From: YAMAMOTO Mitsuharu
Newsgroups: gmane.emacs.devel
Subject: Re: PATCH: fix for memory corruption and eventual crash in print.c
Date: Sun, 06 Jul 2008 16:45:04 +0900
Organization: Faculty of Science, Chiba University
To: "Ami Fischman"
Cc: emacs-devel@gnu.org

>>>>> On Sat, 5 Jul 2008 21:11:14 -0700, "Ami Fischman" said:

> src/print.c:print_object() has this code:
> 1570   if (NILP (Vprint_circle) && NILP (Vprint_gensym))
> [...]
> 1581       being_printed[print_depth] = obj;
> [...]
> 1611   print_depth++;
> 1612
> 1613   /* See similar code in print_preprocess.  */
> 1614   if (print_depth > PRINT_CIRCLE)
> 1615     error ("Apparently circular structure being printed");

> Note that being_printed[print_depth] is assigned to /before/ print_depth is
> checked for exceeding PRINT_CIRCLE (the declared size of being_printed).

This reminds me of a similar buffer overrun that had existed in
`print_preprocess' also with respect to `being_printed'.

  http://lists.gnu.org/archive/html/emacs-devel/2004-07/msg00146.html

I think a fix for `print_object' should go to the EMACS_22_BASE branch
as well as the trunk so it may not be missed.

Another candidate for the inclusion to the EMACS_22_BASE branch would
be the PNG background color bit-depth fix below:

2008-05-09  Chong Yidong

	* image.c (png_load): Use correct bit-depth for setting
	background color.

				     YAMAMOTO Mitsuharu
				mituharu@math.s.chiba-u.ac.jp
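
Added example, not part of the original message and not Emacs source: a small C model of the ordering discussed above, showing that storing into being_printed[print_depth] before the depth check writes one slot past the declared size before the error fires, while checking first does not. The value of PRINT_CIRCLE, the guard slot, and the function names are assumptions made for the model; the check-first variant is one possible ordering, not the patch that was committed.

```c
#include <stddef.h>
#include <stdio.h>

#define PRINT_CIRCLE 4  /* constructed small value: declared size of being_printed */

/* One extra guard slot stands in for the memory that follows the array,
   so the model can observe the stray write without undefined behaviour. */
static const void *being_printed[PRINT_CIRCLE + 1];
static int print_depth;

/* Ordering from the quoted code: store, increment, then check. */
static int enter_store_then_check(const void *obj)
{
    being_printed[print_depth] = obj;
    print_depth++;
    if (print_depth > PRINT_CIRCLE)
        return -1;              /* "Apparently circular structure being printed" */
    return 0;
}

/* Hypothetical hardened ordering: refuse before touching the array. */
static int enter_check_then_store(const void *obj)
{
    if (print_depth >= PRINT_CIRCLE)
        return -1;
    being_printed[print_depth++] = obj;
    return 0;
}

/* Nest until the error fires; return 1 if the guard slot was written. */
static int guard_clobbered_after_nesting(int (*enter)(const void *))
{
    static const int obj = 0;   /* any non-NULL object pointer will do */
    for (size_t i = 0; i <= PRINT_CIRCLE; i++)
        being_printed[i] = NULL;
    print_depth = 0;
    while (enter(&obj) == 0)
        ;
    return being_printed[PRINT_CIRCLE] != NULL;
}

int main(void)
{
    printf("store-then-check wrote past the array: %d\n",
           guard_clobbered_after_nesting(enter_store_then_check));
    printf("check-then-store wrote past the array: %d\n",
           guard_clobbered_after_nesting(enter_check_then_store));
    return 0;
}
```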