GNU bug report logs - #51105
29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: emacs; Reported by: Daniel Martín <mardani29@HIDDEN>; Keywords: patch; dated Sat, 9 Oct 2021 00:31:01 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.
Added tag(s) patch. Request was from Stefan Kangas <stefan@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 51105 <at> debbugs.gnu.org:


Received: (at 51105) by debbugs.gnu.org; 9 Oct 2021 19:42:10 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Oct 09 15:42:10 2021
Received: from localhost ([127.0.0.1]:54165 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZIEU-0000KD-C0
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 15:42:10 -0400
Received: from sonic313-21.consmr.mail.ir2.yahoo.com ([77.238.179.188]:41419)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mardani29@HIDDEN>) id 1mZIEQ-0000Jb-BI
 for 51105 <at> debbugs.gnu.org; Sat, 09 Oct 2021 15:42:08 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.es; s=s2048;
 t=1633808520; bh=mezjEi0afG9ZiSQCT0OnaZHP+WCx7HUW+DkylDmTZTo=;
 h=From:To:Cc:Subject:References:Date:In-Reply-To:From:Subject:Reply-To;
 b=L6FuRCiLqavcbYOuU48bPa2xI4BUMavz9XZRXuNcX81W7pyqCYbwb7uojTiUeren3rg8mJnEGrygFiPWrYQLVe42bBhuppRgvvLk1btTXUow5UKnhu4nGLwnwP/5eRU7ZtuoKY46BnLyCYmvHjHuz0Kou0Z8DXrBPt/U9ilaD9Rg5VFVXqaWeURs/1yu14h2wfImXoKQJBdQ3kXfb4BO62h0YrtCOVQONzyRLTSO8b01ZrT+6xfWBpjKk5gp0JpL1M9iHMi3mIBg3XFVQOnmBFd7UyYw/LZOaSQq6754uvMMMN1yfao666IZf96sg5Q4z33cZYbbV3gvE7TCgKRWKg==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1633808520; bh=ed4ZOroqiGuGfZhzENx38+9ISvQLofAjoRmf+wMwS6K=;
 h=X-Sonic-MF:From:To:Subject:Date:From:Subject;
 b=XRX5ygT3mGQcHXhCqEAqLWDxlguztggl6QSoBNYWM/VP3WactZjdrYXRKgUQJwj3mwgX/XRSVj5H66DrvtsjuklIZVmEzEm6ONc+FpGlFvxeIiQw9b15mI/oYYBQKSkZzPeGRPv4JuC/wn0eo1B5hb0OPInP4MZSkTcNYRwdYeIHu/pz6McFO2ps5CfjabTHRe0SX97b+Q4g8xVMFRtoa4JBlLyxUFDis8Q5JRAW7sHERW7m9vksz5P5p/KePDeYXr9xCbY9jqr8oPy46u7wBnDSIO8cOeorj6HZumlWt0Cc5gjuSSUSLnAIjEea1orl9qFgG5gWBxSkcXighOUhdQ==
X-YMail-OSG: F3RXCQcVM1n_hkojpfDDzBJ5XDrlqe3WJSJ8ym8cOLN8O6HCZY8XR4TkNE1JpwO
 8mmetAi_RFwN6_41bC78ocJBZud6Z2hvNjQik.l.8SWLHoRafksGFJCaCkN3RGMVfK9uNf_hJc6t
 JPUsh8ItV.4xsMw5sqJVuSxlbHKdDfROfq9s_fW6JiW6iFFc5KCzb4v9N191OJVyjIyl3Rj2zpjP
 QouhHc5Jnbkjcr4xj1v2bjnvizW8mngKDLvsO39WJQchkHP_onK2SmMFF12AiAe3iZHjXsSp2iAR
 jBlFwMKoB4QKkpJVv_bPKAIrbPllhfoz7PZG_D9okzqAOwViMgzODg8G6o5PTppL6Q5eAorOHumN
 i8Fa6jJqCnLvxYRQMAoOd4o4m0u.2Nvw_JQPhDGu7h6xfSO4q53WPNYhZw1rHV3qp7rwzMWl1EjW
 9BvqH3uwQoO4XRp7Zf.NgzD6flUJTTlvMDen_0hPrufk2m_i_gqrW7ji0CUH9_PTae.26AGACXv8
 xW5ALl7tRUi6LmSmTRLn6lyaAku2ULKxErgz9HHwXDGFDqsHllnfQQydnePS94jWMoEKtpJ6.ziH
 EhVso_FV2NH4kriyTMe90_IWRwePnM1HNadlKf_CwjdXRIuFxHJOqWwhL6NTQ.xbydEyE7kcelQl
 VanwfxTTmc6B8iAWqmivacykRVuBC3yyHuznqN8ziHDnLSb8VNrMkz3QVyqjnadeTqtSOlwQLZlV
 uWp_NePacXTg6L3mRjMwEWmdiR8HzDzB5AeGZKqdAFMAxi.0SHXYOFCVD73XcIwsdZbX2rSrK6b0
 AcTe4HfFhn_r7uYXAnX_n4G2y7vX_0CLudm2HIZngVfo5xiKKfK4WrRywdqD3kxbTRv3T6OfF.9m
