[Emacs-diffs] /srv/bzr/emacs/emacs-24 r108120: Fix bug #12242 with crash
From: Eli Zaretskii
Subject: [Emacs-diffs] /srv/bzr/emacs/emacs-24 r108120: Fix bug #12242 with crashes in ralloc.c on OpenBSD.
Date: Fri, 24 Aug 2012 11:26:46 +0300
User-agent: Bazaar (2.5.0)
------------------------------------------------------------
revno: 108120
fixes bug: http://debbugs.gnu.org/12242
committer: Eli Zaretskii <address@hidden>
branch nick: emacs-24
timestamp: Fri 2012-08-24 11:26:46 +0300
message:
Fix bug #12242 with crashes in ralloc.c on OpenBSD.
src/ralloc.c (free_bloc): Don't dereference a 'heap' structure if it
is not one of the heaps we manage.
modified:
src/ChangeLog
src/ralloc.c
=== modified file 'src/ChangeLog'
--- a/src/ChangeLog 2012-08-15 16:12:37 +0000
+++ b/src/ChangeLog 2012-08-24 08:26:46 +0000
@@ -1,3 +1,8 @@
+2012-08-24 Eli Zaretskii <address@hidden>
+
+ * ralloc.c (free_bloc): Don't dereference a 'heap' structure if it
+ is not one of the heaps we manage. (Bug#12242)
+
2012-08-15 Chong Yidong <address@hidden>
* Version 24.2 released.
=== modified file 'src/ralloc.c'
--- a/src/ralloc.c 2012-06-23 11:07:01 +0000
+++ b/src/ralloc.c 2012-08-24 08:26:46 +0000
@@ -686,6 +686,7 @@
free_bloc (bloc_ptr bloc)
{
heap_ptr heap = bloc->heap;
+ heap_ptr h;
if (r_alloc_freeze_level)
{
@@ -715,20 +716,38 @@
bloc->prev->next = bloc->next;
}
- /* Update the records of which blocs are in HEAP. */
- if (heap->first_bloc == bloc)
- {
- if (bloc->next != 0 && bloc->next->heap == heap)
- heap->first_bloc = bloc->next;
- else
- heap->first_bloc = heap->last_bloc = NIL_BLOC;
- }
- if (heap->last_bloc == bloc)
- {
- if (bloc->prev != 0 && bloc->prev->heap == heap)
- heap->last_bloc = bloc->prev;
- else
- heap->first_bloc = heap->last_bloc = NIL_BLOC;
+ /* Sometimes, 'heap' obtained from bloc->heap above is not really a
+ 'heap' structure. It can even be beyond the current break point,
+ which will cause crashes when we dereference it below (see
+ bug#12242). Evidently, the reason is bloc allocations done while
+ use_relocatable_buffers was non-positive, because additional
+ memory we get then is not recorded in the heaps we manage. If
+ bloc->heap records such a "heap", we cannot (and don't need to)
+ update its records. So we validate the 'heap' value by making
+ sure it is one of the heaps we manage via the heaps linked list,
+ and don't touch a 'heap' that isn't found there. This avoids
+ accessing memory we know nothing about. */
+ for (h = first_heap; h != NIL_HEAP; h = h->next)
+ if (heap == h)
+ break;
+
+ if (h)
+ {
+ /* Update the records of which blocs are in HEAP. */
+ if (heap->first_bloc == bloc)
+ {
+ if (bloc->next != 0 && bloc->next->heap == heap)
+ heap->first_bloc = bloc->next;
+ else
+ heap->first_bloc = heap->last_bloc = NIL_BLOC;
+ }
+ if (heap->last_bloc == bloc)
+ {
+ if (bloc->prev != 0 && bloc->prev->heap == heap)
+ heap->last_bloc = bloc->prev;
+ else
+ heap->first_bloc = heap->last_bloc = NIL_BLOC;
+ }
}
relinquish ();
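Review bot: the lookup loop exits on `h != NIL_HEAP` but the guard that follows is `if (h)`; the two only agree because NIL_HEAP happens to be a null pointer, so spell the guard `if (h != NIL_HEAP)` to match the loop and the `NIL_BLOC` comparisons in the same block. The comment also pins the root cause on bloc allocations made while use_relocatable_buffers was non-positive, whose memory is not recorded in the managed heaps, yet the change is confined to free_bloc: the bogus bloc->heap value is still stored in the bloc, and nothing here corrects it at the allocation site. Either fix or annotate that allocation path (name the function in this comment so the invariant is visible where it is broken), or record in the comment that skipping the first_bloc/last_bloc update is safe because such a bloc was never listed in any managed heap's records to begin with. Note too that this turns every free_bloc into a linear walk of the heaps list; acceptable if the list is short, but worth a word in the comment.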