GNU logs - #51105, boring messages


Message sent to bug-gnu-emacs@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Sat, 09 Oct 2021 00:31:01 +0000
Resent-Message-ID: <handler.51105.B.16337394483493 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 51105
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: 51105 <at> debbugs.gnu.org
X-Debbugs-Original-To: bug-gnu-emacs@HIDDEN
Received: via spool by submit <at> debbugs.gnu.org id=B.16337394483493
          (code B ref -1); Sat, 09 Oct 2021 00:31:01 +0000
Received: (at submit) by debbugs.gnu.org; 9 Oct 2021 00:30:48 +0000
Received: from localhost ([127.0.0.1]:52113 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZ0GF-0000tb-BC
	for submit <at> debbugs.gnu.org; Fri, 08 Oct 2021 20:30:48 -0400
Received: from lists.gnu.org ([209.51.188.17]:59112)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mardani29@HIDDEN>) id 1mZ0GD-0000rx-S9
 for submit <at> debbugs.gnu.org; Fri, 08 Oct 2021 20:30:46 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:48880)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mardani29@HIDDEN>)
 id 1mZ0GD-0006jl-H4
 for bug-gnu-emacs@HIDDEN; Fri, 08 Oct 2021 20:30:45 -0400
Received: from sonic313-21.consmr.mail.ir2.yahoo.com ([77.238.179.188]:41566)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <mardani29@HIDDEN>)
 id 1mZ0GA-0007c1-74
 for bug-gnu-emacs@HIDDEN; Fri, 08 Oct 2021 20:30:45 -0400
X-Sonic-MF: <mardani29@HIDDEN>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic313.consmr.mail.ir2.yahoo.com with HTTP; Sat, 9 Oct 2021 00:30:37 +0000
Received: by kubenode521.mail-prod1.omega.ir2.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 48833493ecb42c401f6e9699cd612d11; 
 Sat, 09 Oct 2021 00:30:34 +0000 (UTC)
From: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
Date: Sat, 09 Oct 2021 02:30:33 +0200
Message-ID: <m17den59au.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
References: <m17den59au.fsf.ref@HIDDEN>
X-Mailer: WebService/1.1.19116
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 8212
Received-SPF: pass client-ip=77.238.179.188; envelope-from=mardani29@HIDDEN;
 helo=sonic313-21.consmr.mail.ir2.yahoo.com
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)


There is a buffer overflow bug in the function
ns_compute_glyph_string_overhangs with some particular information
received from the display engine.

(I haven't reduced the test case yet so you may not reproduce the
issue with the following recipe.)

  emacs -Q

Attach a debugger to the Emacs process and add the following
conditional breakpoint:

  br set -f nsterm.m -l 2853 -c 's->nchars==0'

Continue running Emacs

  M-x eww RET wikipedia.org RET

The debugger will stop with the following backtrace:

* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x000000010e25a20e emacs`ns_compute_glyph_string_overhangs(s=0x00007ffee232ef40) at nsterm.m:2853:7
    frame #1: 0x000000010da4cbdf emacs`draw_glyphs(w=0x00006210000ac130, x=66, row=0x000062b00029ae00, area=TEXT_AREA, start=0, end=12, hl=DRAW_NORMAL_TEXT, overlaps=0) at xdisp.c:29036:4
    frame #2: 0x000000010da49bd0 emacs`gui_write_glyphs(w=0x00006210000ac130, updated_row=0x000062b00029ae00, start=0x0000629001be4200, updated_area=TEXT_AREA, len=12) at xdisp.c:31179:7
    frame #3: 0x000000010d90bc4d emacs`update_text_area(w=0x00006210000ac130, updated_row=0x000062b00029ae00, vpos=28) at dispnew.c:3934:2
    frame #4: 0x000000010d902191 emacs`update_window_line(w=0x00006210000ac130, vpos=28, mouse_face_overwritten_p=0x00007ffee2331720) at dispnew.c:4177:11
    frame #5: 0x000000010d8d84f7 emacs`update_window(w=0x00006210000ac130, force_p=true) at dispnew.c:3680:19
    frame #6: 0x000000010d8d9bbc emacs`update_window_tree(w=0x00006210000ac130, force_p=true) at dispnew.c:3405:14
    frame #7: 0x000000010d8d67e6 emacs`update_frame(f=0x00006210000ad530, force_p=true, inhibit_hairy_id_p=false) at dispnew.c:3240:18
    frame #8: 0x000000010d9db568 emacs`redisplay_internal at xdisp.c:16160:16
    frame #9: 0x000000010d9eb0a9 emacs`redisplay_preserve_echo_area(from_where=12) at xdisp.c:16429:7
    frame #10: 0x000000010e0cb8e1 emacs`wait_reading_process_output(time_limit=0, nsecs=0, read_kbd=-1, do_display=true, wait_for_cell=0x0000000000000000, wait_proc=0x0000000000000000, just_wait_proc=0) at process.c:5789:7
    frame #11: 0x000000010dd99c82 emacs`kbd_buffer_get_event(kbp=0x00007ffee23371c0, used_mouse_menu=0x00007ffee23386c0, end_time=0x0000000000000000) at keyboard.c:3924:4
    frame #12: 0x000000010dd9825e emacs`read_event_from_main_queue(end_time=0x0000000000000000, local_getcjmp=0x00007ffee2338300, used_mouse_menu=0x00007ffee23386c0) at keyboard.c:2198:7
    frame #13: 0x000000010dd6a19a emacs`read_decoded_event_from_main_queue(end_time=0x0000000000000000, local_getcjmp=0x00007ffee2338300, prev_event=0x0000000000000000, used_mouse_menu=0x00007ffee23386c0) at keyboard.c:2262:11
    frame #14: 0x000000010dd632c8 emacs`read_char(commandflag=1, map=0x00006290003eb8a3, prev_event=0x0000000000000000, used_mouse_menu=0x00007ffee23386c0, end_time=0x0000000000000000) at keyboard.c:2892:11
    frame #15: 0x000000010dd58e1d emacs`read_key_sequence(keybuf=0x00007ffee23393a0, prompt=0x0000000000000000, dont_downcase_last=false, can_return_switch_frame=true, fix_current_buffer=true, prevent_redisplay=false) at keyboard.c:9619:12
    frame #16: 0x000000010dd539f3 emacs`command_loop_1 at keyboard.c:1392:15
    frame #17: 0x000000010dfa45d9 emacs`internal_condition_case(bfun=(emacs`command_loop_1 at keyboard.c:1278), handlers=0x0000000000000090, hfun=(emacs`cmd_error at keyboard.c:936)) at eval.c:1453:25
    frame #18: 0x000000010dd52903 emacs`command_loop_2(handlers=0x0000000000000090) at keyboard.c:1133:11
    frame #19: 0x000000010dfa2ff9 emacs`internal_catch(tag=0x000000000000df80, func=(emacs`command_loop_2 at keyboard.c:1129), arg=0x0000000000000090) at eval.c:1184:25
    frame #20: 0x000000010dd50f81 emacs`command_loop at keyboard.c:1111:2
    frame #21: 0x000000010dd50c9b emacs`recursive_edit_1 at keyboard.c:720:9
    frame #22: 0x000000010dd5147a emacs`Frecursive_edit at keyboard.c:803:3
    frame #23: 0x000000010dd4a05a emacs`main(argc=2, argv=0x00007ffee233a310) at emacs.c:2310:3
    frame #24: 0x00007fff20496f3d libdyld.dylib`start + 1

This line in nsterm.m will be executed and is problematic:

  codes[1] = *(s->char2b + s->nchars - 1);

When s->nchars is 0, the code will reference one position before
s->char2b.

I have two questions:

1) Is there any reason the function chooses the first and last glyphs
instead of passing the whole glyph string and relying on text_extents to
perform boundary checks? That is, I propose:

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..207da60481 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2853,11 +2853,7 @@ Hide the window (X11 semantics)
   if (s->char2b)
     {
       struct font_metrics metrics;
-      unsigned int codes[2];
-      codes[0] = *(s->char2b);
-      codes[1] = *(s->char2b + s->nchars - 1);
-
-      font->driver->text_extents (font, codes, 2, &metrics);
+      font->driver->text_extents (font, s->char2b, s->nchars, &metrics);
       s->left_overhang = -metrics.lbearing;
       s->right_overhang
 	= metrics.rbearing > metrics.width
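
Review bot: The surviving guard "if (s->char2b)" still does not test s->nchars, so in the reported case (s->nchars == 0) the new call hands text_extents a zero count, and the overhang assignments below it then depend on whatever the font driver leaves in metrics for an empty run. Either extend the condition with s->nchars > 0 and leave both overhangs at 0 otherwise, or confirm that every text_extents implementation reachable from nsterm.m fills metrics when the count is 0. The removed code also copied the glyph codes into an "unsigned int codes[2]", while the new call passes s->char2b directly; the hunk does not show the element type of char2b, so check that it matches what text_extents expects. Measuring the whole string rather than its first and last glyph changes what metrics.width stands for in the "metrics.rbearing > metrics.width" comparison, which deserves a sentence in the commit message.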

This way to call the text_extents API is also implemented in w32term.c
and xterm.c.

2) The root cause of the issue may be that s->nchars is 0 when it
shouldn't.  Is there any legitimate scenario where the display engine
may call this routine with s->nchars equal to 0? If so, what are those
situations?


In GNU Emacs 29.0.50 (build 1, x86_64-apple-darwin20.6.0, NS appkit-2022.60 Version 11.6 (Build 20G165))
 of 2021-10-09 built on Daniels-MacBook-Pro.local
Repository revision: 36d7c4af7c83c4f3ea9ab9fdd0822b986564d78e
Repository branch: master
Windowing system distributor 'Apple', version 10.3.2022
System Description:  macOS 11.6

Configured using:
 'configure 'CFLAGS=-O0 -g3''

Configured features:
ACL DBUS GIF GLIB GMP GNUTLS JPEG JSON LCMS2 LIBXML2 MODULES NOTIFY
KQUEUE NS PDUMPER PNG RSVG THREADS TIFF TOOLKIT_SCROLL_BARS XIM ZLIB

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  show-paren-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  indent-tabs-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc puny dired dired-loaddefs
rfc822 mml mml-sec epa derived epg rfc6068 epg-config gnus-util rmail
rmail-loaddefs auth-source cl-seq eieio eieio-core cl-macs
eieio-loaddefs password-cache json map text-property-search time-date
seq gv subr-x byte-opt bytecomp byte-compile cconv mm-decode mm-bodies
mm-encode mail-parse rfc2231 mailabbrev gmm-utils mailheader cl-loaddefs
cl-lib sendmail rfc2047 rfc2045 ietf-drums mm-util mail-prsvr mail-utils
iso-transl tooltip eldoc paren electric uniquify ediff-hook vc-hooks
lisp-float-type elisp-mode mwheel term/ns-win ns-win ucs-normalize
mule-util term/common-win tool-bar dnd fontset image regexp-opt fringe
tabulated-list replace newcomment text-mode lisp-mode prog-mode register
page tab-bar menu-bar rfn-eshadow isearch easymenu timer select
scroll-bar mouse jit-lock font-lock syntax font-core term/tty-colors
frame minibuffer cl-generic cham georgian utf-8-lang misc-lang
vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms cp51932
hebrew greek romanian slovak czech european ethiopic indian cyrillic
chinese composite emoji-zwj charscript charprop case-table epa-hook
jka-cmpr-hook help simple abbrev obarray cl-preloaded nadvice button
loaddefs faces cus-face macroexp files window text-properties overlay
sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote threads dbusbind kqueue cocoa ns
lcms2 multi-tty make-network-process emacs)

Memory information:
((conses 16 49678 8809)
 (symbols 48 6572 1)
 (strings 32 17870 1691)
 (string-bytes 1 591830)
 (vectors 16 12905)
 (vector-slots 8 177066 9811)
 (floats 8 21 51)
 (intervals 56 191 0)
 (buffers 992 10))




Message sent:


Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
Subject: bug#51105: Acknowledgement (29.0.50; Buffer overflow bug in
 ns_compute_glyph_string_overhangs)
Message-ID: <handler.51105.B.16337394483493.ack <at> debbugs.gnu.org>
References: <m17den59au.fsf@HIDDEN>
X-Gnu-PR-Message: ack 51105
X-Gnu-PR-Package: emacs
Reply-To: 51105 <at> debbugs.gnu.org
Date: Sat, 09 Oct 2021 00:31:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-gnu-emacs@HIDDEN

If you wish to submit further information on this problem, please
send it to 51105 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
51105: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=51105
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems


Message sent to bug-gnu-emacs@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Eli Zaretskii <eliz@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Sat, 09 Oct 2021 06:41:01 +0000
Resent-Message-ID: <handler.51105.B51105.163376165120101 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 51105
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
Cc: 51105 <at> debbugs.gnu.org
Received: via spool by 51105-submit <at> debbugs.gnu.org id=B51105.163376165120101
          (code B ref 51105); Sat, 09 Oct 2021 06:41:01 +0000
Received: (at 51105) by debbugs.gnu.org; 9 Oct 2021 06:40:51 +0000
Received: from localhost ([127.0.0.1]:52235 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZ62N-0005E9-2V
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 02:40:51 -0400
Received: from eggs.gnu.org ([209.51.188.92]:35984)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1mZ62L-0005Dw-8j
 for 51105 <at> debbugs.gnu.org; Sat, 09 Oct 2021 02:40:49 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:48240)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <eliz@HIDDEN>)
 id 1mZ62B-0000TT-72; Sat, 09 Oct 2021 02:40:41 -0400
Received: from 84.94.185.95.cable.012.net.il ([84.94.185.95]:2697
 helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1mZ61y-0003of-8h; Sat, 09 Oct 2021 02:40:38 -0400
Date: Sat, 09 Oct 2021 09:40:09 +0300
Message-Id: <83bl3yya46.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
In-Reply-To: <m17den59au.fsf@HIDDEN> (bug-gnu-emacs@HIDDEN)
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
MIME-version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Spam-Score: -2.3 (--)
X-Spam-Score: -3.3 (---)

> Date: Sat, 09 Oct 2021 02:30:33 +0200
> From:  Daniel Martín via "Bug reports for GNU Emacs,
>  the Swiss army knife of text editors" <bug-gnu-emacs@HIDDEN>
> 
> 2) The root cause of the issue may be that s->nchars is 0 when it
> shouldn't.  Is there any legitimate scenario where the display engine
> may call this routine with s->nchars equal to 0? If so, what are those
> situations?

I think if the glyph string has composition glyphs, nchars can be
zero.  What is the value of s->first_glyph->type in the case where it
happens?




Message sent to bug-gnu-emacs@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Sat, 09 Oct 2021 10:07:01 +0000
Resent-Message-ID: <handler.51105.B51105.163377401115400 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 51105
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Eli Zaretskii <eliz@HIDDEN>
Cc: 51105 <at> debbugs.gnu.org
Received: via spool by 51105-submit <at> debbugs.gnu.org id=B51105.163377401115400
          (code B ref 51105); Sat, 09 Oct 2021 10:07:01 +0000
Received: (at 51105) by debbugs.gnu.org; 9 Oct 2021 10:06:51 +0000
Received: from localhost ([127.0.0.1]:52317 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZ9Fi-00040K-QX
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 06:06:51 -0400
Received: from sonic309-24.consmr.mail.ir2.yahoo.com ([77.238.179.82]:39985)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mardani29@HIDDEN>) id 1mZ9Fg-000405-Uf
 for 51105 <at> debbugs.gnu.org; Sat, 09 Oct 2021 06:06:49 -0400
X-Sonic-MF: <mardani29@HIDDEN>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic309.consmr.mail.ir2.yahoo.com with HTTP; Sat, 9 Oct 2021 10:06:43 +0000
Received: by kubenode527.mail-prod1.omega.ir2.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 4c2a9959af849393f228a3b0fdd67703; 
 Sat, 09 Oct 2021 10:06:37 +0000 (UTC)
From: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN>
Date: Sat, 09 Oct 2021 12:06:36 +0200
In-Reply-To: <83bl3yya46.fsf@HIDDEN> (Eli Zaretskii's message of "Sat, 09 Oct
 2021 09:40:09 +0300")
Message-ID: <m1r1cu4imr.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailer: WebService/1.1.19116
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 1602
X-Spam-Score: 0.2 (/)
X-Spam-Score: -0.8 (/)

Eli Zaretskii <eliz@HIDDEN> writes:

>> Date: Sat, 09 Oct 2021 02:30:33 +0200
>> From:  Daniel Martín via "Bug reports for GNU Emacs,
>>  the Swiss army knife of text editors" <bug-gnu-emacs@HIDDEN>
>> 
>> 2) The root cause of the issue may be that s->nchars is 0 when it
>> shouldn't.  Is there any legitimate scenario where the display engine
>> may call this routine with s->nchars equal to 0? If so, what are those
>> situations?
>
> I think if the glyph string has composition glyphs, nchars can be
> zero.  What is the value of s->first_glyph->type in the case where it
> happens?

Yep, it seems so:

(lldb) fr v s->first_glyph->type
(unsigned int:3) s->first_glyph->type = 1

I've found a 2006 commit that seemed to handle this particular pointer
arithmetic logic for when the type of the first glyph is STRETCH_GLYPH:
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=825de9a1027073beaec38ab1572e9d954f8a1eb0

Now I think that the right thing to do may be to modify nsterm.m, switch
on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call
composition_gstring_width to get the glyph metrics.  Function
composition_gstring_width uses the values from fields s->cmp_from and
s->cmp_to, and would avoid the buffer overflow:

(lldb) fr v s->cmp_from
(int) s->cmp_from = 6
(lldb) fr v s->cmp_to
(int) s->cmp_to = 7

WDYT? I can prepare a patch of this type if you agree.

I'll try to get the sequence of codepoints from the glyph string in the
debugger, so we can have a reduced test case (ie. the exact string from
the Wikipedia's front page that causes the issue).
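
A minimal C model of the guard discussed in the report and of the glyph-type dispatch proposed in the follow-up above, added here as an example; it is not code from Emacs or from any participant in the thread. The struct layout, the model_* names, the toy metrics and the half-open reading of cmp_from/cmp_to are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins (assumptions of this example) for the structures named in the
   thread; only the fields the discussion mentions are modelled.  */
struct font_metrics { int lbearing, rbearing, width; };
enum model_glyph_type { MODEL_CHAR_GLYPH, MODEL_COMPOSITE_GLYPH };

struct model_glyph_string
{
  enum model_glyph_type first_glyph_type;
  const unsigned *char2b;         /* can be non-NULL while nchars == 0 */
  int nchars;
  const struct font_metrics *cmp; /* constructed per-glyph composition metrics */
  int cmp_from, cmp_to;           /* half-open range [cmp_from, cmp_to) in cmp */
  int left_overhang, right_overhang;
};

/* Fold one glyph placed at pen position m->width into the running metrics.  */
static void
accumulate (struct font_metrics *m, bool first, int lb, int rb, int advance)
{
  lb += m->width;
  rb += m->width;
  if (first || lb < m->lbearing) m->lbearing = lb;
  if (first || rb > m->rbearing) m->rbearing = rb;
  m->width += advance;
}

/* Toy text_extents: code c has lbearing -(c & 3), rbearing
   10 + ((c >> 2) & 3) and advance 10.  */
static void
model_text_extents (const unsigned *codes, int n, struct font_metrics *m)
{
  m->lbearing = m->rbearing = m->width = 0;
  for (int i = 0; i < n; i++)
    accumulate (m, i == 0, -(int) (codes[i] & 3),
                10 + (int) ((codes[i] >> 2) & 3), 10);
}

/* Toy counterpart of measuring a composition over [from, to).  */
static void
model_composition_extents (const struct font_metrics *g, int from, int to,
                           struct font_metrics *m)
{
  m->lbearing = m->rbearing = m->width = 0;
  for (int i = from; i < to; i++)
    accumulate (m, i == from, g[i].lbearing, g[i].rbearing, g[i].width);
}

/* Offset from char2b that the unguarded `s->char2b + s->nchars - 1` reads.  */
ptrdiff_t
last_code_index (int nchars)
{
  return (ptrdiff_t) nchars - 1;
}

/* Returns true when metrics were computed; false when there is nothing to
   measure, in which case both overhangs stay 0 and no memory is read.  */
bool
model_compute_overhangs (struct model_glyph_string *s)
{
  struct font_metrics m;
  s->left_overhang = s->right_overhang = 0;

  if (s->first_glyph_type == MODEL_COMPOSITE_GLYPH)
    {
      /* Composite strings are measured from the composition range, never
         through char2b/nchars.  */
      if (!s->cmp || s->cmp_from < 0 || s->cmp_to <= s->cmp_from)
        return false;
      model_composition_extents (s->cmp, s->cmp_from, s->cmp_to, &m);
    }
  else
    {
      /* The pointer test alone is not enough: nchars must be positive
         before char2b[nchars - 1] is a valid element.  */
      if (!s->char2b || s->nchars <= 0)
        return false;
      unsigned codes[2] = { s->char2b[0], s->char2b[s->nchars - 1] };
      model_text_extents (codes, 2, &m);
    }

  s->left_overhang = -m.lbearing;
  /* Assumed formula: the hunk on the page is cut off after the comparison.  */
  s->right_overhang = m.rbearing > m.width ? m.rbearing - m.width : 0;
  return true;
}

int
main (void)
{
  /* Constructed sample mirroring the debugger values in the thread:
     composite first glyph, nchars == 0, cmp_from == 6, cmp_to == 7.  */
  static const unsigned codes[] = { 5, 8, 14 };
  static const struct font_metrics cmp[8] = { [6] = { -2, 13, 11 } };
  struct model_glyph_string s
    = { MODEL_COMPOSITE_GLYPH, codes, 0, cmp, 6, 7, 0, 0 };

  printf ("unguarded index for nchars=0: %td\n", last_code_index (s.nchars));
  printf ("computed=%d left=%d right=%d\n", model_compute_overhangs (&s),
          s.left_overhang, s.right_overhang);
  return 0;
}
```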




Message sent to bug-gnu-emacs@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Eli Zaretskii <eliz@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Sat, 09 Oct 2021 11:44:01 +0000
Resent-Message-ID: <handler.51105.B51105.163377983217906 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 51105
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>, Alan Third <alan@HIDDEN>
Cc: 51105 <at> debbugs.gnu.org
Received: via spool by 51105-submit <at> debbugs.gnu.org id=B51105.163377983217906
          (code B ref 51105); Sat, 09 Oct 2021 11:44:01 +0000
Received: (at 51105) by debbugs.gnu.org; 9 Oct 2021 11:43:52 +0000
Received: from localhost ([127.0.0.1]:52408 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZAlc-0004ek-Ac
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 07:43:52 -0400
Received: from eggs.gnu.org ([209.51.188.92]:43214)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1mZAlY-0004eR-4q
 for 51105 <at> debbugs.gnu.org; Sat, 09 Oct 2021 07:43:50 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:52452)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <eliz@HIDDEN>)
 id 1mZAlN-0000Ri-9C; Sat, 09 Oct 2021 07:43:39 -0400
Received: from 84.94.185.95.cable.012.net.il ([84.94.185.95]:1358
 helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1mZAlM-0006Nz-Sv; Sat, 09 Oct 2021 07:43:37 -0400
Date: Sat, 09 Oct 2021 14:43:18 +0300
Message-Id: <83v926whih.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
In-Reply-To: <m1r1cu4imr.fsf@HIDDEN> (message from Daniel =?UTF-8?Q?Mart=C3=ADn?= on Sat, 09 Oct 2021 12:06:36 +0200)
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN> <m1r1cu4imr.fsf@HIDDEN>
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: -2.3 (--)
X-Spam-Score: -3.3 (---)

> From: Daniel Martín <mardani29@HIDDEN>
> Cc: 51105 <at> debbugs.gnu.org
> Date: Sat, 09 Oct 2021 12:06:36 +0200
> 
> Now I think that the right thing to do may be to modify nsterm.m, switch
> on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call
> composition_gstring_width to get the glyph metrics.  Function
> composition_gstring_width uses the values from fields s->cmp_from and
> s->cmp_to, and would avoid the buffer overflow:
> 
> (lldb) fr v s->cmp_from
> (int) s->cmp_from = 6
> (lldb) fr v s->cmp_to
> (int) s->cmp_to = 7
> 
> WDYT? I can prepare a patch of this type if you agree.

SGTM, but I'd like to hear Alan's opinion as well, as I don't feel I
know enough about the NS display backend.




Message sent to bug-gnu-emacs@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Alan Third <alan@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Sat, 09 Oct 2021 13:58:01 +0000
Resent-Message-ID: <handler.51105.B51105.163378787224985 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 51105
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Eli Zaretskii <eliz@HIDDEN>
Cc: 51105 <at> debbugs.gnu.org, Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
Received: via spool by 51105-submit <at> debbugs.gnu.org id=B51105.163378787224985
          (code B ref 51105); Sat, 09 Oct 2021 13:58:01 +0000
Received: (at 51105) by debbugs.gnu.org; 9 Oct 2021 13:57:52 +0000
Received: from localhost ([127.0.0.1]:53895 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZCrI-0006Uv-EP
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 09:57:52 -0400
Received: from outbound.soverin.net ([116.202.126.228]:44975)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <alan@HIDDEN>) id 1mZCrG-0006Uf-Cq
 for 51105 <at> debbugs.gnu.org; Sat, 09 Oct 2021 09:57:51 -0400
Received: from smtp.soverin.net (unknown [10.10.3.24])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 (No client certificate requested)
 by outbound.soverin.net (Postfix) with ESMTPS id BDF98E3;
 Sat,  9 Oct 2021 13:57:43 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by
 soverin.net
Received: from alan by faroe.holly.idiocy.org with local (Exim 4.95-RC2)
 (envelope-from <alan@HIDDEN>) id 1mZCr6-000Bw0-By;
 Sat, 09 Oct 2021 14:57:40 +0100
Date: Sat, 9 Oct 2021 14:57:40 +0100
From: Alan Third <alan@HIDDEN>
Message-ID: <YWGf1Bc+wFI3cixx@HIDDEN>
Mail-Followup-To: Alan Third <alan@HIDDEN>, Eli Zaretskii <eliz@HIDDEN>,
 Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>,
 51105 <at> debbugs.gnu.org
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN> <m1r1cu4imr.fsf@HIDDEN>
 <83v926whih.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <83v926whih.fsf@HIDDEN>
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

On Sat, Oct 09, 2021 at 02:43:18PM +0300, Eli Zaretskii wrote:
> > From: Daniel Martín <mardani29@HIDDEN>
> > Cc: 51105 <at> debbugs.gnu.org
> > Date: Sat, 09 Oct 2021 12:06:36 +0200
> > 
> > Now I think that the right thing to do may be to modify nsterm.m, switch
> > on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call
> > composition_gstring_width to get the glyph metrics.  Function
> > composition_gstring_width uses the values from fields s->cmp_from and
> > s->cmp_to, and would avoid the buffer overflow:
> > 
> > (lldb) fr v s->cmp_from
> > (int) s->cmp_from = 6
> > (lldb) fr v s->cmp_to
> > (int) s->cmp_to = 7
> > 
> > WDYT? I can prepare a patch of this type if you agree.
> 
> SGTM, but I'd like to hear Alan's opinion as well, as I don't feel I
> know enough about the NS display backend.

I don't know much about this part of the code, but it sounds good to
me too.
-- 
Alan Third




Message sent to bug-gnu-emacs@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Sat, 09 Oct 2021 19:36:02 +0000
Resent-Message-ID: <handler.51105.B51105.1633808138609 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 51105
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Alan Third <alan@HIDDEN>
Cc: 51105 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
Received: via spool by 51105-submit <at> debbugs.gnu.org id=B51105.1633808138609
          (code B ref 51105); Sat, 09 Oct 2021 19:36:02 +0000
Received: (at 51105) by debbugs.gnu.org; 9 Oct 2021 19:35:38 +0000
Received: from localhost ([127.0.0.1]:54150 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZI8A-00009l-9c
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 15:35:38 -0400
Received: from sonic314-20.consmr.mail.ir2.yahoo.com ([77.238.177.146]:39046)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mardani29@HIDDEN>) id 1mZI85-00009V-VY
 for 51105 <at> debbugs.gnu.org; Sat, 09 Oct 2021 15:35:37 -0400
X-Sonic-MF: <mardani29@HIDDEN>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic314.consmr.mail.ir2.yahoo.com with HTTP; Sat, 9 Oct 2021 19:35:28 +0000
Received: by kubenode521.mail-prod1.omega.ir2.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID c005fc59c7ded80b59c22b633a87c38d; 
 Sat, 09 Oct 2021 19:35:23 +0000 (UTC)
From: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN> <m1r1cu4imr.fsf@HIDDEN>
 <83v926whih.fsf@HIDDEN> <YWGf1Bc+wFI3cixx@HIDDEN>
Date: Sat, 09 Oct 2021 21:35:22 +0200
In-Reply-To: <YWGf1Bc+wFI3cixx@HIDDEN> (Alan Third's message of "Sat, 9
 Oct 2021 14:57:40 +0100")
Message-ID: <m1a6jirnyd.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Mailer: WebService/1.1.19116
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 3951
X-Spam-Score: 0.2 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.8 (/)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Alan Third <alan@HIDDEN> writes:

> On Sat, Oct 09, 2021 at 02:43:18PM +0300, Eli Zaretskii wrote:
>> > From: Daniel Martín <mardani29@HIDDEN>
>> > Cc: 51105 <at> debbugs.gnu.org
>> > Date: Sat, 09 Oct 2021 12:06:36 +0200
>> >
>> > Now I think that the right thing to do may be to modify nsterm.m, switch
>> > on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call
>> > composition_gstring_width to get the glyph metrics.  Function
>> > composition_gstring_width uses the values from fields s->cmp_from and
>> > s->cmp_to, and would avoid the buffer overflow:
>> >
>> > (lldb) fr v s->cmp_from
>> > (int) s->cmp_from = 6
>> > (lldb) fr v s->cmp_to
>> > (int) s->cmp_to = 7
>> >
>> > WDYT? I can prepare a patch of this type if you agree.
>>
>> SGTM, but I'd like to hear Alan's opinion as well, as I don't feel I
>> know enough about the NS display backend.
>
> I don't know much about this part of the code, but it sounds good to
> me too.

A reduced test case to reproduce the problem is to paste "العربية" in the
*scratch* buffer.

I've attached a patch that fixes the issue.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment;
 filename=0001-Fix-buffer-overflow-in-ns_compute_glyph_string_overh.patch

From 23897a25d7ddebc06ab855058d36a5e291e5cba3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Mart=C3=ADn?= <mardani29@HIDDEN>
Date: Sat, 9 Oct 2021 21:10:20 +0200
Subject: [PATCH] Fix buffer overflow in ns_compute_glyph_string_overhangs

* src/nsterm.m (ns_compute_glyph_string_overhangs): When the first
glyph of a glyph string is a composite glyph, `s->nchars' is 0, so
"s->char2b + s->nchars - 1" dereferenced a position before buffer
`s->char2b'.  Instead, rewrite part of the function to distinguish
between character glyphs and composite glyphs.  For character glyphs,
calculate the font metrics using the `text_extents' function, passing
it the entire glyph string; for composite glyphs, call
`composition_gstring_width'. (Bug#51105)
---
 src/nsterm.m | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..e616766ec7 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2848,20 +2848,27 @@ Hide the window (X11 semantics)
      External (RIF); compute left/right overhang of whole string and set in s
    -------------------------------------------------------------------------- */
 {
-  struct font *font = s->font;
-
   if (s->char2b)
     {
       struct font_metrics metrics;
-      unsigned int codes[2];
-      codes[0] = *(s->char2b);
-      codes[1] = *(s->char2b + s->nchars - 1);
-
-      font->driver->text_extents (font, codes, 2, &metrics);
-      s->left_overhang = -metrics.lbearing;
-      s->right_overhang
-	= metrics.rbearing > metrics.width
-	? metrics.rbearing - metrics.width : 0;
+      if (s->first_glyph->type == CHAR_GLYPH && !s->font_not_found_p)
+        {
+          struct font *font = s->font;
+          font->driver->text_extents (font, s->char2b, s->nchars, &metrics);
+          s->left_overhang = -metrics.lbearing;
+          s->right_overhang
+            = metrics.rbearing > metrics.width
+            ? metrics.rbearing - metrics.width : 0;
+        }
+      else if (s->first_glyph->type == COMPOSITE_GLYPH)
+        {
+          Lisp_Object gstring = composition_gstring_from_id (s->cmp_id);
+
+	  composition_gstring_width (gstring, s->cmp_from, s->cmp_to, &metrics);
+	  s->right_overhang = (metrics.rbearing > metrics.width
+			       ? metrics.rbearing - metrics.width : 0);
+	  s->left_overhang = metrics.lbearing < 0 ? -metrics.lbearing : 0;
+        }
     }
   else
     {
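Review bot: In the new CHAR_GLYPH branch, `s->left_overhang = -metrics.lbearing` is stored unclamped, while the COMPOSITE_GLYPH branch added right below it uses `metrics.lbearing < 0 ? -metrics.lbearing : 0`, so a positive lbearing yields a negative left overhang in one branch and 0 in the other. Either clamp both the same way or add a comment saying why character glyphs keep the old form. The four statement lines of the composite branch are also indented with tabs while the other added lines use spaces.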
-- 
2.31.0


--=-=-=
Content-Type: text/plain


Let me know if you like it and please install it on my behalf if so.
Thanks.


--=-=-=--




Message sent to bug-gnu-emacs@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Sat, 09 Oct 2021 19:43:02 +0000
Resent-Message-ID: <handler.51105.B.16338085311266 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 51105
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: 51105 <at> debbugs.gnu.org
Cc: alan@HIDDEN, eliz@HIDDEN
X-Debbugs-Original-To: Daniel =?UTF-8?Q?Mart=C3=ADn?= via "Bug reports for GNU Emacs, the Swiss army knife of text editors" <bug-gnu-emacs@HIDDEN>
X-Debbugs-Original-Cc: 51105 <at> debbugs.gnu.org, Alan Third <alan@HIDDEN>, Eli Zaretskii <eliz@HIDDEN>
Received: via spool by submit <at> debbugs.gnu.org id=B.16338085311266
          (code B ref -1); Sat, 09 Oct 2021 19:43:02 +0000
Received: (at submit) by debbugs.gnu.org; 9 Oct 2021 19:42:11 +0000
Received: from localhost ([127.0.0.1]:54167 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZIEU-0000KF-NX
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 15:42:11 -0400
Received: from lists.gnu.org ([209.51.188.17]:50702)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mardani29@HIDDEN>) id 1mZIEQ-0000Jy-B6
 for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 15:42:09 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:58364)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mardani29@HIDDEN>)
 id 1mZIEP-0005Zd-CT
 for bug-gnu-emacs@HIDDEN; Sat, 09 Oct 2021 15:42:06 -0400
Received: from sonic313-21.consmr.mail.ir2.yahoo.com ([77.238.179.188]:40389)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <mardani29@HIDDEN>)
 id 1mZIEN-0001Iw-LP
 for bug-gnu-emacs@HIDDEN; Sat, 09 Oct 2021 15:42:05 -0400
X-Sonic-MF: <mardani29@HIDDEN>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic313.consmr.mail.ir2.yahoo.com with HTTP; Sat, 9 Oct 2021 19:42:00 +0000
Received: by kubenode534.mail-prod1.omega.ir2.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 8407a3ebbcb93664e4a88831d1761cc0; 
 Sat, 09 Oct 2021 19:41:58 +0000 (UTC)
From: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN> <m1r1cu4imr.fsf@HIDDEN>
 <83v926whih.fsf@HIDDEN> <YWGf1Bc+wFI3cixx@HIDDEN>
 <m1a6jirnyd.fsf@HIDDEN>
Date: Sat, 09 Oct 2021 21:41:57 +0200
In-Reply-To: <m1a6jirnyd.fsf@HIDDEN> ("Daniel =?UTF-8?Q?Mart=C3=ADn?= via
 \"Bug reports for
 GNU Emacs, the Swiss army knife of text editors\""'s message of "Sat,
 09 Oct 2021 21:35:22 +0200")
Message-ID: <m1o87yq92y.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Mailer: WebService/1.1.19116
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 3208
Received-SPF: pass client-ip=77.238.179.188; envelope-from=mardani29@HIDDEN;
 helo=sonic313-21.consmr.mail.ir2.yahoo.com
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Daniel Martín via "Bug reports for GNU Emacs, the Swiss army knife of
text editors" <bug-gnu-emacs@HIDDEN> writes:

>
> A reduced test case to reproduce the problem is to paste "العربية" in the
> *scratch* buffer.
>
> I've attached a patch that fixes the issue.
>
>
>
> Let me know if you like it and please install it on my behalf if so.
> Thanks.

Sorry, there was an indentation problem in the previous patch.  Here's
an updated one.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment;
 filename=0001-Fix-buffer-overflow-in-ns_compute_glyph_string_overh.patch

From 1f64cf0bb78b77570d60f70c2e2342c2293a5ffb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Mart=C3=ADn?= <mardani29@HIDDEN>
Date: Sat, 9 Oct 2021 21:10:20 +0200
Subject: [PATCH] Fix buffer overflow in ns_compute_glyph_string_overhangs

* src/nsterm.m (ns_compute_glyph_string_overhangs): When the first
glyph of a glyph string is a composite glyph, `s->nchars' is 0, so
"s->char2b + s->nchars - 1" dereferenced a position before buffer
`s->char2b'.  Instead, rewrite part of the function to distinguish
between character glyphs and composite glyphs.  For character glyphs,
calculate the font metrics using the `text_extents' function, passing
it the entire glyph string; for composite glyphs, call
`composition_gstring_width'. (Bug#51105)
---
 src/nsterm.m | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..e8e08640c6 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2848,20 +2848,27 @@ Hide the window (X11 semantics)
      External (RIF); compute left/right overhang of whole string and set in s
    -------------------------------------------------------------------------- */
 {
-  struct font *font = s->font;
-
   if (s->char2b)
     {
       struct font_metrics metrics;
-      unsigned int codes[2];
-      codes[0] = *(s->char2b);
-      codes[1] = *(s->char2b + s->nchars - 1);
-
-      font->driver->text_extents (font, codes, 2, &metrics);
-      s->left_overhang = -metrics.lbearing;
-      s->right_overhang
-	= metrics.rbearing > metrics.width
-	? metrics.rbearing - metrics.width : 0;
+      if (s->first_glyph->type == CHAR_GLYPH && !s->font_not_found_p)
+        {
+          struct font *font = s->font;
+          font->driver->text_extents (font, s->char2b, s->nchars, &metrics);
+          s->left_overhang = -metrics.lbearing;
+          s->right_overhang
+            = metrics.rbearing > metrics.width
+            ? metrics.rbearing - metrics.width : 0;
+        }
+      else if (s->first_glyph->type == COMPOSITE_GLYPH)
+        {
+          Lisp_Object gstring = composition_gstring_from_id (s->cmp_id);
+
+          composition_gstring_width (gstring, s->cmp_from, s->cmp_to, &metrics);
+          s->right_overhang = (metrics.rbearing > metrics.width
+                               ? metrics.rbearing - metrics.width : 0);
+          s->left_overhang = metrics.lbearing < 0 ? -metrics.lbearing : 0;
+        }
     }
   else
     {
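Review bot: When `s->char2b` is non-NULL but the first glyph is neither a CHAR_GLYPH with a found font nor a COMPOSITE_GLYPH (for example a CHAR_GLYPH with `s->font_not_found_p` set), the rewritten block assigns neither `s->left_overhang` nor `s->right_overhang`, whereas the removed lines always assigned both in this branch. Add a final `else` that sets both to 0, or state in a comment that the fields are already zero on entry, so a stale value cannot reach the caller.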
-- 
2.31.0


--=-=-=--
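The underflow described in the commit message above, next to a guarded dispatch on glyph kind, as an added example that is not code from Emacs or from the patch. The struct, the metrics table, the function names and the half-open `[cmp_from, cmp_to)` range are simplified stand-ins assumed for this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions of this example, not Emacs types). */
enum glyph_kind { KIND_CHAR, KIND_COMPOSITE, KIND_OTHER };
struct metrics { int lbearing, rbearing, width; };
struct overhang { int left, right; };

struct glyph_string_model {
  enum glyph_kind first_kind;
  const unsigned *char2b;  /* glyph codes, used only for KIND_CHAR */
  int nchars;              /* 0 when the string starts with a composite */
  int cmp_from, cmp_to;    /* composite sub-range, modelled as [from, to) */
};

/* Constructed per-glyph metrics; codes index this table modulo its size. */
static const struct metrics TOY_GLYPHS[] = {
  {  0,  8, 8 },  /* 0: fits its advance width */
  { -2,  7, 8 },  /* 1: ink starts 2 units left of the origin */
  {  0, 11, 8 },  /* 2: ink ends 3 units past the advance width */
  {  1,  6, 8 },  /* 3: inset on both sides */
};
#define TOY_NGLYPHS ((int) (sizeof TOY_GLYPHS / sizeof TOY_GLYPHS[0]))

/* Constructed composition: glyph codes of one composed run. */
static const unsigned TOY_COMPOSITION[] = { 0, 0, 3, 0, 1, 0, 2, 0 };
#define TOY_NCOMP ((int) (sizeof TOY_COMPOSITION / sizeof TOY_COMPOSITION[0]))

/* Index the pre-patch expression "char2b + nchars - 1" would read.
   Returned, not dereferenced, so the example itself stays defined.  */
ptrdiff_t
legacy_last_index (const struct glyph_string_model *s)
{
  return (ptrdiff_t) s->nchars - 1;
}

/* Extents of codes[0..n-1] laid out left to right; caller ensures n > 0. */
static struct metrics
combine (const unsigned *codes, int n)
{
  struct metrics m = { 0, 0, 0 };
  for (int i = 0; i < n; i++)
    {
      const struct metrics *g = &TOY_GLYPHS[codes[i] % TOY_NGLYPHS];
      int l = m.width + g->lbearing, r = m.width + g->rbearing;
      if (i == 0 || l < m.lbearing) m.lbearing = l;
      if (i == 0 || r > m.rbearing) m.rbearing = r;
      m.width += g->width;
    }
  return m;
}

/* Returns 1 if overhangs were computed, 0 if the glyph kind has none,
   -1 if the length or range would index outside the backing array.  */
int
compute_overhangs (const struct glyph_string_model *s, struct overhang *out)
{
  struct metrics m;
  out->left = out->right = 0;
  switch (s->first_kind)
    {
    case KIND_CHAR:
      if (s->char2b == NULL || s->nchars <= 0)
        return -1;
      m = combine (s->char2b, s->nchars);
      break;
    case KIND_COMPOSITE:
      if (s->cmp_from < 0 || s->cmp_from >= s->cmp_to || s->cmp_to > TOY_NCOMP)
        return -1;
      m = combine (TOY_COMPOSITION + s->cmp_from, s->cmp_to - s->cmp_from);
      break;
    default:
      return 0;
    }
  out->left = m.lbearing < 0 ? -m.lbearing : 0;
  out->right = m.rbearing > m.width ? m.rbearing - m.width : 0;
  return 1;
}

int
main (void)
{
  static const unsigned codes[] = { 1, 0, 2 };
  /* Composite-first string with the values shown in the lldb output. */
  struct glyph_string_model comp = { KIND_COMPOSITE, codes, 0, 6, 7 };
  struct overhang o;
  int rc = compute_overhangs (&comp, &o);
  printf ("legacy index=%td rc=%d left=%d right=%d\n",
          legacy_last_index (&comp), rc, o.left, o.right);
  return 0;
}
```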




Message sent to bug-gnu-emacs@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Sat, 09 Oct 2021 19:43:02 +0000
Resent-Message-ID: <handler.51105.B51105.16338085301258 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 51105
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: 51105 <at> debbugs.gnu.org
Cc: alan@HIDDEN, eliz@HIDDEN
X-Debbugs-Original-To: Daniel =?UTF-8?Q?Mart=C3=ADn?= via "Bug reports for GNU Emacs, the Swiss army knife of text editors" <bug-gnu-emacs@HIDDEN>
X-Debbugs-Original-Cc: 51105 <at> debbugs.gnu.org, Alan Third <alan@HIDDEN>, Eli Zaretskii <eliz@HIDDEN>
Received: via spool by 51105-submit <at> debbugs.gnu.org id=B51105.16338085301258
          (code B ref 51105); Sat, 09 Oct 2021 19:43:02 +0000
Received: (at 51105) by debbugs.gnu.org; 9 Oct 2021 19:42:10 +0000
Received: from localhost ([127.0.0.1]:54165 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZIEU-0000KD-C0
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 15:42:10 -0400
Received: from sonic313-21.consmr.mail.ir2.yahoo.com ([77.238.179.188]:41419)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mardani29@HIDDEN>) id 1mZIEQ-0000Jb-BI
 for 51105 <at> debbugs.gnu.org; Sat, 09 Oct 2021 15:42:08 -0400
X-Sonic-MF: <mardani29@HIDDEN>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic313.consmr.mail.ir2.yahoo.com with HTTP; Sat, 9 Oct 2021 19:42:00 +0000
Received: by kubenode534.mail-prod1.omega.ir2.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 8407a3ebbcb93664e4a88831d1761cc0; 
 Sat, 09 Oct 2021 19:41:58 +0000 (UTC)
From: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN> <m1r1cu4imr.fsf@HIDDEN>
 <83v926whih.fsf@HIDDEN> <YWGf1Bc+wFI3cixx@HIDDEN>
 <m1a6jirnyd.fsf@HIDDEN>
Date: Sat, 09 Oct 2021 21:41:57 +0200
In-Reply-To: <m1a6jirnyd.fsf@HIDDEN> ("Daniel =?UTF-8?Q?Mart=C3=ADn?= via
 \"Bug reports for
 GNU Emacs, the Swiss army knife of text editors\""'s message of "Sat,
 09 Oct 2021 21:35:22 +0200")
Message-ID: <m1o87yq92y.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Mailer: WebService/1.1.19116
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 3208
X-Spam-Score: 0.2 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.8 (/)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Daniel Martín via "Bug reports for GNU Emacs, the Swiss army knife of
text editors" <bug-gnu-emacs@HIDDEN> writes:

>
> A reduced test case to reproduce the problem is to paste "العربية" in the
> *scratch* buffer.
>
> I've attached a patch that fixes the issue.
>
>
>
> Let me know if you like it and please install it on my behalf if so.
> Thanks.

Sorry, there was an indentation problem in the previous patch.  Here's
an updated one.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment;
 filename=0001-Fix-buffer-overflow-in-ns_compute_glyph_string_overh.patch

From 1f64cf0bb78b77570d60f70c2e2342c2293a5ffb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Mart=C3=ADn?= <mardani29@HIDDEN>
Date: Sat, 9 Oct 2021 21:10:20 +0200
Subject: [PATCH] Fix buffer overflow in ns_compute_glyph_string_overhangs

* src/nsterm.m (ns_compute_glyph_string_overhangs): When the first
glyph of a glyph string is a composite glyph, `s->nchars' is 0, so
"s->char2b + s->nchars - 1" dereferenced a position before buffer
`s->char2b'.  Instead, rewrite part of the function to distinguish
between character glyphs and composite glyphs.  For character glyphs,
calculate the font metrics using the `text_extents' function, passing
it the entire glyph string; for composite glyphs, call
`composition_gstring_width'. (Bug#51105)
---
 src/nsterm.m | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..e8e08640c6 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2848,20 +2848,27 @@ Hide the window (X11 semantics)
      External (RIF); compute left/right overhang of whole string and set in s
    -------------------------------------------------------------------------- */
 {
-  struct font *font = s->font;
-
   if (s->char2b)
     {
       struct font_metrics metrics;
-      unsigned int codes[2];
-      codes[0] = *(s->char2b);
-      codes[1] = *(s->char2b + s->nchars - 1);
-
-      font->driver->text_extents (font, codes, 2, &metrics);
-      s->left_overhang = -metrics.lbearing;
-      s->right_overhang
-	= metrics.rbearing > metrics.width
-	? metrics.rbearing - metrics.width : 0;
+      if (s->first_glyph->type == CHAR_GLYPH && !s->font_not_found_p)
+        {
+          struct font *font = s->font;
+          font->driver->text_extents (font, s->char2b, s->nchars, &metrics);
+          s->left_overhang = -metrics.lbearing;
+          s->right_overhang
+            = metrics.rbearing > metrics.width
+            ? metrics.rbearing - metrics.width : 0;
+        }
+      else if (s->first_glyph->type == COMPOSITE_GLYPH)
+        {
+          Lisp_Object gstring = composition_gstring_from_id (s->cmp_id);
+
+          composition_gstring_width (gstring, s->cmp_from, s->cmp_to, &metrics);
+          s->right_overhang = (metrics.rbearing > metrics.width
+                               ? metrics.rbearing - metrics.width : 0);
+          s->left_overhang = metrics.lbearing < 0 ? -metrics.lbearing : 0;
+        }
     }
   else
     {
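Review bot: when `s->char2b` is non-NULL but neither new branch matches (a CHAR_GLYPH string with `s->font_not_found_p` set, or a first glyph of any other type), `s->left_overhang` and `s->right_overhang` are never assigned in this block, whereas the removed code always assigned both. Add a final `else` that sets both to 0, or a comment naming where they are initialized. Also, the CHAR_GLYPH branch keeps `s->left_overhang = -metrics.lbearing` unclamped while the COMPOSITE_GLYPH branch uses `metrics.lbearing < 0 ? -metrics.lbearing : 0`; a positive lbearing gives a negative left overhang in one path and 0 in the other, so use the same clamp in both or state why they differ.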
-- 
2.31.0


--=-=-=--
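The failure mode described in the commit message above, reduced to a stand-alone C model (an added example, not code from Emacs or from the patch author). `struct gstr`, `struct metrics`, `toy_extents` and the sample values are constructed stand-ins; only the `nchars == 0` condition and the overhang formulas come from the patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the fields the commit message names; the real
   Emacs glyph string and font metrics structs have more members. */
enum glyph_kind { KIND_CHAR, KIND_COMPOSITE };
struct metrics { int lbearing, rbearing, width; };
struct gstr {
  const unsigned *char2b;      /* glyph codes; not used for compositions */
  int nchars;                  /* 0 when the first glyph is a composition */
  enum glyph_kind first_kind;
  struct metrics composed;     /* toy: precomputed composition metrics */
  int left_overhang, right_overhang;
};

/* Offset that the pre-patch expression "char2b + nchars - 1" points at.
   Returned as a number, so nothing is dereferenced here. */
ptrdiff_t last_code_offset (const struct gstr *s)
{
  return (ptrdiff_t) s->nchars - 1;
}

/* Toy extents: each code is 10 wide; a leading 'j' hangs 2 to the left,
   a trailing 'f' hangs 3 to the right.  Requires n >= 1. */
static struct metrics toy_extents (const unsigned *codes, int n)
{
  struct metrics m = { 0, 0, 10 * n };
  if (codes[0] == 'j') m.lbearing = -2;
  m.rbearing = m.width + (codes[n - 1] == 'f' ? 3 : 0);
  return m;
}

/* Decide by glyph kind before touching char2b.  Returns false, with both
   overhangs zeroed, when no branch applies. */
bool compute_overhangs (struct gstr *s)
{
  struct metrics m;
  s->left_overhang = s->right_overhang = 0;
  if (s->first_kind == KIND_CHAR && s->char2b && s->nchars > 0)
    m = toy_extents (s->char2b, s->nchars);
  else if (s->first_kind == KIND_COMPOSITE)
    m = s->composed;
  else
    return false;
  s->left_overhang = m.lbearing < 0 ? -m.lbearing : 0;
  s->right_overhang = m.rbearing > m.width ? m.rbearing - m.width : 0;
  return true;
}

int main (void)
{
  struct gstr comp = { NULL, 0, KIND_COMPOSITE, { -1, 14, 12 }, 0, 0 };
  printf ("pre-patch offset: %td\n", last_code_offset (&comp));
  bool ok = compute_overhangs (&comp);
  printf ("ok=%d left=%d right=%d\n", ok, comp.left_overhang, comp.right_overhang);
  return 0;
}
```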




Message received at control <at> debbugs.gnu.org:


Received: (at control) by debbugs.gnu.org; 11 Oct 2021 14:18:22 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 11 10:18:22 2021
Received: from localhost ([127.0.0.1]:60577 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZw8E-0004NO-Ik
	for submit <at> debbugs.gnu.org; Mon, 11 Oct 2021 10:18:22 -0400
Received: from mail-pl1-f178.google.com ([209.85.214.178]:40862)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@HIDDEN>) id 1mZw8C-0004Mz-UI
 for control <at> debbugs.gnu.org; Mon, 11 Oct 2021 10:18:21 -0400
Received: by mail-pl1-f178.google.com with SMTP id v20so4342057plo.7
 for <control <at> debbugs.gnu.org>; Mon, 11 Oct 2021 07:18:20 -0700 (PDT)
X-Received: by 2002:a17:902:6b07:b0:13e:d5ba:3d8f with SMTP id
 o7-20020a1709026b0700b0013ed5ba3d8fmr24852552plk.32.1633961895147; Mon, 11
 Oct 2021 07:18:15 -0700 (PDT)
Received: from 753933720722 named unknown by gmailapi.google.com with
 HTTPREST; Mon, 11 Oct 2021 07:18:14 -0700
From: Stefan Kangas <stefan@HIDDEN>
MIME-Version: 1.0
Date: Mon, 11 Oct 2021 07:18:14 -0700
Message-ID: <CADwFkm=tu-5GE=378YCfV__LAmNoSHM0y5WXDYtRLTuo3fCxdg@HIDDEN>
Subject: control message for bug #51105
To: control <at> debbugs.gnu.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.5 (/)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.5 (/)

tags 51105 + patch
quit




Message sent to bug-gnu-emacs@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Lars Ingebrigtsen <larsi@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Fri, 05 Nov 2021 02:40:02 +0000
Resent-Message-ID: <handler.51105.B51105.163607996328369 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 51105
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch
To: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>
Cc: 51105 <at> debbugs.gnu.org, alan@HIDDEN, eliz@HIDDEN
Received: via spool by 51105-submit <at> debbugs.gnu.org id=B51105.163607996328369
          (code B ref 51105); Fri, 05 Nov 2021 02:40:02 +0000
Received: (at 51105) by debbugs.gnu.org; 5 Nov 2021 02:39:23 +0000
Received: from localhost ([127.0.0.1]:44107 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mip8V-0007NQ-FH
	for submit <at> debbugs.gnu.org; Thu, 04 Nov 2021 22:39:23 -0400
Received: from quimby.gnus.org ([95.216.78.240]:34138)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <larsi@HIDDEN>) id 1mip8O-0007N0-VR
 for 51105 <at> debbugs.gnu.org; Thu, 04 Nov 2021 22:39:20 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnus.org;
 s=20200322; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID
 :In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=pRfCDIZ+J64hP1tY6T/ptIvsGAq6OvMRud31E6vqNXk=; b=ZkqLgZ9mAWsXVtvRz0d1cgXsZZ
 IkabZ+F1t+K3fLU9MShuDeahYlXEDthdln23lvwOOqEtfKl4NT/cyHYcwWKNLilmT62SfwWyj2hfh
 +v0LHjxPrwJCVbC2mAutVyiYezDHGb5lrjDbNH8D2Q7puGJj4++q2EQ1cuoQqcA4oXJk=;
Received: from [84.212.220.105] (helo=elva)
 by quimby.gnus.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.92) (envelope-from <larsi@HIDDEN>)
 id 1mip8B-0000HX-81; Fri, 05 Nov 2021 03:39:05 +0100
From: Lars Ingebrigtsen <larsi@HIDDEN>
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN> <m1r1cu4imr.fsf@HIDDEN>
 <83v926whih.fsf@HIDDEN> <YWGf1Bc+wFI3cixx@HIDDEN>
 <m1a6jirnyd.fsf@HIDDEN> <m1o87yq92y.fsf@HIDDEN>
X-Now-Playing: Fire Escape's _Abandon Head_: "Goodbye Archetype"
Date: Fri, 05 Nov 2021 03:39:01 +0100
In-Reply-To: <m1o87yq92y.fsf@HIDDEN> ("Daniel =?UTF-8?Q?Mart=C3=ADn?="'s
 message of "Sat, 09 Oct 2021 21:41:57 +0200")
Message-ID: <8735obnx6i.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Daniel Martín <mardani29@HIDDEN> writes:

> Sorry, there was an indentation problem in the previous patch.  Here's
> an updated one.

It seemed like Alan agreed with the fix, and I tested it now on my M1
Apple laptop, and it didn't break anything obvious, so I've now pushed
Daniel's patch to the trunk.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Message received at control <at> debbugs.gnu.org:


Received: (at control) by debbugs.gnu.org; 5 Nov 2021 02:39:23 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Nov 04 22:39:23 2021
Received: from localhost ([127.0.0.1]:44105 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mip8R-0007NF-JL
	for submit <at> debbugs.gnu.org; Thu, 04 Nov 2021 22:39:23 -0400
Received: from quimby.gnus.org ([95.216.78.240]:34144)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <larsi@HIDDEN>) id 1mip8P-0007N2-Vw
 for control <at> debbugs.gnu.org; Thu, 04 Nov 2021 22:39:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnus.org;
 s=20200322; h=Subject:From:To:Message-Id:Date:Sender:Reply-To:Cc:
 MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=dVHgiaFYpubHhHGgaMfTYQ7LTqtCKwdrzyM/BNvi2AY=; b=DptLYusjoJ45ls41T6bzusG8rI
 l8YiO1uQnoIOSvfFe0riyjpwVQU/A5MTAuYJ6DxN6yZ52LhWZ6b3jmd5BuidmFfPUGqRYcGxGbR4P
 XoGEEAhZp0PKHWPee/QkIS370Mi5e5ToL3fAxBr9DzNSzN4t8Lm3+JwPOnBKSPtmYDjs=;
Received: from [84.212.220.105] (helo=elva)
 by quimby.gnus.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.92) (envelope-from <larsi@HIDDEN>) id 1mip8I-0000Ia-0n
 for control <at> debbugs.gnu.org; Fri, 05 Nov 2021 03:39:12 +0100
Date: Fri, 05 Nov 2021 03:39:09 +0100
Message-Id: <871r3vnx6a.fsf@HIDDEN>
To: control <at> debbugs.gnu.org
From: Lars Ingebrigtsen <larsi@HIDDEN>
Subject: control message for bug #51105
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

close 51105 29.1
quit






Last modified: Fri, 5 Nov 2021 02:45:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.