 cm8EzXxTNzIIeLnOSvGym1kBycjlGNatWxHieFYhJlSXARaAHPHfBWfIHsZp7Xluu3AnyxQQLTQM
 Wg6ODpjMpWyHmGCc5ZudRnBKgv.tVjCaI4EVmIgPaz4hT2dnlRPAdxf7hLGAvGIKRMdVCSsM2xr7
 I9Lk2kH.Vh.jAfJk6Aiuc.v3rMl0kKLGZRUzvaWR1_rTOQ_FTQPPqkbW13IqWq_2NXj1GyCH06HV
 MFJKO0wrPHWcu.ZMxR4S0vPJwV9oXLwaQMin4j2bkFpvsRp5l7XBnpeTNnByoH9N_iXUFvg6qdTK
 3J3W4Gng3GR4Y29EuU0kZMCMSJDi_BljMyeLIU8IzZtS8ua1TkREMIXtLfbFZrMmG46U6JsAmWDy
 4wH_A.ceHi7.3uHDVelNDNnGMooMSmvrtuaAly8aPTc6xeiYpMx0uh9nktyvU7flFQXelQ03DSTf
 hIxhocMZ.pTXWrd0eOHKQI3zWiP.wYTXqxIHi4X4s_JTQTG3jLw5r.QpHlqrPywwy2bFqruv.2fM
 ap54XIQDbbqlk6SPCLgn5UmPysJJIAAfYhn0pFNkyN62iiCinP3M7hWPLND3JBSl5chSzLkyUy_0
 HL34KaKQC.mSIH6DT8WCy45mOuYUKhsQy7_kZVJxRKniJEWqzK3XSc5xoxB7NQG9S5w8hcAAkz3k
 ZOtrrI1ho7vxs9xi75TizEoxJQ_mOTuSpDWtTolAmycB9psV6OABs2bGWSV8KQIS5IkuIL75pRXI
 gsQ6ofrfPr8cDsj0pRS2hvxijcx02E5uPMwvJnd1ERKNPIyRqe6_CApjulQm6HDyuTIASqqESkpt
 pJoIdp5k.5FNwEWSFFm34kf0Rxcz7fCmuGnQI3lD8CIhWZ7wg0h1c4WJy0T1NC6idCAZzPbtPocV
 bDvmQU23Jg3HCXVJI98qyMjNs46zFEfrPxVR9CP3UyspW8h7rD2f5tNmI65pCmRaC4cjD_CIMvkT
 nQo5Vj._mEy6Kv6X9FEPG46_ZQa3ChyTdvQUqhuZhJtKzbVryOLx01UgGszUk3LC6rl1mZYVQYKO
 ib99sQ4k06NTqZzS9hPRGoJOdf3w.1gmzb6okp8vBAdXR_bV9jCuB7.ay7POehlKbY7gErqpbvb3
 IiZD2Gk.oH4kpQxC6wR0H_UUfFoSQpAlH_.x29Gh658YnMjUg46ZTNysnah7Be1jpF_vQsIQGKn5
 scbdasI3EyBU0ZuXmR44zcXQVe8rSjsdyDgMegKkDxpMOOiVU6EQVMVtKLsKnLJEkUqiBqVfe.da
 mY5U28qpYAF7y3.8kWuQxFYTMMxcTT.wo3a1k1Sl26_wJuVOHgAEK5SsAqAT2PBznZL09B2xuKXh
 C1qt5D684p7iMug--
X-Sonic-MF: <mardani29@HIDDEN>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic313.consmr.mail.ir2.yahoo.com with HTTP; Sat, 9 Oct 2021 19:42:00 +0000
Received: by kubenode534.mail-prod1.omega.ir2.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 8407a3ebbcb93664e4a88831d1761cc0; 
 Sat, 09 Oct 2021 19:41:58 +0000 (UTC)
From: =?utf-8?Q?Daniel_Mart=C3=ADn?= <mardani29@HIDDEN>
To: Daniel =?utf-8?Q?Mart=C3=ADn?= via "Bug reports for GNU Emacs, the Swiss
 army knife of text editors" <bug-gnu-emacs@HIDDEN>
Subject: Re: bug#51105: 29.0.50; Buffer overflow bug in
 ns_compute_glyph_string_overhangs
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN> <m1r1cu4imr.fsf@HIDDEN>
 <83v926whih.fsf@HIDDEN> <YWGf1Bc+wFI3cixx@HIDDEN>
 <m1a6jirnyd.fsf@HIDDEN>
Date: Sat, 09 Oct 2021 21:41:57 +0200
In-Reply-To: <m1a6jirnyd.fsf@HIDDEN> ("Daniel =?utf-8?Q?Mart=C3=ADn?= via
 \"Bug reports for
 GNU Emacs, the Swiss army knife of text editors\""'s message of "Sat,
 09 Oct 2021 21:35:22 +0200")
Message-ID: <m1o87yq92y.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Mailer: WebService/1.1.19116
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 3208
X-Spam-Score: 0.2 (/)
X-Debbugs-Envelope-To: 51105
Cc: 51105 <at> debbugs.gnu.org, Alan Third <alan@HIDDEN>,
 Eli Zaretskii <eliz@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.8 (/)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Daniel Mart=C3=ADn via "Bug reports for GNU Emacs, the Swiss army knife of
text editors" <bug-gnu-emacs@HIDDEN> writes:

