From: Paul Eggert
Newsgroups: gmane.emacs.bugs
Subject: bug#9496: 24.0.50; Segfault on TAB-only composition
Date: Fri, 03 Feb 2012 11:28:29 -0800
Organization: UCLA Computer Science Department
Message-ID: <4F2C355D.6020302@cs.ucla.edu>
References: <8739g0tcp5.fsf@gnu.org>
To: 9496@debbugs.gnu.org

When a fix for this was merged into the trunk I noticed a problem
from the trunk's point of view: the fix introduced the possibility
of an unchecked integer overflow which would cause character widths
to go negative and could cause real problems later.  I installed this
further fix to the trunk:

Handle overflow when computing char display width (Bug#9496).
* character.c (char_width): Return EMACS_INT, not int.
(char_width, c_string_width): Check for overflow when computing
the width; this is possible now that individual characters can
have unbounded width.  Problem introduced by merge from Emacs 23
on 2012-01-19.

=== modified file 'src/character.c' --- src/character.c 2012-01-19 07:21:25 +0000 +++ src/character.c 2012-02-03 19:19:42 +0000 @@ -311,10 +311,10 @@ /* Return width (columns) of C considering the buffer display table DP. */ -static int +static EMACS_INT char_width (int c, struct Lisp_Char_Table *dp) { - int width = CHAR_WIDTH (c); + EMACS_INT width = CHAR_WIDTH (c); if (dp) { @@ -326,7 +326,12 @@ { ch = AREF (disp, i); if (CHARACTERP (ch)) - width += CHAR_WIDTH (XFASTINT (ch)); + { + int w = CHAR_WIDTH (XFASTINT (ch)); + if (INT_ADD_OVERFLOW (width, w)) + string_overflow (); + width += w; + } } } return width; @@ -340,7 +345,8 @@ usage: (char-width CHAR) */) (Lisp_Object ch) { - int c, width; + int c; + EMACS_INT width; CHECK_CHARACTER (ch); c = XINT (ch); 
@@ -367,10 +373,14 @@ { int bytes; int c = STRING_CHAR_AND_LENGTH (str + i_byte, bytes); - int thiswidth = char_width (c, dp); + EMACS_INT thiswidth = char_width (c, dp); - if (precision > 0 - && (width + thiswidth > precision)) + if (precision <= 0) + { + if (INT_ADD_OVERFLOW (width, thiswidth)) + string_overflow (); + } + else if (precision - width < thiswidth) { *nchars = i; *nbytes = i_byte;
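
Review bot: In the @@ -311,10 +311,10 @@ hunk, widening the return type of char_width from int to EMACS_INT only helps if every caller receives the result in an EMACS_INT. The patch updates the two receivers visible here (`width` in the function documented as (char-width CHAR), and `thiswidth` in the @@ -367,10 +373,14 @@ hunk); any other call site in character.c that still assigns the result to an int would truncate silently and bring back the negative widths the message describes. Please check the remaining callers, and consider extending the comment above the function to say that the result can exceed the int range when DP is non-null.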
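
Review bot: In the @@ -326,7 +326,12 @@ hunk, the new check calls string_overflow () from inside char_width, which is also reached from (char-width CHAR) where no string is involved, so the error reported to the user may not describe the actual cause; a short comment at the call, or a more specific signal, would help. Also, `int w = CHAR_WIDTH (XFASTINT (ch));` keeps the per-element width in an int while the accumulator is now EMACS_INT. That is fine as long as a single CHAR_WIDTH result always fits in int, but since the log entry says widths can now be unbounded, a one-line comment stating that only the sum is unbounded would remove the doubt.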
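
Review bot: In the @@ -367,10 +373,14 @@ hunk, `else if (precision - width < thiswidth)` avoids overflow only if `width` is never negative and never exceeds `precision` when the test runs, and neither declaration is visible in the hunk. Please confirm that `width` and `precision` are at least as wide as `thiswidth` (now EMACS_INT), and add a comment saying the subtraction form is deliberate, otherwise a later cleanup may turn it back into `width + thiswidth > precision`. The same applies to the `precision <= 0` branch: INT_ADD_OVERFLOW (width, thiswidth) is evaluated in the promoted type of its two operands, so if `width` were narrower than EMACS_INT the check could pass and the addition that follows could still overflow `width`.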