GNU bug report logs -
#35576
27.0.50; Emacs crash when reads an integer with radix > 36
Previous Next
Reported by: Tino Calancha <tino.calancha <at> gmail.com>
Date: Sun, 5 May 2019 11:38:02 UTC
Severity: normal
Found in version 27.0.50
Done: Eli Zaretskii <eliz <at> gnu.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 35576 in the body.
You can then email your comments to 35576 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#35576
; Package
emacs
.
(Sun, 05 May 2019 11:38:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Tino Calancha <tino.calancha <at> gmail.com>
:
New bug report received and forwarded. Copy sent to
bug-gnu-emacs <at> gnu.org
.
(Sun, 05 May 2019 11:38:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
emacs -Q:
;; Emacs crash when you eval the following form
M-: #37r1
;; Expected: you get the error:
;; Invalid read syntax: "integer, radix 37"
In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.22.11)
of 2019-05-05
Windowing system distributor 'The X.Org Foundation', version 11.0.11902000
System Description: Debian GNU/Linux 9 (stretch)
--8<-----------------------------cut here---------------start------------->8---
commit c5ffba787a10f80d17a0ebc7fc7e1fb0f754843d
Author: Tino Calancha <tino.calancha <at> gmail.com>
Date: Sun May 5 20:24:03 2019 +0900
src/lread.c (read_integer): Prevent from accessing a null buffer
diff --git a/src/lread.c b/src/lread.c
index 1c97805ca7..810e24d614 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -2660,19 +2660,17 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix)
Also, room for invalid syntax diagnostic. */
size_t len = max (1 + 1 + UINTMAX_WIDTH + 1,
sizeof "integer, radix " + INT_STRLEN_BOUND (EMACS_INT));
- char *buf = NULL;
+ char *buf = xmalloc (len);
char *p = buf;
int valid = -1; /* 1 if valid, 0 if not, -1 if incomplete. */
ptrdiff_t count = SPECPDL_INDEX ();
-
if (radix < 2 || radix > 36)
valid = 0;
else
{
int c, digit;
- buf = xmalloc (len);
record_unwind_protect_ptr (free_contents, &buf);
p = buf;
@@ -2718,8 +2716,10 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix)
if (valid != 1)
{
- sprintf (buf, "integer, radix %"pI"d", radix);
- invalid_syntax (buf);
+ xfree (buf);
+ char str[len];
+ sprintf (str, "integer, radix %"pI"d", radix);
+ invalid_syntax (str);
}
*p = '\0';
--8<-----------------------------cut here---------------end--------------->8---
Reply sent
to
Eli Zaretskii <eliz <at> gnu.org>
:
You have taken responsibility.
(Sun, 05 May 2019 14:09:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Tino Calancha <tino.calancha <at> gmail.com>
:
bug acknowledged by developer.
(Sun, 05 May 2019 14:09:01 GMT)
Full text and
rfc822 format available.
Message #10 received at 35576-done <at> debbugs.gnu.org (full text, mbox):
> From: Tino Calancha <tino.calancha <at> gmail.com>
> Date: Sun, 05 May 2019 20:37:08 +0900
>
> emacs -Q:
> ;; Emacs crash when you eval the following form
> M-: #37r1
>
> ;; Expected: you get the error:
> ;; Invalid read syntax: "integer, radix 37"
>
>
>
> In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.22.11)
> of 2019-05-05
> Windowing system distributor 'The X.Org Foundation', version 11.0.11902000
> System Description: Debian GNU/Linux 9 (stretch)
>
>
> --8<-----------------------------cut here---------------start------------->8---
> commit c5ffba787a10f80d17a0ebc7fc7e1fb0f754843d
> Author: Tino Calancha <tino.calancha <at> gmail.com>
> Date: Sun May 5 20:24:03 2019 +0900
>
> src/lread.c (read_integer): Prevent from accessing a null buffer
Thanks, I installed a slightly different fix (there's no need to call
xfree, since record_unwind_protect_ptr already takes care of that).
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Mon, 03 Jun 2019 11:24:07 GMT)
Full text and
rfc822 format available.
This bug report was last modified 4 years and 326 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.