>
> A reduced test case to reproduce the problem is to paste "=D8=A7=D9=84=D8=
=B9=D8=B1=D8=A8=D9=8A=D8=A9" in the
> *scratch* buffer.
>
> I've attached a patch that fixes the issue.
>
>
>
> Let me know if you like it and please install it on my behalf if so.
> Thanks.

Sorry, there was an indentation problem in the previous patch.  Here's
an updated one.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment;
 filename=0001-Fix-buffer-overflow-in-ns_compute_glyph_string_overh.patch

From 1f64cf0bb78b77570d60f70c2e2342c2293a5ffb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Mart=C3=ADn?= <mardani29@HIDDEN>
Date: Sat, 9 Oct 2021 21:10:20 +0200
Subject: [PATCH] Fix buffer overflow in ns_compute_glyph_string_overhangs

* src/nsterm.m (ns_compute_glyph_string_overhangs): When the first
glyph of a glyph string is a composite glyph, `s->nchars' is 0, so
"s->char2b + s->nchars - 1" dereferenced a position before buffer
`s->char2b'.  Instead, rewrite part of the function to distinguish
between character glyphs and composite glyphs.  For character glyphs,
calculate the font metrics using the `text_extents' function, passing
it the entire glyph string; for composite glyphs, call
`composition_gstring_width'. (Bug#51105)
---
 src/nsterm.m | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..e8e08640c6 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2848,20 +2848,27 @@ Hide the window (X11 semantics)
      External (RIF); compute left/right overhang of whole string and set in s
    -------------------------------------------------------------------------- */
 {
-  struct font *font = s->font;
-
   if (s->char2b)
     {
       struct font_metrics metrics;
-      unsigned int codes[2];
-      codes[0] = *(s->char2b);
-      codes[1] = *(s->char2b + s->nchars - 1);
-
-      font->driver->text_extents (font, codes, 2, &metrics);
-      s->left_overhang = -metrics.lbearing;
-      s->right_overhang
-	= metrics.rbearing > metrics.width
-	? metrics.rbearing - metrics.width : 0;
+      if (s->first_glyph->type == CHAR_GLYPH && !s->font_not_found_p)
+        {
+          struct font *font = s->font;
+          font->driver->text_extents (font, s->char2b, s->nchars, &metrics);
+          s->left_overhang = -metrics.lbearing;
+          s->right_overhang
+            = metrics.rbearing > metrics.width
+            ? metrics.rbearing - metrics.width : 0;
+        }
+      else if (s->first_glyph->type == COMPOSITE_GLYPH)
+        {
+          Lisp_Object gstring = composition_gstring_from_id (s->cmp_id);
+
+          composition_gstring_width (gstring, s->cmp_from, s->cmp_to, &metrics);
+          s->right_overhang = (metrics.rbearing > metrics.width
+                               ? metrics.rbearing - metrics.width : 0);
+          s->left_overhang = metrics.lbearing < 0 ? -metrics.lbearing : 0;
+        }
     }
   else
     {
-- 
2.31.0


