From: "Ami Fischman"
Newsgroups: gmane.emacs.devel
Subject: PATCH: fix for memory corruption and eventual crash in print.c
Date: Sat, 5 Jul 2008 21:11:14 -0700
To: emacs-devel@gnu.org

src/print.c:print_object() has this code:

   1570       if (NILP (Vprint_circle) && NILP (Vprint_gensym))
[...]
   1581           being_printed[print_depth] = obj;
[...]
   1611   print_depth++;
   1612
   1613   /* See similar code in print_preprocess.  */
   1614   if (print_depth > PRINT_CIRCLE)
   1615     error ("Apparently circular structure being printed");

Note that being_printed[print_depth] is assigned to /before/ print_depth is checked for exceeding PRINT_CIRCLE (the declared size of being_printed).  Here's a snippet of elisp that exhibits the bug:

(let ((print-circle nil)
      (i 0))
  (require 'cl)
  (setq x '(a b))
  (while (< i 200)
    (incf i)
    (setq x `(,x)))
  (prin1-to-string x))

This errors with "Apparently circular structure being printed".  So far so good.  Now evaling:
(prin1-to-string "hello")
errors with "Lisp nesting exceeds `max-lisp-eval-depth`" even though it should be an easy thing to print!

Groveling with gdb shows that Vprin1_to_string_buffer gets overwritten during the deep prin1 because of the bug above and instead of pointing at the " prin1" buffer it has a value that pp's as a long chain of "[[[[[["'s and errors out before completing the pretty-print.

Moving the guard check on print_depth above the assignment (and changing > to >= because it's now above the print_depth++) makes the first elisp snippet innocuous - eval'ing it still errors out about the apparently circular structure, but subsequent prin1-to-string's work just fine.

Patch attached.

FWIW, I discovered the bug because using emacs-jabber was making my emacs sessions unstable (at some point random standard elisp functions would start failing).  It turned out that one of its variables (jabber-connections) has a deeply-enough nested component that this bug is triggered if it is prin1'd.

Cheers,
-a
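The ordering problem described in the message above, as an added example that is not Emacs's own code: a small C model of print_object()'s depth guard with the pre-patch ordering (store into being_printed, increment print_depth, then check with `>`) beside the patched ordering (check with `>=`, then store). The names PRINT_CIRCLE, being_printed and print_depth come from the message; struct obj, the instrumented store_being_printed(), the `#n` scan and the return codes are constructed for this illustration. The store is instrumented so that an out-of-range index is counted and refused instead of corrupting whatever follows the array, which is what clobbered Vprin1_to_string_buffer in the real crash. The model goes slightly beyond the message by also running the boundary case of exactly PRINT_CIRCLE levels and a genuine cycle, to confirm that the moved check errors at the same nesting depth as before and leaves the truncation path intact.

```c
/* Added example, not code from Emacs: a model of the print_object() depth
   guard, before and after the patch.  Everything except the three names
   PRINT_CIRCLE, being_printed and print_depth is constructed here. */
#include <stddef.h>
#include <stdio.h>

#define PRINT_CIRCLE 200   /* declared size of being_printed, as in print.c */

/* Minimal object graph: each node wraps one inner node, like the `(,x)'
   chain the elisp reproducer builds.  A cycle is a node whose inner
   pointer eventually leads back to an ancestor. */
struct obj { const struct obj *inner; };

static const struct obj *being_printed[PRINT_CIRCLE];
static int print_depth;
static int oob_store_attempts;   /* stores that fell outside the array */

enum { BAD_INPUT = -1, PRINTED = 0, TRUNCATED = 1, ERR_CIRCULAR = 2 };

/* Instrumented stand-in for `being_printed[print_depth] = obj'.  An
   out-of-range index is counted and refused, so the model stays
   memory-safe while still revealing whether the ordering under test
   would have written past the end of the array. */
static void store_being_printed(int idx, const struct obj *obj) {
    if (idx < 0 || idx >= PRINT_CIRCLE) { oob_store_attempts++; return; }
    being_printed[idx] = obj;
}

/* The `#n' truncation scan: obj is already on the stack being printed. */
static int already_being_printed(const struct obj *obj) {
    for (int i = 0; i < print_depth; i++)
        if (being_printed[i] == obj) return 1;
    return 0;
}

/* Pre-patch ordering from the message: store (line 1581), increment
   (line 1611), then check with `>' (line 1614).  At depth PRINT_CIRCLE
   the store happens one past the end before the check fires.  Like
   error() in print.c, the error path does not unwind print_depth;
   print_top() resets it. */
static int print_object_before(const struct obj *obj) {
    if (already_being_printed(obj)) return TRUNCATED;
    store_being_printed(print_depth, obj);
    print_depth++;
    if (print_depth > PRINT_CIRCLE) return ERR_CIRCULAR;
    int r = obj->inner ? print_object_before(obj->inner) : PRINTED;
    print_depth--;
    return r;
}

/* Patched ordering: check first with `>=' (print_depth is the index the
   store is about to use), then scan, store and increment. */
static int print_object_after(const struct obj *obj) {
    if (print_depth >= PRINT_CIRCLE) return ERR_CIRCULAR;
    if (already_being_printed(obj)) return TRUNCATED;
    store_being_printed(print_depth, obj);
    print_depth++;
    int r = obj->inner ? print_object_after(obj->inner) : PRINTED;
    print_depth--;
    return r;
}

/* Top-level entry, like print(): reset the counters, then descend. */
static int print_top(const struct obj *obj, int (*variant)(const struct obj *)) {
    print_depth = 0;
    oob_store_attempts = 0;
    return variant(obj);
}

struct outcome { int result; int oob_attempts; };

/* Build a chain of `levels' nested nodes (nodes[0] outermost) and print it
   with the chosen variant, reporting the outcome and any out-of-bounds store. */
static struct outcome run_chain(int levels, int fixed) {
    static struct obj nodes[PRINT_CIRCLE + 2];   /* constructed capacity */
    struct outcome o = { BAD_INPUT, 0 };
    if (levels < 1 || levels > (int)(sizeof nodes / sizeof nodes[0])) return o;
    for (int i = 0; i < levels; i++)
        nodes[i].inner = (i + 1 < levels) ? &nodes[i + 1] : NULL;
    o.result = print_top(&nodes[0], fixed ? print_object_after : print_object_before);
    o.oob_attempts = oob_store_attempts;
    return o;
}

/* A true two-node cycle (a -> b -> a), which the `#n' scan must truncate. */
static struct outcome run_cycle(int fixed) {
    static struct obj ring[2];
    struct outcome o;
    ring[0].inner = &ring[1];
    ring[1].inner = &ring[0];
    o.result = print_top(&ring[0], fixed ? print_object_after : print_object_before);
    o.oob_attempts = oob_store_attempts;
    return o;
}

int main(void) {
    struct outcome b = run_chain(PRINT_CIRCLE + 1, 0);
    struct outcome a = run_chain(PRINT_CIRCLE + 1, 1);
    printf("before patch: result=%d out-of-bounds stores=%d\n", b.result, b.oob_attempts);
    printf("after patch:  result=%d out-of-bounds stores=%d\n", a.result, a.oob_attempts);
    return 0;
}
```

Compiled with `cc -std=c99`, the program shows that with PRINT_CIRCLE + 1 levels both variants report the circular-structure error, but only the pre-patch ordering attempts a store at index PRINT_CIRCLE first; with exactly PRINT_CIRCLE levels both print successfully, so the `>=` placed before the increment is the same limit the old `>` after the increment enforced.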
[Attachment: prin1.patch (text/x-patch), decoded from base64]

diff --git a/src/print.c b/src/print.c
index 8fac266..b9d2e12 100644
--- a/src/print.c
+++ b/src/print.c
@@ -1560,6 +1560,10 @@ print_object (obj, printcharfun, escapeflag)
 
   QUIT;
 
+  /* See similar code in print_preprocess.  */
+  if (print_depth >= PRINT_CIRCLE)
+    error ("Apparently circular structure being printed");
+
   /* Detect circularities and truncate them.  */
   if (STRINGP (obj) || CONSP (obj) || VECTORP (obj)
       || COMPILEDP (obj) || CHAR_TABLE_P (obj) || SUB_CHAR_TABLE_P (obj)
@@ -1610,9 +1614,6 @@ print_object (obj, printcharfun, escapeflag)
 
   print_depth++;
 
-  /* See similar code in print_preprocess.  */
-  if (print_depth > PRINT_CIRCLE)
-    error ("Apparently circular structure being printed");
 #ifdef MAX_PRINT_CHARS
   if (max_print && print_chars > max_print)
     {
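Review bot: in the first hunk, `>=` is the correct comparison for the relocated guard because print_depth is the index the later store into being_printed will use, and since the old check compared the post-increment value with `>`, the error still triggers at the same nesting depth, so the only behavioural change is that the out-of-bounds store no longer happens; the comment on the added lines, though, only says "See similar code in print_preprocess", and it would be worth adding a sentence that the check must stay ahead of the `being_printed[print_depth] = obj` store, so a later reordering does not quietly reintroduce the bug.

Review bot: no src/ChangeLog entry accompanies the removal in the second hunk (or the addition in the first), and Emacs requires one for a change to src/print.c; please add an entry naming print_object and saying that the depth check was moved before the store into being_printed. The removal itself is the expected counterpart of the first hunk and leaves `print_depth++;` followed by the blank line and `#ifdef MAX_PRINT_CHARS`, which reads fine.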