
Problem report #85


From: Dan Nicolaescu
Subject: Problem report #85
Date: Wed, 10 May 2006 18:20:45 -0700

CID: 85
Checker: USE_AFTER_FREE (help)
File: base/src/emacs/src/fileio.c
Function: Finsert_file_contents
Description: Using freed pointer "conversion_buffer"

Event freed_arg: Pointer "conversion_buffer" freed by function "xfree" [model]
Also see events: [double_free][double_free][use_after_free][use_after_free]

4326              xfree (conversion_buffer);
4327              coding_free_composition_data (&coding);

At conditional (1): "how_much == -1" taking false path

4328              if (how_much == -1)
4329                error ("IO error reading %s: %s",
4330                       SDATA (orig_filename), emacs_strerror (errno));

At conditional (2): "how_much == -2" taking false path

4331              else if (how_much == -2)
4332                error ("maximum buffer size exceeded");
4333            }
4334    
4335          /* Compare the beginning of the converted file
4336             with the buffer text.  */
4337    
4338          bufpos = 0;

Event use_after_free: Using freed pointer "conversion_buffer"
Also see events: [freed_arg][double_free][double_free][use_after_free]
At conditional (3): "bufpos < inserted" taking false path

4339          while (bufpos < inserted && same_at_start < same_at_end
4340                 && FETCH_BYTE (same_at_start) == conversion_buffer[bufpos])
4341            same_at_start++, bufpos++;
4342    
4343          /* If the file matches the buffer completely,
4344             there's no need to replace anything.  */
4345    

At conditional (4): "bufpos == inserted" taking true path

4346          if (bufpos == inserted)
4347            {

Event double_free: Double free of pointer "conversion_buffer" in call to "xfree" [model]
Also see events: [freed_arg][double_free][use_after_free][use_after_free]

4348              xfree (conversion_buffer);
4349              coding_free_composition_data (&coding);
4350              emacs_close (fd);
4351              specpdl_ptr--;
4352              /* Truncate the buffer to the size of the file.  */
4353              del_range_byte (same_at_start, same_at_end, 0);
4354              inserted = 0;
4355              goto handled;
4356            }
4357    
4358          /* Extend the start of non-matching text area to multibyte
4359             character boundary.  */
4360          if (! NILP (current_buffer->enable_multibyte_characters))
4361            while (same_at_start > BEGV_BYTE
4362                   && ! CHAR_HEAD_P (FETCH_BYTE (same_at_start)))
4363              same_at_start--;
4364    
4365          /* Scan this bufferful from the end, comparing with
4366             the Emacs buffer.  */
4367          bufpos = inserted;
4368    
4369          /* Compare with same_at_start to avoid counting some buffer text
4370             as matching both at the file's beginning and at the end.  */

Event use_after_free: Using freed pointer "conversion_buffer"
Also see events: [freed_arg][double_free][double_free][use_after_free]

4371          while (bufpos > 0 && same_at_end > same_at_start
4372                 && FETCH_BYTE (same_at_end - 1) == 
conversion_buffer[bufpos - 1])
4373            same_at_end--, bufpos--;
4374    
4375          /* Extend the end of non-matching text area to multibyte
4376             character boundary.  */
4377          if (! NILP (current_buffer->enable_multibyte_characters))
4378            while (same_at_end < ZV_BYTE
4379                   && ! CHAR_HEAD_P (FETCH_BYTE (same_at_end)))
4380              same_at_end++;
4381    
4382          /* Don't try to reuse the same piece of text twice.  */
4383          overlap = same_at_start - BEGV_BYTE - (same_at_end + inserted - 
ZV_BYTE);
4384          if (overlap > 0)
4385            same_at_end += overlap;
4386    
4387          /* If display currently starts at beginning of line,
4388             keep it that way.  */
4389          if (XBUFFER (XWINDOW (selected_window)->buffer) == current_buffer)
4390            XWINDOW (selected_window)->start_at_line_beg = Fbolp ();
4391    
4392          /* Replace the chars that we need to replace,
4393             and update INSERTED to equal the number of bytes
4394             we are taking from the file.  */
4395          inserted -= (ZV_BYTE - same_at_end) + (same_at_start - BEGV_BYTE);
4396    
4397          if (same_at_end != same_at_start)
4398            {
4399              del_range_byte (same_at_start, same_at_end, 0);
4400              temp = GPT;
4401              same_at_start = GPT_BYTE;
4402            }
4403          else
4404            {
4405              temp = BYTE_TO_CHAR (same_at_start);
4406            }
4407          /* Insert from the file at the proper position.  */
4408          SET_PT_BOTH (temp, same_at_start);
4409          insert_1 (conversion_buffer + same_at_start - BEGV_BYTE, inserted,
4410                    0, 0, 0);
4411          if (coding.cmp_data && coding.cmp_data->used)
4412            coding_restore_composition (&coding, Fcurrent_buffer ());
4413          coding_free_composition_data (&coding);
4414    
4415          /* Set `inserted' to the number of inserted characters.  */
4416          inserted = PT - temp;
4417          /* Set point before the inserted characters.  */
4418          SET_PT_BOTH (temp, same_at_start);
4419    

Event double_free: Double free of pointer "conversion_buffer" in call to "xfree" [model]
Also see events: [freed_arg][double_free][use_after_free][use_after_free]

4420          xfree (conversion_buffer);
4421          emacs_close (fd);