--=-=-=--




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#51105; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 9 Oct 2021 19:42:11 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Oct 09 15:42:11 2021
Received: from localhost ([127.0.0.1]:54167 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZIEU-0000KF-NX
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 15:42:11 -0400
Received: from lists.gnu.org ([209.51.188.17]:50702)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mardani29@HIDDEN>) id 1mZIEQ-0000Jy-B6
 for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 15:42:09 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:58364)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mardani29@HIDDEN>)
 id 1mZIEP-0005Zd-CT
 for bug-gnu-emacs@HIDDEN; Sat, 09 Oct 2021 15:42:06 -0400
Received: from sonic313-21.consmr.mail.ir2.yahoo.com ([77.238.179.188]:40389)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <mardani29@HIDDEN>)
 id 1mZIEN-0001Iw-LP
 for bug-gnu-emacs@HIDDEN; Sat, 09 Oct 2021 15:42:05 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.es; s=s2048;
 t=1633808520; bh=mezjEi0afG9ZiSQCT0OnaZHP+WCx7HUW+DkylDmTZTo=;
 h=From:To:Cc:Subject:References:Date:In-Reply-To:From:Subject:Reply-To;
 b=L6FuRCiLqavcbYOuU48bPa2xI4BUMavz9XZRXuNcX81W7pyqCYbwb7uojTiUeren3rg8mJnEGrygFiPWrYQLVe42bBhuppRgvvLk1btTXUow5UKnhu4nGLwnwP/5eRU7ZtuoKY46BnLyCYmvHjHuz0Kou0Z8DXrBPt/U9ilaD9Rg5VFVXqaWeURs/1yu14h2wfImXoKQJBdQ3kXfb4BO62h0YrtCOVQONzyRLTSO8b01ZrT+6xfWBpjKk5gp0JpL1M9iHMi3mIBg3XFVQOnmBFd7UyYw/LZOaSQq6754uvMMMN1yfao666IZf96sg5Q4z33cZYbbV3gvE7TCgKRWKg==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1633808520; bh=ed4ZOroqiGuGfZhzENx38+9ISvQLofAjoRmf+wMwS6K=;
 h=X-Sonic-MF:From:To:Subject:Date:From:Subject;
 b=XRX5ygT3mGQcHXhCqEAqLWDxlguztggl6QSoBNYWM/VP3WactZjdrYXRKgUQJwj3mwgX/XRSVj5H66DrvtsjuklIZVmEzEm6ONc+FpGlFvxeIiQw9b15mI/oYYBQKSkZzPeGRPv4JuC/wn0eo1B5hb0OPInP4MZSkTcNYRwdYeIHu/pz6McFO2ps5CfjabTHRe0SX97b+Q4g8xVMFRtoa4JBlLyxUFDis8Q5JRAW7sHERW7m9vksz5P5p/KePDeYXr9xCbY9jqr8oPy46u7wBnDSIO8cOeorj6HZumlWt0Cc5gjuSSUSLnAIjEea1orl9qFgG5gWBxSkcXighOUhdQ==
