[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#11288: avoid buffer overrun in display code

From: Jim Meyering
Subject: bug#11288: avoid buffer overrun in display code
Date: Fri, 20 Apr 2012 13:42:05 +0200

This bug leads to a seemingly unterminated loop in swap_glyph_pointers,
when compiled with gcc-4.8.0 (from April 19 or newer).
At first I thought it was a code-gen bug and reported it as
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53053.  But then Richard
Guenther guessed at the cause and Jakub Jelinek confirmed that the
seemingly-infinite-loop was in fact just part of the undefined behavior
we may now expect from buggy code.

2012-04-20  Jim Meyering  <address@hidden>

        * dispextern.h (glyph_row.used): Increase size by 1, to avoid buffer
        overrun in swap_glyph_pointers, which reads and writes used[LAST_AREA].
        Reported as a gcc bug http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53053
        where Jakub Jelinek spotted the root cause.

=== modified file 'src/dispextern.h'
--- src/dispextern.h    2012-03-26 05:43:05 +0000
+++ src/dispextern.h    2012-04-20 11:14:29 +0000
@@ -748,7 +748,7 @@
   struct glyph *glyphs[1 + LAST_AREA];

   /* Number of glyphs actually filled in areas.  */
-  short used[LAST_AREA];
+  short used[1 + LAST_AREA];

   /* Window-relative x and y-position of the top-left corner of this
      row.  If y < 0, this means that eabs (y) pixels of the row are

reply via email to

[Prev in Thread] Current Thread [Next in Thread]