
bug#23482: 24.4; stack buffer overflow in x-send-client-message

From: Kalle Olavi Niemitalo
Subject: bug#23482: 24.4; stack buffer overflow in x-send-client-message
Date: Sun, 08 May 2016 15:27:34 +0300
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/23.0.51 (gnu/linux)

Start emacs -Q in X, copy the following form to the *scratch*
buffer, and press C-j to evaluate it.  The process then crashes
and glibc reports "stack smashing detected".

(x-send-client-message nil nil nil "foo" 32 (make-list 100 0))

Although the docstring of x-send-client-message claims that
excessive values are ignored, they are actually copied to the
event.xclient.data buffer.  This bug was caused in February 2004
when Fx_send_client_event was moved from xfns.c to xselect.c
and the x_fill_property_data function was added.

This does not seem a security vulnerability though, because Emacs
fully trusts Emacs Lisp code, and if some Emacs Lisp code sends
client messages based on untrusted data, then that's already a
bug of its own.

In my fork, I fixed this by adding a nelements_max parameter to

In GNU Emacs 24.4.1 (x86_64-pc-linux-gnu, GTK+ Version 3.14.5)
 of 2015-03-07 on trouble, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11604000
System Description:     Debian GNU/Linux 8.4 (jessie)

Configured using:
 `configure --build x86_64-linux-gnu --prefix=/usr
 --sharedstatedir=/var/lib --libexecdir=/usr/lib
 --localstatedir=/var/lib --infodir=/usr/share/info
 --mandir=/usr/share/man --with-pop=yes
 --build x86_64-linux-gnu --prefix=/usr --sharedstatedir=/var/lib
 --libexecdir=/usr/lib --localstatedir=/var/lib
 --infodir=/usr/share/info --mandir=/usr/share/man --with-pop=yes
 --with-x=yes --with-x-toolkit=gtk3 --with-toolkit-scroll-bars
 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat
 -Werror=format-security -Wall' CPPFLAGS=-D_FORTIFY_SOURCE=2

Important settings:
  value of $LANG: fi_FI.utf8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent input:
M-x r e p o r t SPC e m a c s SPC b u g <return>

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Load-path shadows:
None found.

(shadow sort gnus-util mail-extr emacsbug message format-spec rfc822 mml
easymenu mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045 ietf-drums
mm-util help-fns mail-prsvr mail-utils time-date tooltip electric
uniquify ediff-hook vc-hooks lisp-float-type mwheel x-win x-dnd tool-bar
dnd fontset image regexp-opt fringe tabulated-list newcomment lisp-mode
prog-mode register page menu-bar rfn-eshadow timer select scroll-bar
mouse jit-lock font-lock syntax facemenu font-core frame cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese case-table epa-hook jka-cmpr-hook help simple abbrev
minibuffer nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote make-network-process
dbusbind gfilenotify dynamic-setting system-font-setting
font-render-setting move-toolbar gtk x-toolkit x multi-tty emacs)

Memory information:
((conses 16 71460 7916)
 (symbols 48 17673 0)
 (miscs 40 38 113)
 (strings 32 9157 4731)
 (string-bytes 1 250735)
 (vectors 16 8949)
 (vector-slots 8 385259 16186)
 (floats 8 63 68)
 (intervals 56 255 50)
 (buffers 960 11)
 (heap 1024 40257 948))
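A bounded fill routine of the kind the fix in the report describes, as an added example in C (not Emacs's own code): it mirrors the 20-byte XClientMessageEvent payload with a locally defined stand-in union, clamps the copy to both the format's capacity and a nelements_max limit so excess values are dropped as the docstring promises, and uses a guard word to confirm that the report's 100-element, format-32 call stores only 5 values. The union layout, the function names and the guard frame are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for Xlib's XClientMessageEvent data union (20 bytes
   seen as chars, shorts or 32-bit words); local so no X11 headers needed. */
typedef union {
    char    b[20];
    int16_t s[10];
    int32_t l[5];
} client_data;
/* Elements of FORMAT (8, 16 or 32 bits) that fit in the payload; 0 if X does
   not define that format. */
size_t client_data_capacity(int format)
{
    switch (format) {
    case 8:  return 20;
    case 16: return 10;
    case 32: return 5;
    default: return 0;
    }
}
/* Bounded fill: stores at most nelements_max values and never more than the
   payload holds, dropping the excess as the docstring promises.  Returns the
   number of values actually stored. */
size_t fill_client_data(client_data *data, int format, const long *values,
                        size_t nvalues, size_t nelements_max)
{
    size_t cap = client_data_capacity(format);
    if (nelements_max < cap) cap = nelements_max;
    size_t n = nvalues < cap ? nvalues : cap;   /* clamp to the bound */
    memset(data, 0, sizeof *data);
    for (size_t i = 0; i < n; i++) {
        if (format == 8)       data->b[i] = (char)values[i];
        else if (format == 16) data->s[i] = (int16_t)values[i];
        else                   data->l[i] = (int32_t)values[i];
    }
    return n;
}
/* Shape of the report's call: format 32 with 100 values.  A guard word after
   the buffer detects any write past its end (-1 if it was clobbered). */
int report_case_elements_stored(void)
{
    struct { client_data d; uint32_t guard; } frame;
    long values[100] = {0};                      /* (make-list 100 0) */
    frame.guard = 0xA5A5A5A5u;
    size_t n = fill_client_data(&frame.d, 32, values, 100, SIZE_MAX);
    return frame.guard == 0xA5A5A5A5u ? (int)n : -1;
}
```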