X-YMail-OSG: F3RXCQcVM1n_hkojpfDDzBJ5XDrlqe3WJSJ8ym8cOLN8O6HCZY8XR4TkNE1JpwO
 8mmetAi_RFwN6_41bC78ocJBZud6Z2hvNjQik.l.8SWLHoRafksGFJCaCkN3RGMVfK9uNf_hJc6t
 JPUsh8ItV.4xsMw5sqJVuSxlbHKdDfROfq9s_fW6JiW6iFFc5KCzb4v9N191OJVyjIyl3Rj2zpjP
 QouhHc5Jnbkjcr4xj1v2bjnvizW8mngKDLvsO39WJQchkHP_onK2SmMFF12AiAe3iZHjXsSp2iAR
 jBlFwMKoB4QKkpJVv_bPKAIrbPllhfoz7PZG_D9okzqAOwViMgzODg8G6o5PTppL6Q5eAorOHumN
 i8Fa6jJqCnLvxYRQMAoOd4o4m0u.2Nvw_JQPhDGu7h6xfSO4q53WPNYhZw1rHV3qp7rwzMWl1EjW
 9BvqH3uwQoO4XRp7Zf.NgzD6flUJTTlvMDen_0hPrufk2m_i_gqrW7ji0CUH9_PTae.26AGACXv8
 xW5ALl7tRUi6LmSmTRLn6lyaAku2ULKxErgz9HHwXDGFDqsHllnfQQydnePS94jWMoEKtpJ6.ziH
 EhVso_FV2NH4kriyTMe90_IWRwePnM1HNadlKf_CwjdXRIuFxHJOqWwhL6NTQ.xbydEyE7kcelQl
 VanwfxTTmc6B8iAWqmivacykRVuBC3yyHuznqN8ziHDnLSb8VNrMkz3QVyqjnadeTqtSOlwQLZlV
 uWp_NePacXTg6L3mRjMwEWmdiR8HzDzB5AeGZKqdAFMAxi.0SHXYOFCVD73XcIwsdZbX2rSrK6b0
 AcTe4HfFhn_r7uYXAnX_n4G2y7vX_0CLudm2HIZngVfo5xiKKfK4WrRywdqD3kxbTRv3T6OfF.9m
 cm8EzXxTNzIIeLnOSvGym1kBycjlGNatWxHieFYhJlSXARaAHPHfBWfIHsZp7Xluu3AnyxQQLTQM
 Wg6ODpjMpWyHmGCc5ZudRnBKgv.tVjCaI4EVmIgPaz4hT2dnlRPAdxf7hLGAvGIKRMdVCSsM2xr7
 I9Lk2kH.Vh.jAfJk6Aiuc.v3rMl0kKLGZRUzvaWR1_rTOQ_FTQPPqkbW13IqWq_2NXj1GyCH06HV
 MFJKO0wrPHWcu.ZMxR4S0vPJwV9oXLwaQMin4j2bkFpvsRp5l7XBnpeTNnByoH9N_iXUFvg6qdTK
 3J3W4Gng3GR4Y29EuU0kZMCMSJDi_BljMyeLIU8IzZtS8ua1TkREMIXtLfbFZrMmG46U6JsAmWDy
 4wH_A.ceHi7.3uHDVelNDNnGMooMSmvrtuaAly8aPTc6xeiYpMx0uh9nktyvU7flFQXelQ03DSTf
 hIxhocMZ.pTXWrd0eOHKQI3zWiP.wYTXqxIHi4X4s_JTQTG3jLw5r.QpHlqrPywwy2bFqruv.2fM
 ap54XIQDbbqlk6SPCLgn5UmPysJJIAAfYhn0pFNkyN62iiCinP3M7hWPLND3JBSl5chSzLkyUy_0
 HL34KaKQC.mSIH6DT8WCy45mOuYUKhsQy7_kZVJxRKniJEWqzK3XSc5xoxB7NQG9S5w8hcAAkz3k
 ZOtrrI1ho7vxs9xi75TizEoxJQ_mOTuSpDWtTolAmycB9psV6OABs2bGWSV8KQIS5IkuIL75pRXI
 gsQ6ofrfPr8cDsj0pRS2hvxijcx02E5uPMwvJnd1ERKNPIyRqe6_CApjulQm6HDyuTIASqqESkpt
 pJoIdp5k.5FNwEWSFFm34kf0Rxcz7fCmuGnQI3lD8CIhWZ7wg0h1c4WJy0T1NC6idCAZzPbtPocV
 bDvmQU23Jg3HCXVJI98qyMjNs46zFEfrPxVR9CP3UyspW8h7rD2f5tNmI65pCmRaC4cjD_CIMvkT
