From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Eli Zaretskii <eliz@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#43499: 27.1;
 It is possible for (forward-comment -1) to crash emacs
Date: Sat, 19 Sep 2020 12:08:51 +0300
Message-ID: <83pn6i2kws.fsf@gnu.org>
References: <fdpn6i5zhu.fsf@norden.tntech.edu>
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="21065"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: 43499@debbugs.gnu.org
To: Jeff Norden <jnorden@tntech.edu>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Sat Sep 19 11:09:12 2020
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1kJYro-0005Mv-0i
	for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 19 Sep 2020 11:09:12 +0200
Original-Received: from localhost ([::1]:41846 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1kJYrn-00021r-2V
	for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 19 Sep 2020 05:09:11 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:39786)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1kJYre-00021C-Lu
 for bug-gnu-emacs@gnu.org; Sat, 19 Sep 2020 05:09:03 -0400
Original-Received: from debbugs.gnu.org ([209.51.188.43]:34093)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1kJYre-0001Uv-CY
 for bug-gnu-emacs@gnu.org; Sat, 19 Sep 2020 05:09:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1kJYre-0003X5-80
 for bug-gnu-emacs@gnu.org; Sat, 19 Sep 2020 05:09:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Eli Zaretskii <eliz@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sat, 19 Sep 2020 09:09:02 +0000
Resent-Message-ID: <handler.43499.B43499.160050652513550@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 43499
X-GNU-PR-Package: emacs
Original-Received: via spool by 43499-submit@debbugs.gnu.org id=B43499.160050652513550
 (code B ref 43499); Sat, 19 Sep 2020 09:09:02 +0000
Original-Received: (at 43499) by debbugs.gnu.org; 19 Sep 2020 09:08:45 +0000
Original-Received: from localhost ([127.0.0.1]:45639 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1kJYrN-0003WT-4z
 for submit@debbugs.gnu.org; Sat, 19 Sep 2020 05:08:45 -0400
Original-Received: from eggs.gnu.org ([209.51.188.92]:32948)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@gnu.org>) id 1kJYrL-0003WE-KI
 for 43499@debbugs.gnu.org; Sat, 19 Sep 2020 05:08:43 -0400
Original-Received: from fencepost.gnu.org ([2001:470:142:3::e]:41941)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <eliz@gnu.org>)
 id 1kJYrE-0001UG-CJ; Sat, 19 Sep 2020 05:08:36 -0400
Original-Received: from [176.228.60.248] (port=4651 helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <eliz@gnu.org>)
 id 1kJYrD-0003p8-I8; Sat, 19 Sep 2020 05:08:36 -0400
In-Reply-To: <fdpn6i5zhu.fsf@norden.tntech.edu> (message from Jeff Norden on
 Fri, 18 Sep 2020 20:25:33 -0500)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: "bug-gnu-emacs"
 <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.bugs:188371
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/188371>

> From: Jeff Norden <jnorden@tntech.edu>
> Date: Fri, 18 Sep 2020 20:25:33 -0500
> 
> In an unusual circumstance, (forward-comment -1) can move the point before the
> accessible buffer text.  This can even result in the point becoming negative.
> In the worst-case scenario, emacs becomes completely unresponsive, and it
> might even be necessary to reboot the computer.

Thanks.  In my case, I get a segfault in DEC_BOTH (because it attempts
to dereference a pointer outside of buffer text).

> The loop should, I think, be changed to the following.  The only change is how
> from and stop are compared.
> 
>               while (from > stop)
>                 {
>                   DEC_BOTH (from, from_byte);
>                   UPDATE_SYNTAX_TABLE_BACKWARD (from);
>                   c = FETCH_CHAR_AS_MULTIBYTE (from_byte);
>                   if (SYNTAX (c) == Scomment_fence
>                       && !char_quoted (from, from_byte))
>                     {
>                       fence_found = 1;
>                       break;
>                     }
>                   rarely_quit (++quit_count);
>                 }

Thanks.  I propose a slightly different change below.  I think it's
somewhat better, because it does the comparison only once, and the
while loop can then run at full speed without testing on each
iteration.  (It looks like a large change, but almost all of it is
just whitespace changes due to re-indentation of the loop.)  Do you
agree?

diff --git a/src/syntax.c b/src/syntax.c
index a79ab86..e8b32f5 100644
--- a/src/syntax.c
+++ b/src/syntax.c
@@ -2545,20 +2545,23 @@ DEFUN ("forward-comment", Fforward_comment, Sforward_comment, 1, 1, 0,
 	      bool fence_found = 0;
 	      ptrdiff_t ini = from, ini_byte = from_byte;
 
-	      while (1)
+	      if (from > stop)
 		{
-		  DEC_BOTH (from, from_byte);
-		  UPDATE_SYNTAX_TABLE_BACKWARD (from);
-		  c = FETCH_CHAR_AS_MULTIBYTE (from_byte);
-		  if (SYNTAX (c) == Scomment_fence
-		      && !char_quoted (from, from_byte))
+		  while (1)
 		    {
-		      fence_found = 1;
-		      break;
+		      DEC_BOTH (from, from_byte);
+		      UPDATE_SYNTAX_TABLE_BACKWARD (from);
+		      c = FETCH_CHAR_AS_MULTIBYTE (from_byte);
+		      if (SYNTAX (c) == Scomment_fence
+			  && !char_quoted (from, from_byte))
+			{
+			  fence_found = 1;
+			  break;
+			}
+		      else if (from == stop)
+			break;
+		      rarely_quit (++quit_count);
 		    }
-		  else if (from == stop)
-		    break;
-		  rarely_quit (++quit_count);
 		}
 	      if (fence_found == 0)
 		{