode_coding (&coding, copy_bufptr, p,

Fortunetly, for all those case, we can simply diable
composition handling by setting the member `composing' of
`struct coding_system' to COMPOSITION_DIABLED.  For example,
in the case of xselect.c, before calling decode_coding at
the line 335, what we need is to set coding.composing to
COMPOSITION_DIABLED.

Could someone please install a fix?  I'll verify the result.

---
Ken'ichi HANDA
handa@etl.go.jp

Re: segfault crash when loading certain rmail files

[Kenichi Handa]

I finally got a permission to contribute code again for
Emacs 21!

So, I can work on the following matter by myself.  If any of
you have already started to work on it, please let me know.

---
Ken'ichi HANDA
handa@etl.go.jp

Kenichi Handa <handa@etl.go.jp> writes:

> Ulf Rehmann <rehmann@mathematik.uni-bielefeld.de> writes:
>>  I turned out that the crash can be triggered, for emacs 21.2, by
>>  loading any file just containing the character (decimal) 128, if this
>>  file is gzipped and visited by find-file and if "automatic file
>>  de/compression" is toggled "on".

>>  No crash with emacs 20.7.

> Thank you for the report.  The following change will fix the
> problem.

> (1) Fix Fcall_process (in callproc.c).

> We have this code at line 786.

> 	      repeat_decoding:
> 		size = decoding_buffer_size (&process_coding, nread);
> 		decoding_buf = (char *) xmalloc (size);
		
> 		if (process_coding.cmp_data)
process_coding.cmp_data-> char_offset = PT;
		
> 		decode_coding (&process_coding, bufptr, decoding_buf,
> 			       nread, size);

> Before we check process_coding.cmp_data, if process_coding
> requires detection (we have the macro
> CODING_REQUIRED_DETECTION for checking it), we must call
> detect_coding.  And, if the resulting
> process_coding.composing is not COMPOSITION_DISABLED, we
> must allocate a memory for handling composition data (we
> have the function coding_allocate_composition_data, the
> second arg must be PT).

> (2) Fix detect_eol (in coding.c).

> We have this code at 4316

>   if (VECTORP (val) && XVECTOR (val)->size == 3)
>     {
>       int src_multibyte = coding->src_multibyte;
>       int dst_multibyte = coding->dst_multibyte;

>       setup_coding_system (XVECTOR (val)->contents[eol_type], coding);
coding-> src_multibyte = src_multibyte;
coding-> dst_multibyte = dst_multibyte;
coding-> heading_ascii = skip;
>     }

> The value of coding->cmp_data must be saved before calling
> setup_coding_system and restored after the call.


> And, we potentially have the same kind of problem in the
> following places (where, decode_coding is called directly).

> w16select.c:663:      decode_coding (&coding, htext, buf, truelen, bufsize);
> w32fns.c:6688:  decode_coding (&coding, lplogfont->lfFaceName, fontname,
> w32select.c:335:	decode_coding (&coding, src, buf, nbytes, bufsize);
> xselect.c:1651:	  decode_coding (&coding, data, buf, size, bufsize);
> xterm.c:10688:			    decode_coding (&coding, copy_bufptr, p,

> Fortunetly, for all those case, we can simply diable
> composition handling by setting the member `composing' of
> `struct coding_system' to COMPOSITION_DIABLED.  For example,
> in the case of xselect.c, before calling decode_coding at
> the line 335, what we need is to set coding.composing to
> COMPOSITION_DIABLED.

> Could someone please install a fix?  I'll verify the result.

> ---
> Ken'ichi HANDA
> handa@etl.go.jp


> _______________________________________________
> Emacs-devel mailing list
> Emacs-devel@gnu.org
> http://mail.gnu.org/mailman/listinfo/emacs-devel

Re: segfault crash when loading certain rmail files

[Richard Stallman]

    I finally got a permission to contribute code again for
    Emacs 21!

Hooray!

Re: segfault crash when loading certain rmail files

[Kenichi Handa]

Kenichi Handa <handa@etl.go.jp> writes:
> So, I can work on the following matter by myself.  If any of
> you have already started to work on it, please let me know.

I've just installed a fix in HEAD branch.

I think this fix should also be installed in RC.  Shall I do
that?

---
Ken'ichi HANDA
handa@etl.go.jp

Re: segfault crash when loading certain rmail files

[Richard Stallman]

    I think this fix should also be installed in RC.  Shall I do
    that?

If it seems safe to you, please install it in RC.

Re: segfault crash when loading certain rmail files

[Kenichi Handa]

Richard Stallman <rms@gnu.org> writes:
>     I think this fix should also be installed in RC.  Shall I do
>     that?

> If it seems safe to you, please install it in RC.

Done.

---
Ken'ichi HANDA
handa@etl.go.jp