[Emacs-bug-tracker] bug#8335: closed (buffer overrun in (x-change-window


From: GNU bug Tracking System
Subject: [Emacs-bug-tracker] bug#8335: closed (buffer overrun in (x-change-window-property "FOO" '(0 bad)))
Date: Wed, 30 Mar 2011 00:54:02 +0000

Your message dated Tue, 29 Mar 2011 17:53:19 -0700
with message-id <address@hidden>
and subject line fix merged to trunk
has caused the GNU bug report #8335,
regarding buffer overrun in (x-change-window-property "FOO" '(0 bad))
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
8335: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=8335
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: buffer overrun in (x-change-window-property "FOO" '(0 bad))
Date: Wed, 23 Mar 2011 18:13:57 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Thunderbird/3.1.8
src/xselect.c's function x_check_property_data has a coding error, in
that it never reports an error.  This can lead to corrupted memory.
For example, the Lisp code (x-change-window-property "FOO" '(0 bad))
internally does a malloc (0) and then stores through the resulting
pointer.

This bug was found by static analysis, using gcc -Wstrict-overflow
(GCC 4.5.2, x86-64).

I plan to fix it with the following patch.

* xselect.c (x_check_property_data): Don't return wrong size.
=== modified file 'src/xselect.c'
--- src/xselect.c       2011-03-10 01:36:58 +0000
+++ src/xselect.c       2011-03-24 01:04:41 +0000
@@ -2190,7 +2190,8 @@
 ***********************************************************************/
 /* Check that lisp values are of correct type for x_fill_property_data.
    That is, number, string or a cons with two numbers (low and high 16
-   bit parts of a 32 bit number).  */
+   bit parts of a 32 bit number).  Return the number of items in DATA,
+   or -1 if there is an error.  */

 int
 x_check_property_data (Lisp_Object data)
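Review bot: the new comment documents the -1 return but says nothing about an improper list (a DATA whose final cdr is neither a cons nor nil): the loop condition `CONSP (iter)` just stops there and the function returns the count of the elements before it, so a caller cannot distinguish an improper list from a shorter proper one. Either state that here ("elements after a non-cons cdr are ignored") or add an explicit test on `iter` after the loop if that case should also be reported as an error.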
@@ -2198,15 +2199,16 @@
   Lisp_Object iter;
   int size = 0;

-  for (iter = data; CONSP (iter) && size != -1; iter = XCDR (iter), ++size)
+  for (iter = data; CONSP (iter); iter = XCDR (iter))
     {
       Lisp_Object o = XCAR (iter);

       if (! NUMBERP (o) && ! STRINGP (o) && ! CONSP (o))
-        size = -1;
+        return -1;
       else if (CONSP (o) &&
                (! NUMBERP (XCAR (o)) || ! NUMBERP (XCDR (o))))
-        size = -1;
+        return -1;
+      size++;
     }

   return size;
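Review bot: returning -1 directly is the right fix, but the hunk does not show the callers, and they deserve a look in the same change: in the pre-patch loop `size = -1` was undone by `++size` in the for increment before `size != -1` was tested, so the function never actually returned a negative value and no caller has ever exercised its error path. Confirm that every caller of x_check_property_data checks for a negative result before using it as an allocation size, since a -1 (or an undercount, as in the report's malloc (0) case) flowing into the allocation is exactly the overrun being fixed here.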



--- End Message ---
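The mechanism described in the report above, as an added example that is not Emacs code: a tagged-value array (the constructed types kind_t and val_t) stands in for Lisp_Object, and check_old, check_new and overrun_items are names chosen for this illustration. check_old keeps the pre-patch loop shape, check_new the post-patch shape, and the third function models the caller's sizing decision without performing the out-of-bounds store. It goes slightly beyond the report's '(0 bad) case by also feeding in a cons whose cdr is not a number.

```c
/* Added example, not Emacs source: models the x_check_property_data loop
   before and after the patch above, using a small tagged-value array in
   place of Lisp_Object so it compiles and runs stand-alone. */
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for the Lisp value kinds the real function tests. */
typedef enum { V_NUMBER, V_STRING, V_PAIR, V_SYMBOL } kind_t;

typedef struct {
    kind_t kind;
    kind_t car_kind, cdr_kind;   /* meaningful only when kind == V_PAIR */
} val_t;

/* Pre-patch shape of the loop.  Writing -1 into size inside the body is
   undone by the ++size in the for increment before `size != -1` is ever
   tested, so an invalid element is merely left uncounted. */
int check_old(const val_t *data, size_t n)
{
    int size = 0;
    size_t i;
    for (i = 0; i < n && size != -1; i++, ++size) {
        const val_t *o = &data[i];
        if (o->kind != V_NUMBER && o->kind != V_STRING && o->kind != V_PAIR)
            size = -1;
        else if (o->kind == V_PAIR &&
                 (o->car_kind != V_NUMBER || o->cdr_kind != V_NUMBER))
            size = -1;
    }
    return size;
}

/* Post-patch shape: an invalid element is reported immediately and the
   count only advances for elements that passed. */
int check_new(const val_t *data, size_t n)
{
    int size = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        const val_t *o = &data[i];
        if (o->kind != V_NUMBER && o->kind != V_STRING && o->kind != V_PAIR)
            return -1;
        else if (o->kind == V_PAIR &&
                 (o->car_kind != V_NUMBER || o->cdr_kind != V_NUMBER))
            return -1;
        size++;
    }
    return size;
}

/* Models the caller's sizing decision without performing the unsafe write:
   returns how many list elements lie beyond the count the checker returned
   (the report's malloc (0) followed by a store is the n - 0 case), or -1
   when the checker rejected the list and the caller should raise an error. */
long overrun_items(int (*check)(const val_t *, size_t),
                   const val_t *data, size_t n)
{
    int size = check(data, n);
    if (size < 0)
        return -1;
    return (long)n - size;
}

/* Constructed inputs.  sample_bad mirrors the report's '(0 bad): a number
   followed by a symbol.  sample_badpair is a cons whose cdr is not a number. */
const val_t sample_ok[3] = {
    { V_NUMBER, V_NUMBER, V_NUMBER },
    { V_STRING, V_NUMBER, V_NUMBER },
    { V_PAIR,   V_NUMBER, V_NUMBER },
};
const val_t sample_bad[2] = {
    { V_NUMBER, V_NUMBER, V_NUMBER },
    { V_SYMBOL, V_NUMBER, V_NUMBER },
};
const val_t sample_badpair[1] = {
    { V_PAIR, V_NUMBER, V_STRING },
};

int main(void)
{
    printf("'(0 bad):       old=%d new=%d\n",
           check_old(sample_bad, 2), check_new(sample_bad, 2));
    printf("'((1 . \"x\")):  old=%d new=%d\n",
           check_old(sample_badpair, 1), check_new(sample_badpair, 1));
    printf("items past allocation with old check: %ld\n",
           overrun_items(check_old, sample_bad, 2));
    return 0;
}
```

With the old loop the invalid element is simply dropped from the count wherever it sits in the list, so the caller allocates room for fewer items than it goes on to fill; with the new loop the same inputs come back as -1 and never reach the allocation.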
--- Begin Message ---
Subject: fix merged to trunk
Date: Tue, 29 Mar 2011 17:53:19 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Thunderbird/3.1.8
I committed a fix to the trunk for this,
as part of a recent merge (bzr 103776).

For Bug#8344, the merge uses size_t rather
than EMACS_INT for argument counts as I proposed earlier,
since the argument counts are always nonnegative
and are limited just by sizes that can be counted
at the C level.


--- End Message ---
