all messages for Emacs-related lists mirrored at yhetil.org
* bug#31186: 27.0.50; Undefined behavior in lisp_file_lexically_bound_p
@ 2018-04-17  0:27 Philipp
  2018-04-17  9:48 ` Andreas Schwab
  0 siblings, 1 reply; 2+ messages in thread
From: Philipp @ 2018-04-17  0:27 UTC (permalink / raw)
  To: 31186


Loading a file or evaluating a buffer with the following contents causes
undefined behavior, normally resulting in a segmentation fault:

;; -*- -:*-

For example:

$ emacs -Q -batch -nw -eval '(with-temp-buffer (insert ";; -*- -:*-") (eval-buffer))'
Fatal error 11: Segmentation faultAbort trap: 6

Backtrace:

(lldb) run -Q -batch -nw -l /tmp/crash.el
Process 45748 launched: '/Users/p/Entwicklung/Emacs/master/src/emacs' (x86_64)
Process 45748 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fffefbf7a8e)
    frame #0: 0x0000000100373f19 emacs`lisp_file_lexically_bound_p(readcharfun=(i = 0x0000000101505955)) at lread.c:936
   933 		      if (! in_file_vars)
   934 			/* The value was terminated by an end-marker, which remove.  */
   935 			i -= 3;
-> 936 		      while (i > 0 && (val[i - 1] == ' ' || val[i - 1] == '\t'))
   937 			i--;
   938 		      val[i] = '\0';
   939 	
Target 0: (emacs) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fffefbf7a8e)
  * frame #0: 0x0000000100373f19 emacs`lisp_file_lexically_bound_p(readcharfun=(i = 0x0000000101505955)) at lread.c:936
    frame #1: 0x000000010037563c emacs`Feval_buffer(buffer=(i = 0x0000000101505955), printflag=(i = 0x0000000000000000), filename=(i = 0x0000000101126a64), unibyte=(i = 0x0000000000000000), do_allow_print=(i = 0x000000000000b8e0)) at lread.c:2140
    frame #2: 0x000000010030a643 emacs`funcall_subr(subr=0x000000010093c920, numargs=5, args=0x00007ffeefbf7fa0) at eval.c:2910
    frame #3: 0x0000000100308bfb emacs`Ffuncall(nargs=6, args=0x00007ffeefbf7f98) at eval.c:2823
    frame #4: 0x00000001003b2ddd emacs`exec_byte_code(bytestr=(i = 0x000000010055da5c), vector=(i = 0x000000010055da7d), maxdepth=(i = 0x000000000000001a), args_template=(i = 0x0000000000000000), nargs=0, args=0x0000000000000000) at bytecode.c:632
    frame #5: 0x000000010030b22f emacs`funcall_lambda(fun=(i = 0x000000010055d9dd), nargs=4, arg_vector=0x00007ffeefbf9468) at eval.c:3102
    frame #6: 0x0000000100308c4b emacs`Ffuncall(nargs=5, args=0x00007ffeefbf9460) at eval.c:2825
    frame #7: 0x0000000100309dd9 emacs`call4(fn=(i = 0x00000000076b1188), arg1=(i = 0x0000000101126a64), arg2=(i = 0x0000000101126a64), arg3=(i = 0x0000000000000000), arg4=(i = 0x000000000000b8e0)) at eval.c:2699
    frame #8: 0x000000010037172f emacs`Fload(file=(i = 0x0000000101306f34), noerror=(i = 0x0000000000000000), nomessage=(i = 0x000000000000b8e0), nosuffix=(i = 0x0000000000000000), must_suffix=(i = 0x0000000000000000)) at lread.c:1366
    frame #9: 0x000000010030a643 emacs`funcall_subr(subr=0x000000010093c8f0, numargs=3, args=0x00007ffeefbf9d58) at eval.c:2910
    frame #10: 0x0000000100308bfb emacs`Ffuncall(nargs=4, args=0x00007ffeefbf9d50) at eval.c:2823
    frame #11: 0x00000001003b2ddd emacs`exec_byte_code(bytestr=(i = 0x000000010063d05c), vector=(i = 0x000000010063d07d), maxdepth=(i = 0x000000000000005e), args_template=(i = 0x0000000000000406), nargs=1, args=0x00007ffeefbfb5e8) at bytecode.c:632
    frame #12: 0x000000010030abcc emacs`funcall_lambda(fun=(i = 0x000000010063d02d), nargs=1, arg_vector=0x00007ffeefbfb5e0) at eval.c:3024
    frame #13: 0x0000000100308c4b emacs`Ffuncall(nargs=2, args=0x00007ffeefbfb5d8) at eval.c:2825
    frame #14: 0x00000001003b2ddd emacs`exec_byte_code(bytestr=(i = 0x0000000100637974), vector=(i = 0x0000000100637995), maxdepth=(i = 0x0000000000000032), args_template=(i = 0x0000000000000002), nargs=0, args=0x00007ffeefbfd038) at bytecode.c:632
    frame #15: 0x000000010030abcc emacs`funcall_lambda(fun=(i = 0x0000000100637945), nargs=0, arg_vector=0x00007ffeefbfd038) at eval.c:3024
    frame #16: 0x0000000100308c4b emacs`Ffuncall(nargs=1, args=0x00007ffeefbfd030) at eval.c:2825
    frame #17: 0x00000001003b2ddd emacs`exec_byte_code(bytestr=(i = 0x0000000100636924), vector=(i = 0x0000000100636945), maxdepth=(i = 0x0000000000000032), args_template=(i = 0x0000000000000002), nargs=0, args=0x00007ffeefbfe4d0) at bytecode.c:632
    frame #18: 0x000000010030abcc emacs`funcall_lambda(fun=(i = 0x00000001006368f5), nargs=0, arg_vector=0x00007ffeefbfe4d0) at eval.c:3024
    frame #19: 0x00000001002fedb3 emacs`apply_lambda(fun=(i = 0x00000001006368f5), args=(i = 0x0000000000000000), count=4) at eval.c:2960
    frame #20: 0x00000001002efa3c emacs`eval_sub(form=(i = 0x0000000107862053)) at eval.c:2333
    frame #21: 0x00000001002faa37 emacs`Feval(form=(i = 0x0000000107862053), lexical=(i = 0x0000000000000000)) at eval.c:2108
    frame #22: 0x00000001001d9a9a emacs`top_level_2 at keyboard.c:1120
    frame #23: 0x00000001002f8e9f emacs`internal_condition_case(bfun=(emacs`top_level_2 at keyboard.c:1119), handlers=(i = 0x0000000000004a10), hfun=(emacs`cmd_error at keyboard.c:939)) at eval.c:1334
    frame #24: 0x00000001001d9741 emacs`top_level_1(ignore=(i = 0x0000000000000000)) at keyboard.c:1128
    frame #25: 0x00000001002f80a8 emacs`internal_catch(tag=(i = 0x000000000000bf10), func=(emacs`top_level_1 at keyboard.c:1125), arg=(i = 0x0000000000000000)) at eval.c:1099
    frame #26: 0x00000001001bb9a1 emacs`command_loop at keyboard.c:1089
    frame #27: 0x00000001001bb7e4 emacs`recursive_edit_1 at keyboard.c:696
    frame #28: 0x00000001001bbc11 emacs`Frecursive_edit at keyboard.c:767
    frame #29: 0x00000001001b9289 emacs`main(argc=6, argv=0x00007ffeefbff798) at emacs.c:1720
    frame #30: 0x00007fff6b0dd115 libdyld.dylib`start + 1
    frame #31: 0x00007fff6b0dd115 libdyld.dylib`start + 1

My guess is that `i' wraps around in line 935.

Found by american fuzzy lop.


In GNU Emacs 27.0.50 (build 63, x86_64-apple-darwin17.4.0, NS appkit-1561.20 Version 10.13.3 (Build 17D102))
 of 2018-04-17 built on p
Repository revision: b0d261e29e5c1ffb9bc76e3519dd7525ab1edac4
Windowing system distributor 'Apple', version 10.3.1561
System Description:  Mac OS X 10.13.3

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --with-modules --without-pop --with-mailutils
 --enable-gcc-warnings=yes --enable-checking
 --enable-check-lisp-object-type 'CFLAGS=-ggdb3 -O0''

Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES THREADS
JSON

Important settings:
  value of $LANG: de_DE.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc puny seq byte-opt gv
bytecomp byte-compile cconv dired dired-loaddefs format-spec rfc822 mml
easymenu mml-sec password-cache epa derived epg epg-config gnus-util
rmail rmail-loaddefs mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader cl-loaddefs cl-lib sendmail rfc2047
rfc2045 ietf-drums mm-util mail-prsvr mail-utils time-date elec-pair
tooltip eldoc electric uniquify ediff-hook vc-hooks lisp-float-type
mwheel term/ns-win ns-win ucs-normalize mule-util term/common-win
tool-bar dnd fontset image regexp-opt fringe tabulated-list replace
newcomment text-mode elisp-mode lisp-mode prog-mode register page
menu-bar rfn-eshadow isearch timer select scroll-bar mouse jit-lock
font-lock syntax facemenu font-core term/tty-colors frame cl-generic
cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao
korean japanese eucjp-ms cp51932 hebrew greek romanian slovak czech
european ethiopic indian cyrillic chinese composite charscript charprop
case-table epa-hook jka-cmpr-hook help simple abbrev obarray minibuffer
cl-preloaded nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote kqueue cocoa ns
multi-tty make-network-process emacs)

Memory information:
((conses 16 204572 6900)
 (symbols 48 19993 1)
 (miscs 40 56 173)
 (strings 32 28833 1950)
 (string-bytes 1 772113)
 (vectors 16 35272)
 (vector-slots 8 721614 13568)
 (floats 8 51 65)
 (intervals 56 210 0)
 (buffers 992 11))


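As an added example (my own code, not Emacs's lread.c and not from the reporter or the patch author), the following C program re-implements the `-*- var: val; ... -*-` first-line scan that the report above describes, in enough detail to show the mechanism the reporter guessed at: the three-state matcher for the closing `-*-` keeps a partial match alive across the `:` between a variable name and its value, so for `;; -*- -:*-` the value buffer holds only `*-` when the end marker completes, and the unsigned index `i` wraps when three bytes are subtracted. The `reset_per_token` switch turns on the behaviour of the fix installed later in this thread (restart the matcher before each token). Names (`scan_first_line`, `buggy_trim_underflows`, `lexical_binding_p`, `next_char`) are mine; the input is an in-memory string instead of Emacs's `READCHAR`; the wrap is reported rather than used as an index so the program stays memory-safe; and treating any value other than `nil` as true is my assumed reading of the `lexical-binding` semantics.

```c
/* Added example, not Emacs source: a minimal re-implementation of the
   "-*- var: val; ... -*-" first-line scanner whose crash this thread
   reports.  Names (scan_first_line, reset_per_token, ...) are mine. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum beg_end { NOMINAL, AFTER_FIRST_DASH, AFTER_ASTERIX };

struct scan_result {
    int lexical_binding;   /* 1 if lexical-binding was set to anything but nil (assumed) */
    bool underflow;        /* the unconditional `i -= 3` would have wrapped */
};

/* Next byte of the line, or EOF at the terminating NUL. */
static int next_char(const char **p)
{
    return **p ? (unsigned char) *(*p)++ : EOF;
}

/* Three-state matcher for the closing "-*-".  A partial match survives in
   *st across calls, which is exactly what the bug depends on. */
static void update_state(enum beg_end *st, int ch, bool *in_file_vars)
{
    if (*st == NOMINAL)
        *st = (ch == '-') ? AFTER_FIRST_DASH : NOMINAL;
    else if (*st == AFTER_FIRST_DASH)
        *st = (ch == '*') ? AFTER_ASTERIX : NOMINAL;
    else {                              /* AFTER_ASTERIX */
        if (ch == '-')
            *in_file_vars = false;      /* closing marker complete */
        *st = NOMINAL;
    }
}

/* Scan one first line.  reset_per_token == false lets the matcher state
   carry across the ':' between a name and its value (the buggy behaviour);
   true restarts it at NOMINAL before every token (the fix in this thread). */
struct scan_result scan_first_line(const char *line, bool reset_per_token)
{
    struct scan_result r = { 0, false };
    const char *p = strstr(line, "-*-");
    if (!p)
        return r;
    p += 3;
    enum beg_end st = NOMINAL;
    bool in_file_vars = true;
    while (in_file_vars) {
        char var[100], val[100];
        size_t i;                       /* unsigned, as in lread.c */
        int ch = next_char(&p);
        while (ch == ' ' || ch == '\t')
            ch = next_char(&p);
        i = 0;
        if (reset_per_token)
            st = NOMINAL;
        while (ch != ':' && ch != '\n' && ch != EOF && in_file_vars) {
            if (i < sizeof var - 1)
                var[i++] = (char) ch;
            update_state(&st, ch, &in_file_vars);
            ch = next_char(&p);
        }
        if (!in_file_vars || ch == '\n' || ch == EOF)
            break;                      /* no "name:" before the end marker */
        while (i > 0 && (var[i - 1] == ' ' || var[i - 1] == '\t'))
            i--;
        var[i] = '\0';
        ch = next_char(&p);             /* past the ':'; skip leading blanks */
        while (ch == ' ' || ch == '\t')
            ch = next_char(&p);
        i = 0;
        if (reset_per_token)
            st = NOMINAL;
        while (ch != ';' && ch != '\n' && ch != EOF && in_file_vars) {
            if (i < sizeof val - 1)
                val[i++] = (char) ch;
            update_state(&st, ch, &in_file_vars);
            ch = next_char(&p);
        }
        if (!in_file_vars) {
            /* The value was ended by "-*-": drop those three bytes.  lread.c
               does `i -= 3` unconditionally; here the wrap is reported
               instead of being used as an index. */
            if (i < 3) {
                r.underflow = true;
                return r;
            }
            i -= 3;
        }
        while (i > 0 && (val[i - 1] == ' ' || val[i - 1] == '\t'))
            i--;
        val[i] = '\0';
        if (strcmp(var, "lexical-binding") == 0)
            r.lexical_binding = strcmp(val, "nil") != 0;   /* assumed semantics */
    }
    return r;
}

/* Wrappers used by the demo below. */
int buggy_trim_underflows(const char *line) { return scan_first_line(line, false).underflow; }
int lexical_binding_p(const char *line)     { return scan_first_line(line, true).lexical_binding; }

int main(void)
{
    const char *crash  = ";; -*- -:*-";                  /* the reporter's input */
    const char *normal = ";; -*- lexical-binding: t -*-";
    printf("buggy scan of \"%s\" underflows: %d\n", crash, buggy_trim_underflows(crash));
    printf("fixed scan of \"%s\" underflows: %d\n", crash, scan_first_line(crash, true).underflow);
    printf("lexical-binding in \"%s\": %d\n", normal, lexical_binding_p(normal));
    return 0;
}
```

Run it and the buggy scan reports the wrap for the reporter's input while the reset variant does not; ordinary prologues such as `;; -*- mode: emacs-lisp; lexical-binding: t -*-` parse the same way under both settings, which is why the bug only surfaced under a fuzzer. Note that the `i < sizeof val - 1` truncation is kept: a value longer than the buffer that ends in `-*-` still has three stored bytes dropped instead of the marker, a quirk of the original design rather than a memory-safety problem.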

* bug#31186: 27.0.50; Undefined behavior in lisp_file_lexically_bound_p
  2018-04-17  0:27 bug#31186: 27.0.50; Undefined behavior in lisp_file_lexically_bound_p Philipp
@ 2018-04-17  9:48 ` Andreas Schwab
  0 siblings, 0 replies; 2+ messages in thread
From: Andreas Schwab @ 2018-04-17  9:48 UTC (permalink / raw)
  To: Philipp; +Cc: 31186-done

On Apr 17 2018, Philipp <p.stephani2@gmail.com> wrote:

> Loading a file or evaluating a buffer with the following contents causes
> undefined behavior, normally resulting in a segmentation fault:
>
> ;; -*- -:*-
>
> For example:
>
> $ emacs -Q -batch -nw -eval '(with-temp-buffer (insert ";; -*- -:*-") (eval-buffer))'
> Fatal error 11: Segmentation faultAbort trap: 6

I have installed this patch in the emacs-26 branch:

* src/lread.c (lisp_file_lexically_bound_p): Reset
beg_end_state before reading variable or value.
---
 src/lread.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/lread.c b/src/lread.c
index 3104c441ec..72523c057f 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -896,6 +896,7 @@ lisp_file_lexically_bound_p (Lisp_Object readcharfun)
 	    ch = READCHAR;
 
 	  i = 0;
+	  beg_end_state = NOMINAL;
 	  while (ch != ':' && ch != '\n' && ch != EOF && in_file_vars)
 	    {
 	      if (i < sizeof var - 1)
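Review bot: the reset is placed correctly, just before the first character of the variable name is examined, but nothing in the hunk says why it is needed; add a short comment that the end-marker state machine must start from NOMINAL for each token so that a partial `-*-` match cannot span the `:` or `;` separators (the reporter's `-:*-` is a `-` in the name followed by `*-` in the value). Without that comment the line looks redundant next to `i = 0;` and is easy to drop in a later cleanup.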
@@ -921,6 +922,7 @@ lisp_file_lexically_bound_p (Lisp_Object readcharfun)
 		ch = READCHAR;
 
 	      i = 0;
+	      beg_end_state = NOMINAL;
 	      while (ch != ';' && ch != '\n' && ch != EOF && in_file_vars)
 		{
 		  if (i < sizeof val - 1)
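Review bot: resetting `beg_end_state` before the value loop makes the `i -= 3` at the crash site (lread.c:935 in the backtrace) safe only through an implicit invariant: the closing marker can now complete only after this loop has stored its three characters, so `i >= 3` whenever `in_file_vars` drops to 0. Consider stating that locally, e.g. `eassert (i >= 3);` before the subtraction or `if (i >= 3) i -= 3;`, since the reporter's guess that the unsigned `i` wraps at that line is exactly what happened and the guarantee now lives two hunks away from the arithmetic it protects. Also, the `if (i < sizeof val - 1)` truncation visible here means a value longer than the buffer that ends in `-*-` drops its last three stored characters instead of the marker; not a memory-safety issue, but worth a comment.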
-- 
2.17.0


Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."


