GNU bug report logs - #35576
27.0.50; Emacs crash when reads an integer with radix > 36


Package: emacs;

Reported by: Tino Calancha <tino.calancha <at> gmail.com>

Date: Sun, 5 May 2019 11:38:02 UTC

Severity: normal

Found in version 27.0.50

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#35576; Package emacs. (Sun, 05 May 2019 11:38:02 GMT)

Acknowledgement sent to Tino Calancha <tino.calancha <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sun, 05 May 2019 11:38:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Tino Calancha <tino.calancha <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 27.0.50; Emacs crash when reads an integer with radix > 36
Date: Sun, 05 May 2019 20:37:08 +0900
emacs -Q:
;; Emacs crashes when you eval the following form
M-: #37r1

;; Expected: you get the error:
;; Invalid read syntax: "integer, radix 37"



In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.22.11)
 of 2019-05-05
Windowing system distributor 'The X.Org Foundation', version 11.0.11902000
System Description: Debian GNU/Linux 9 (stretch)


--8<-----------------------------cut here---------------start------------->8---
commit c5ffba787a10f80d17a0ebc7fc7e1fb0f754843d
Author: Tino Calancha <tino.calancha <at> gmail.com>
Date:   Sun May 5 20:24:03 2019 +0900

    src/lread.c (read_integer): Prevent from accessing a null buffer

diff --git a/src/lread.c b/src/lread.c
index 1c97805ca7..810e24d614 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -2660,19 +2660,17 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix)
      Also, room for invalid syntax diagnostic.  */
   size_t len = max (1 + 1 + UINTMAX_WIDTH + 1,
 		    sizeof "integer, radix " + INT_STRLEN_BOUND (EMACS_INT));
-  char *buf = NULL;
+  char *buf = xmalloc (len);
   char *p = buf;
   int valid = -1; /* 1 if valid, 0 if not, -1 if incomplete.  */
 
   ptrdiff_t count = SPECPDL_INDEX ();
-
   if (radix < 2 || radix > 36)
     valid = 0;
   else
     {
       int c, digit;
 
-      buf = xmalloc (len);
       record_unwind_protect_ptr (free_contents, &buf);
       p = buf;
 
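Review bot: In this hunk `buf` is now allocated unconditionally, but `record_unwind_protect_ptr (free_contents, &buf)` stays inside the `else` branch, so on the `radix < 2 || radix > 36` path the allocation has no registered cleanup and depends entirely on the manual `xfree` added in the next hunk. Moving the `record_unwind_protect_ptr` call up beside the `xmalloc` would cover every exit with one mechanism. The `p = buf;` left in the `else` branch is now redundant with the initializer `char *p = buf;`, and the blank line dropped after `SPECPDL_INDEX ()` is an unrelated whitespace change.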
@@ -2718,8 +2716,10 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix)
 
   if (valid != 1)
     {
-      sprintf (buf, "integer, radix %"pI"d", radix);
-      invalid_syntax (buf);
+      xfree (buf);
+      char str[len];
+      sprintf (str, "integer, radix %"pI"d", radix);
+      invalid_syntax (str);
     }
 
   *p = '\0';
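Review bot: The `xfree (buf)` added under `if (valid != 1)` leaves `buf` pointing at freed memory, and this branch is also reachable after the `else` branch of the previous hunk has run `record_unwind_protect_ptr (free_contents, &buf)`; if `free_contents` releases the pointed-to buffer when `invalid_syntax` unwinds, that path frees it twice. Either drop the `xfree` and let the unwind handler own the buffer on all paths, or set `buf = NULL` right after freeing. `char str[len]` is a variable-length array even though `len` is built from constants; a fixed-size array using the same bound, or reusing `buf` once it is always allocated, avoids the VLA. A regression test that reads `#37r1` and expects the invalid-read-syntax error would pin the fix.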

--8<-----------------------------cut here---------------end--------------->8---




Reply sent to Eli Zaretskii <eliz <at> gnu.org>:
You have taken responsibility. (Sun, 05 May 2019 14:09:01 GMT)

Notification sent to Tino Calancha <tino.calancha <at> gmail.com>:
bug acknowledged by developer. (Sun, 05 May 2019 14:09:01 GMT)

Message #10 received at 35576-done <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Tino Calancha <tino.calancha <at> gmail.com>
Cc: 35576-done <at> debbugs.gnu.org
Subject: Re: bug#35576: 27.0.50;
 Emacs crash when reads an integer with radix > 36
Date: Sun, 05 May 2019 17:07:47 +0300
> From: Tino Calancha <tino.calancha <at> gmail.com>
> Date: Sun, 05 May 2019 20:37:08 +0900
> 
> emacs -Q:
> ;; Emacs crashes when you eval the following form
> M-: #37r1
> 
> ;; Expected: you get the error:
> ;; Invalid read syntax: "integer, radix 37"
> 
> 
> 
> In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.22.11)
>  of 2019-05-05
> Windowing system distributor 'The X.Org Foundation', version 11.0.11902000
> System Description: Debian GNU/Linux 9 (stretch)
> 
> 
> --8<-----------------------------cut here---------------start------------->8---
> commit c5ffba787a10f80d17a0ebc7fc7e1fb0f754843d
> Author: Tino Calancha <tino.calancha <at> gmail.com>
> Date:   Sun May 5 20:24:03 2019 +0900
> 
>     src/lread.c (read_integer): Prevent from accessing a null buffer

Thanks, I installed a slightly different fix (there's no need to call
xfree, since record_unwind_protect_ptr already takes care of that).
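
A stand-alone C model of the failure mode discussed in this thread, added here as an illustration; it is not Emacs's `read_integer` and not part of any message above. It rejects an out-of-range radix before the digit buffer exists, writes the diagnostic into separate storage, and releases the buffer at a single point; `parse_radix_integer` and its `err`/`errlen` parameters are hypothetical names.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a "#<radix>r<digits>" reader; not Emacs's read_integer.
   Returns 0 and stores the value in *out, or -1 with a diagnostic in err. */
int parse_radix_integer(const char *s, long *out, char *err, size_t errlen)
{
    char *end = NULL;
    long radix = (s[0] == '#' && isdigit((unsigned char)s[1]))
                     ? strtol(s + 1, &end, 10) : -1;
    if (radix < 0 || *end != 'r') {
        snprintf(err, errlen, "expected #<radix>r<digits>");
        return -1;
    }
    /* The diagnostic goes into caller-provided storage that exists on every
       path; the digit buffer below is not allocated yet when the radix is
       rejected, so it must never be the formatting target. */
    snprintf(err, errlen, "integer, radix %ld", radix);
    if (radix < 2 || radix > 36)
        return -1;

    const char *digits = end + 1;
    size_t i, n = strlen(digits);
    char *buf = malloc(n + 1);          /* allocated only for a valid radix */
    if (buf == NULL)
        return -1;
    for (i = 0; i < n; i++) {
        int c = tolower((unsigned char)digits[i]);
        int d = isdigit(c) ? c - '0' : (c >= 'a' && c <= 'z') ? c - 'a' + 10 : 99;
        if (d >= radix)
            break;                      /* not a digit in this radix */
        buf[i] = (char)c;
    }
    buf[i] = '\0';
    errno = 0;
    long value = strtol(buf, NULL, (int)radix);
    int ok = n > 0 && i == n && errno != ERANGE;
    if (ok) {
        *out = value;
        err[0] = '\0';
    }
    free(buf);                          /* single release point for buf */
    return ok ? 0 : -1;
}
```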




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 03 Jun 2019 11:24:07 GMT)

This bug report was last modified 4 years and 326 days ago.
