[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[debbugs-tracker] bug#24118: closed (25.1; [PATCH] Fix a possible crash

From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#24118: closed (25.1; [PATCH] Fix a possible crash caused by mapcar1)
Date: Wed, 03 Aug 2016 01:17:02 +0000

Your message dated Tue, 2 Aug 2016 18:15:53 -0700
with message-id <address@hidden>
and subject line Re: 25.1; [PATCH] Fix a possible crash caused by mapcar1
has caused the debbugs.gnu.org bug report #24118,
regarding 25.1; [PATCH] Fix a possible crash caused by mapcar1
to be marked as done.

(If you believe you have received this mail in error, please contact

24118: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=24118
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message --- Subject: 25.1; [PATCH] Fix a possible crash caused by mapcar1 Date: Sun, 31 Jul 2016 20:46:50 +0800
Processing a list with `mapcar' or `mapconcat' can be terminated early
when the list is tampered (as shown in the following example), and as a
result we'll be dealing with uninitialized memory which will likely
trigger a crash.

  (setq a (make-list 10 0))
  (mapcar (lambda (_)
            (setcdr a nil))



* src/fns.c (mapcar1): Check and reset uninitialized list elements.
 src/fns.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/fns.c b/src/fns.c
index d5a1f74..1804bce 100644
--- a/src/fns.c
+++ b/src/fns.c
@@ -2524,6 +2524,10 @@ mapcar1 (EMACS_INT leni, Lisp_Object *vals, Lisp_Object 
fn, Lisp_Object seq)
            vals[i] = dummy;
          tail = XCDR (tail);
+      /* In case the list was tampered and the loop terminated early. */
+      if (i < leni)
+        memclear (vals + i, (leni - i) * word_size);

--- End Message ---
--- Begin Message --- Subject: Re: 25.1; [PATCH] Fix a possible crash caused by mapcar1 Date: Tue, 2 Aug 2016 18:15:53 -0700 User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 Thanks for the bug report. I installed the attached more-adventurous patch, which truncates the result rather than extending it with nils. This seems a bit more appropriate anyway.

Although it no longer matters for this patch, memclear is specified to store nil values regardless of how nil is represented. Of course memclear's current implementation assumes Qnil is zero, and memclear can't be portably and easily implemented if we merely change Qnil to be nonzero, but that's a bridge we don't have to cross unless we change Qnil to be nonzero.

Attachment: 0001-Fix-mapcar-F-S-crash-when-F-alters-S-s-length.txt
Description: Text document

--- End Message ---

reply via email to

[Prev in Thread] Current Thread [Next in Thread]