bug-gnu-emacs

Re: Re: Crash calling md5 for a list of buffers


From: Dmitry Antipov
Subject: Re: Re: Crash calling md5 for a list of buffers
Date: Thu, 22 Jan 2004 14:34:45 +0300
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113

Kevin Rodgers wrote:

> There must be something wrong in the code in fns.c:Fmd5() that computes
> and checks the buffer beginning and end when it's run with object set to
> the xdisp.c buffer, because either the subsequent call to
> select-safe-coding-system (via Vselect_safe_coding_system_function) or
> make_buffer_string is passed an end argument that is 1 larger than the
> buffer size (which precipitates the Lisp error or the crash,
> respectively).  Can anyone see what's wrong here?

IMHO this code is correct, but Fmd5 really has a stupid error. Here it is.

If the 1st arg is a string, all goes ok. If it's a buffer, we have a
'struct buffer *bp' which points to the buffer to process. For the buffer
'bp' points to, we are calculating begin (b) and end (e) boundaries.
Then, after selecting the coding system, we do 'make_buffer_string (b, e, 0)'.
But this function works with 'struct buffer *current_buffer', not with
'bp'! So, if the size of the buffer pointed to via *bp is more than the size
of *current_buffer, we have an abort():
make_buffer_string() -> CHAR_TO_BYTE(end) -> buf_charpos_to_bytepos(...):
 ...
 if (charpos < BUF_BEG (b) || charpos > BUF_Z (b))
   abort ();
 ...
because 'b' here points to the current buffer, but 'charpos' arg is
calculated for *bp from Fmd5.

An obvious (but I'm not sure the best, btw) fix is:

...
struct buffer *bt;
...
bt = current_buffer, current_buffer = bp;
object = make_buffer_string (b, e, 0);
current_buffer = bt;
...

I've already posted it here (see my e-mail "Probably fixed..."), but
still have no reply on it :-(.

Thanks for your help,
Dmitry
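
The failure mode described in the message above, as an added example that is not part of the original post and is not Emacs source: bounds computed for one buffer are handed to a routine that reads an implicit global "current" buffer. The struct layout, the function names and the sample buffers are hypothetical, and a return value of -1 stands in for the abort(). In this model the same mismatch also returns the other buffer's text without any error when the current buffer is the larger one.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not the Emacs definitions: positions are 1-based and
   valid character positions run from beg to z (one past the last char). */
struct buffer { const char *text; long beg, z; };

static struct buffer *current_buffer;   /* implicit global context */

/* Stand-in for make_buffer_string: always reads current_buffer.
   Returns the number of chars copied, or -1 where Emacs would abort(). */
static long region_of_current(long b, long e, char *out, size_t outsz)
{
    struct buffer *cur = current_buffer;
    if (b < cur->beg || e > cur->z || b > e || (size_t)(e - b) >= outsz)
        return -1;
    memcpy(out, cur->text + (b - 1), (size_t)(e - b));
    out[e - b] = '\0';
    return e - b;
}

/* Pattern from the message: bounds come from bp, text from current_buffer. */
static long text_of_buggy(struct buffer *bp, char *out, size_t outsz)
{
    return region_of_current(bp->beg, bp->z, out, outsz);
}

/* Pattern of the proposed fix: make bp current for the call, then restore. */
static long text_of_fixed(struct buffer *bp, char *out, size_t outsz)
{
    struct buffer *saved = current_buffer;
    current_buffer = bp;
    long n = region_of_current(bp->beg, bp->z, out, outsz);
    current_buffer = saved;
    return n;
}

/* Constructed sample buffers. */
static struct buffer small_buf = { "abc", 1, 4 };
static struct buffer large_buf = { "0123456789", 1, 11 };
int main(void)
{
    char out[32];
    current_buffer = &small_buf;
    printf("buggy, bp larger:  %ld\n", text_of_buggy(&large_buf, out, sizeof out));
    printf("fixed, bp larger:  %ld\n", text_of_fixed(&large_buf, out, sizeof out));
    current_buffer = &large_buf;
    printf("buggy, bp smaller: %ld \"%s\"\n", text_of_buggy(&small_buf, out, sizeof out), out);
    return 0;
}
```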