 nQo5Vj._mEy6Kv6X9FEPG46_ZQa3ChyTdvQUqhuZhJtKzbVryOLx01UgGszUk3LC6rl1mZYVQYKO
 ib99sQ4k06NTqZzS9hPRGoJOdf3w.1gmzb6okp8vBAdXR_bV9jCuB7.ay7POehlKbY7gErqpbvb3
 IiZD2Gk.oH4kpQxC6wR0H_UUfFoSQpAlH_.x29Gh658YnMjUg46ZTNysnah7Be1jpF_vQsIQGKn5
 scbdasI3EyBU0ZuXmR44zcXQVe8rSjsdyDgMegKkDxpMOOiVU6EQVMVtKLsKnLJEkUqiBqVfe.da
 mY5U28qpYAF7y3.8kWuQxFYTMMxcTT.wo3a1k1Sl26_wJuVOHgAEK5SsAqAT2PBznZL09B2xuKXh
 C1qt5D684p7iMug--
X-Sonic-MF: <mardani29@HIDDEN>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic313.consmr.mail.ir2.yahoo.com with HTTP; Sat, 9 Oct 2021 19:42:00 +0000
Received: by kubenode534.mail-prod1.omega.ir2.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 8407a3ebbcb93664e4a88831d1761cc0; 
 Sat, 09 Oct 2021 19:41:58 +0000 (UTC)
From: =?utf-8?Q?Daniel_Mart=C3=ADn?= <mardani29@HIDDEN>
To: Daniel =?utf-8?Q?Mart=C3=ADn?= via "Bug reports for GNU Emacs, the Swiss
 army knife of text editors" <bug-gnu-emacs@HIDDEN>
Subject: Re: bug#51105: 29.0.50; Buffer overflow bug in
 ns_compute_glyph_string_overhangs
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN> <m1r1cu4imr.fsf@HIDDEN>
 <83v926whih.fsf@HIDDEN> <YWGf1Bc+wFI3cixx@HIDDEN>
 <m1a6jirnyd.fsf@HIDDEN>
Date: Sat, 09 Oct 2021 21:41:57 +0200
In-Reply-To: <m1a6jirnyd.fsf@HIDDEN> ("Daniel =?utf-8?Q?Mart=C3=ADn?= via
 \"Bug reports for
 GNU Emacs, the Swiss army knife of text editors\""'s message of "Sat,
 09 Oct 2021 21:35:22 +0200")
Message-ID: <m1o87yq92y.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Mailer: WebService/1.1.19116
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 3208
Received-SPF: pass client-ip=77.238.179.188; envelope-from=mardani29@HIDDEN;
 helo=sonic313-21.consmr.mail.ir2.yahoo.com
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
Cc: 51105 <at> debbugs.gnu.org, Alan Third <alan@HIDDEN>,
 Eli Zaretskii <eliz@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Daniel Mart=C3=ADn via "Bug reports for GNU Emacs, the Swiss army knife of
text editors" <bug-gnu-emacs@HIDDEN> writes:

