From: Stefan Monnier
Newsgroups: gmane.emacs.bugs
Subject: bug#6149: 24.0.50; shell buffer overflow when input longer than 4096 bytes
Date: Mon, 31 May 2010 21:50:37 -0400
References: <87aas81jgh.fsf@jidanni.org>
To: jidanni@jidanni.org
Cc: 6149@debbugs.gnu.org

>>>>> "jidanni" == jidanni writes:

> This is a serious bug in M-x shell. It is not a bash or dash bug. It is
> not a readline bug. It does not happen in xterm. It does not happen when
> using pipes or backticks to get the input. It only happens in M-x
> shell... when one gives lines longer than ~4096 characters.

> Actually it is not buffer overflow, but buffer truncation, with NO
> WARNING to the user. One day the wrong file will get removed via this
> mess.

> In GNU Emacs 24.0.50.1 (i486-pc-linux-gnu, GTK+ Version 2.20.0)
> of 2010-05-01 on elegiac, modified by Debian
> (emacs-snapshot package, version 1:20100501-1)

Thanks for this nice test case. It appears it was a silly mistake (code
placed in the wrong side of a #if). I've installed the patch below
which should fix it,

Stefan

=== modified file 'src/sysdep.c' --- src/sysdep.c 2010-05-04 07:40:53 +0000 +++ src/sysdep.c 2010-06-01 01:40:00 +0000 @@ -537,15 +537,6 @@ s.main.c_cflag = (s.main.c_cflag & ~CBAUD) | B9600; /* baud rate sanity */ #endif /* AIX */ -#else /* not HAVE_TERMIO */ - - s.main.sg_flags &= ~(ECHO | CRMOD | ANYP | ALLDELAY | RAW | LCASE - | CBREAK | TANDEM); - s.main.sg_flags |= LPASS8; - s.main.sg_erase = 0377; - s.main.sg_kill = 0377; - s.lmode = LLITOUT | s.lmode; /* Don't strip 8th bit */ - /* We used to enable ICANON (and set VEOF to 04), but this leads to problems where process.c wants to send EOFs every once in a while to force the output, which leads to weird effects when the @@ -558,6 +549,15 @@ s.main.c_cc[VMIN] = 1; s.main.c_cc[VTIME] = 0; +#else /* not HAVE_TERMIO */ + + s.main.sg_flags &= ~(ECHO | CRMOD | ANYP | ALLDELAY | RAW | LCASE + | CBREAK | TANDEM); + s.main.sg_flags |= LPASS8; + s.main.sg_erase = 0377; + s.main.sg_kill = 0377; + s.lmode = LLITOUT | s.lmode; /* Don't strip 8th bit */ + #endif /* not HAVE_TERMIO */ EMACS_SET_TTY (out, &s, 0);
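
Review bot: the comment beginning "We used to enable ICANON" in the trailing context of the first hunk (@@ -537) records only the EOF problem, not the symptom this move fixes. Now that the comment and the c_cc[VMIN]/c_cc[VTIME] settings sit on the HAVE_TERMIO side, consider adding a sentence there saying that canonical mode must stay off because input lines longer than about 4096 bytes were silently truncated (bug#6149), so a later cleanup does not move the block back across the #else.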
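
Review bot: in the second hunk (@@ -558) the re-added branch under "#else /* not HAVE_TERMIO */" clears both RAW and CBREAK in sg_flags, which leaves that path reading input a line at a time, and it has no counterpart to the VMIN/VTIME settings just above it. Is the long-line truncation from the report also possible without HAVE_TERMIO? If it is out of scope, a short comment next to the #else saying so would help, and a regression test that sends a line longer than 4096 bytes to a subprocess would guard the termio side.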