From: Tino Calancha
Newsgroups: gmane.emacs.bugs
Subject: bug#35576: 27.0.50; Emacs crash when reads an integer with radix > 36
Date: Sun, 05 May 2019 20:37:08 +0900
Message-ID: <87d0kxw2sb.fsf@calancha-pc.dy.bbexcite.jp>
To: 35576@debbugs.gnu.org

emacs -Q:
;; Emacs crashes when you eval the following form
M-: #37r1
;; Expected: you get the error:
;; Invalid read syntax: "integer, radix 37"

In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.22.11)
 of 2019-05-05
Windowing system distributor 'The X.Org Foundation', version 11.0.11902000
System Description: Debian GNU/Linux 9 (stretch)

--8<-----------------------------cut here---------------start------------->8---
commit c5ffba787a10f80d17a0ebc7fc7e1fb0f754843d
Author: Tino Calancha
Date:   Sun May 5 20:24:03 2019 +0900

    src/lread.c (read_integer): Prevent from accessing a null buffer

diff --git a/src/lread.c b/src/lread.c index 1c97805ca7..810e24d614 100644 --- a/src/lread.c +++ b/src/lread.c @@ -2660,19 +2660,17 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix) Also, room for invalid syntax diagnostic. */ size_t len = max (1 + 1 + UINTMAX_WIDTH + 1, sizeof "integer, radix " + INT_STRLEN_BOUND (EMACS_INT)); - char *buf = NULL; + char *buf = xmalloc (len); char *p = buf; int valid = -1; /* 1 if valid, 0 if not, -1 if incomplete. */ ptrdiff_t count = SPECPDL_INDEX (); - if (radix < 2 || radix > 36) valid = 0; else { int c, digit; - buf = xmalloc (len); record_unwind_protect_ptr (free_contents, &buf); p = buf; 
@@ -2718,8 +2716,10 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix) if (valid != 1) { - sprintf (buf, "integer, radix %"pI"d", radix); - invalid_syntax (buf); + xfree (buf); + char str[len]; + sprintf (str, "integer, radix %"pI"d", radix); + invalid_syntax (str); } *p = '\0'; --8<-----------------------------cut here---------------end--------------->8---
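
Review bot: In the first hunk, `char *buf = xmalloc (len);` now allocates before the radix check, but `record_unwind_protect_ptr (free_contents, &buf);` is still registered only inside the `else` branch, so on the `radix < 2 || radix > 36` path the allocation has no unwind protection and exists only to hold the diagnostic string. Consider leaving `char *buf = NULL;` and the `xmalloc` in the `else` branch and formatting the "integer, radix" message into a separate buffer, which removes the write through NULL without adding an allocation to the error path. If the early allocation stays, the `p = buf;` kept as context in the `else` branch duplicates the initializer `char *p = buf;` and can go.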
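
Review bot: In the second hunk, `xfree (buf);` leaves `buf` holding the freed pointer while the handler registered by `record_unwind_protect_ptr (free_contents, &buf);` in the first hunk is still pending on the valid-radix path; if `free_contents` frees the pointer stored in `buf` when `invalid_syntax (str);` unwinds, an input with an accepted radix but no valid digits frees the same block twice. Either set `buf = NULL;` right after the `xfree`, or drop the explicit free and let the unwind handler own the buffer. Separately, `char str[len];` is a variable-length array because `len` is a `size_t` variable; an array sized by `sizeof "integer, radix " + INT_STRLEN_BOUND (EMACS_INT)` is enough for this message and keeps the stack use fixed.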