>
> A reduced test case to reproduce the problem is to paste "=D8=A7=D9=84=D8=
=B9=D8=B1=D8=A8=D9=8A=D8=A9" in the
> *scratch* buffer.
>
> I've attached a patch that fixes the issue.
>
>
>
> Let me know if you like it and please install it on my behalf if so.
> Thanks.

Sorry, there was an indentation problem in the previous patch.  Here's
an updated one.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment;
 filename=0001-Fix-buffer-overflow-in-ns_compute_glyph_string_overh.patch

From 1f64cf0bb78b77570d60f70c2e2342c2293a5ffb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Mart=C3=ADn?= <mardani29@HIDDEN>
Date: Sat, 9 Oct 2021 21:10:20 +0200
Subject: [PATCH] Fix buffer overflow in ns_compute_glyph_string_overhangs

* src/nsterm.m (ns_compute_glyph_string_overhangs): When the first
glyph of a glyph string is a composite glyph, `s->nchars' is 0, so
"s->char2b + s->nchars - 1" dereferenced a position before buffer
`s->char2b'.  Instead, rewrite part of the function to distinguish
between character glyphs and composite glyphs.  For character glyphs,
calculate the font metrics using the `text_extents' function, passing
it the entire glyph string; for composite glyphs, call
`composition_gstring_width'. (Bug#51105)
---
 src/nsterm.m | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..e8e08640c6 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2848,20 +2848,27 @@ Hide the window (X11 semantics)
      External (RIF); compute left/right overhang of whole string and set in s
    -------------------------------------------------------------------------- */
 {
-  struct font *font = s->font;
-
   if (s->char2b)
     {
       struct font_metrics metrics;
-      unsigned int codes[2];
-      codes[0] = *(s->char2b);
-      codes[1] = *(s->char2b + s->nchars - 1);
-
-      font->driver->text_extents (font, codes, 2, &metrics);
-      s->left_overhang = -metrics.lbearing;
-      s->right_overhang
-	= metrics.rbearing > metrics.width
-	? metrics.rbearing - metrics.width : 0;
+      if (s->first_glyph->type == CHAR_GLYPH && !s->font_not_found_p)
+        {
+          struct font *font = s->font;
+          font->driver->text_extents (font, s->char2b, s->nchars, &metrics);
+          s->left_overhang = -metrics.lbearing;
+          s->right_overhang
+            = metrics.rbearing > metrics.width
+            ? metrics.rbearing - metrics.width : 0;
+        }
+      else if (s->first_glyph->type == COMPOSITE_GLYPH)
+        {
+          Lisp_Object gstring = composition_gstring_from_id (s->cmp_id);
+
+          composition_gstring_width (gstring, s->cmp_from, s->cmp_to, &metrics);
+          s->right_overhang = (metrics.rbearing > metrics.width
+                               ? metrics.rbearing - metrics.width : 0);
+          s->left_overhang = metrics.lbearing < 0 ? -metrics.lbearing : 0;
+        }
     }
   else
     {
-- 
2.31.0


--=-=-=--




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#51105; Package emacs. Full text available.

Message received at 51105 <at> debbugs.gnu.org:


