From: Jason Gibson
Newsgroups: gmane.emacs.bugs
Subject: bug#40913: 24.5; Crash on open of file
Date: Tue, 28 Apr 2020 10:40:39 -0700
Message-ID: <87ftcnh5k8.fsf@perforce.com>
References: <87lfmghazg.fsf@perforce.com> <83d07s2ddt.fsf@gnu.org> <87imhjh7sg.fsf@perforce.com> <83v9lj1pms.fsf@gnu.org>
To: Eli Zaretskii
Cc: 40913-done@debbugs.gnu.org

>> Since this would seem to be a good vector for remote buffer overflow, it
>> might make sense to backport this to prior releases.
>
> There's no practical way for us to do so, since we do not intend to
> put out any new releases of Emacs before 27. Emacs 27.1 will be
> released soon, and this problem will be fixed there.
>
> It is also worth noting that the use case where this bug can rear its
> ugly head is quite rare. Most sequences of composed characters are
> very short, and the way we allocate the buffers for them always
> allocates more than strictly needed, which is why this bug, although
> blatant, went unnoticed for a very long time. You just happened to
> hit a file which (being in fact just a stream of binary bytes) looked
> to Emacs as a long sequence of characters all of which should be
> composed, and that sequence overflowed the allocated buffer by many
> hundreds of bytes, thus triggering memory corruption.

Sounds good, thanks for the explanations.
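Added illustration, not part of the message above and not Emacs source: a small C model of the failure mode described in the quoted explanation, where slack in the allocation hides a missing bounds check until an unusually long composed run arrives. All names and sizes (`glyph_buf`, `EXPECTED_GLYPHS`, `SLACK`) are hypothetical; the append shown is the checked form, and `unchecked_overrun` only computes how far an unchecked writer would have gone.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical sizes: a typical composed run plus the allocator's slack. */
enum { EXPECTED_GLYPHS = 8, SLACK = 8 };

struct glyph_buf { unsigned *data; size_t used, cap; };

static int gb_init(struct glyph_buf *b) {
    b->used = 0;
    b->cap = EXPECTED_GLYPHS + SLACK;
    b->data = malloc(b->cap * sizeof *b->data);
    return b->data ? 0 : -1;
}

/* Checked append: grow before the write instead of trusting the slack. */
static int gb_push(struct glyph_buf *b, unsigned glyph) {
    if (b->used == b->cap) {
        if (b->cap > SIZE_MAX / (2 * sizeof *b->data)) return -1;
        unsigned *p = realloc(b->data, 2 * b->cap * sizeof *p);
        if (!p) return -1;
        b->data = p;
        b->cap *= 2;
    }
    b->data[b->used++] = glyph;
    return 0;
}

/* Elements an unchecked writer would place past the initial allocation. */
static size_t unchecked_overrun(size_t run_len) {
    size_t cap = EXPECTED_GLYPHS + SLACK;
    return run_len > cap ? run_len - cap : 0;
}

/* Treat every input byte as one composed glyph, as with the binary file. */
static long compose_run(struct glyph_buf *b, const unsigned char *in, size_t n) {
    if (gb_init(b) != 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (gb_push(b, in[i]) != 0) { free(b->data); b->data = NULL; return -1; }
    return (long)b->used;
}

int main(void) {
    unsigned char raw[600] = {0};            /* constructed sample input */
    struct glyph_buf b;
    long n = compose_run(&b, raw, sizeof raw);
    printf("stored=%ld unchecked overrun=%zu\n", n, unchecked_overrun(sizeof raw));
    free(b.data);
    return n == 600 ? 0 : 1;
}
```

Short runs never reach the capacity check, which is why testing on ordinary text would not expose an unchecked version of `gb_push`.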