Received: (at 51105) by debbugs.gnu.org; 9 Oct 2021 19:35:38 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Oct 09 15:35:38 2021
Received: from localhost ([127.0.0.1]:54150 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZI8A-00009l-9c
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 15:35:38 -0400
Received: from sonic314-20.consmr.mail.ir2.yahoo.com ([77.238.177.146]:39046)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mardani29@HIDDEN>) id 1mZI85-00009V-VY
 for 51105 <at> debbugs.gnu.org; Sat, 09 Oct 2021 15:35:37 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.es; s=s2048;
 t=1633808128; bh=B633MqT/8968BLrOjq37iCz9d5Y3zJahHivgRdTOdaQ=;
 h=From:To:Cc:Subject:References:Date:In-Reply-To:From:Subject:Reply-To;
 b=c5S6pijiOqnjWD1u2saCZdT/JIlw5zen6fKHcmvpB/73X6KnybfyvGoROgnTFAkBcFJMVVQ/EOfxwvb8UQt5Lhw0omze4Nob/8Klnrysj1R4PX3wC8JkUy1QANXPx9TY32RUqNIKVKEh/xSX1ZzTFkv+qltXXR/nLm4WyycJOsusn8N1QVkQ7NIVL30NzN5rsY6+Ea1R5kbTcgwbZr/xCcYpMR1KHAnwH9nrvKAN5ZX4Wmk/D2ockXXlCtRSwY78zI00kEotci1egiwx8m8Mb5VAD8ked6nHhFBNkJ14esGNTIH06N39FWgfexxgW9ddX1mmZu1AWoL0C81PjGJ0vA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1633808128; bh=m0NSrUOGnsi24lQA4D+g1mZileZUnf8lAWalwfMVS/E=;
 h=X-Sonic-MF:From:To:Subject:Date:From:Subject;
 b=RuzGO74SK2eYo9X9MeQUnqxMgwBLTDEyN/01+iq9vW4xCO3eYgn/NwlS48zpj0GPDY9varltV8aMhjmjS/G2Topf8d34V07MJ5X0AW9U0+DrqWdef6cTde49PJer4+jLwFV113nsQvAEISnCC0pRrzbvi3g3JEjTH8YARasVwKWGJd7nbbtVcj+Yut4nYOcZuqyhiSjaKHh4X4nLj/CSlsBxuU0NE3ohL1WWXnA7LAIPWOomfZC2pHGROyT2rnnp4AuTSxefENiBCoc6g4XLJUWUSvDXcA4nmJjadkALu9gD9YSHO5/RzyXJE/7h1RHXDuA2p+1XaHR0xmqyTTAdGA==
X-YMail-OSG: GFLsVwAVM1l0DYSFOiJoPYzAttUv1A5UmoXb3H1GtMTD.q7i7IpBAM0qas7O_2R
 llbY2PzZUpWl2cYAqe1DxdneicWP_BLtfClTJHkq42TLA4mDjUUQ90LnUSc_WxYVK12CsMNbVu.4
 HoYFK1OrnxB097eM3WwL9zbq0eDDkc6Fxeo1g7glQAWchaDJRcyQWAAzYRpy9ZHm6_dea4oj4TS4
 saQtJ4bU1oGssj0d7vBEl4bfqdAmjxcFRKFCEgrJN3_mk0hldA9SJnv_euHzjBYcfoaPse6S.lug
 WyMxGqTZeANnjdp26UTIYkPUpDbOQ1K1DlWGQbi89a8_6CvjhczKNKi5.RfVPGWQL6Dm3GpLd4We
 uUDGzWF5AtO9kdqALlwMiaesQKAjw4IHl9_AZQbTu8gH2wjKJ8bXX0wcHBjrzs4lCYfbVo8DBxlQ
 akotZRRuxqiLZvQJTs.U_PGyjkzGbuRd4zKe_x3jEg7mOsrD8MwlJvMfkOpSQZ1.PqARX7oCAg2N
 hlVdDh6NT3.thr_I8Apmf3L2R4UNXWH_LnMEk4rTklO.j4fWwJOmjpTngdIZ4utuZVJ5m9qPsrI.
 iQ98ZRIZIqKmtgnFJysbCbI7UiYJ3QhwsfR4B4DDLMbsu03u_La5BaURDiy0SNda15ttL6wCF87i
 _VBC2.mGMqfgEOQXuq3uq1.db3cGFRXyGGoHktd55IYmndERnBsUxUi9acsXrj51vsJ2.y1ZMAVm
 wXlh9IJGJ868GPBokzgzeV3GhNxjen6l2H4m5qBDfz_ZJf1f_Lab6uRcNugLdaj50lv_0PWTwOUi
 MSfs7gyplnV1lM2C3EHbFVWJPaX4yoc7PAwDMSU3cN6AU65WfKSW_veO1DalAxojWsxyxl.jqNRK
 27QxhsjlD7jaFfwKr8hRCv1euZkSNBaMe5LrKBGgDuKy8RN_6e8_ukp78tGEcfVetXEeUvitGm6j
 Bkr5vCgRNHLXk9TbN5HzPhq.FWWcZyJAKlGzWiPS6JjYGGv7rvUKG9ntgLMV47hfCHwR0G0V9IDK
 Cn.ze_gdGJ527QNvV8WPWYffzDxrpOd8jezn19s0tcYbHTcaciACkuolsIVmvtI_9QIW.9G1dWTe
 muusxCMF1vx_gfLlbfQbPd6faHUqN9NVUeLAJfpSdPcA2ffApTO1vH31kGGHupELYbwrQ9xJpXoY
 kQlawSixvMrj2l35u14i4bwmqBpo0pVU6iMJGO70bHAWi_hYUV0RvhcaixebzxFn7f5AX_31HHjS
 LRv8JDUkOq9WesgMH01QhkVC0C0WIZpDzzXkHa3ZgWEj7WvXWhMe1dCCuYdJUUlQepRK1WT5CkAC
 BQScMsydvRU_Tt1eGy1iyZqWalXmaJ8Av6PWWYVjJSPSUkqANP9a3gesh1HkNjeP24mNNzDm6Fms
 uJ9WJxbozCQ0QzYaiQ5e6smDhRkrZSEpeinOAQjEgd6nPxeeZC_pMYPkTkrBF8UIzMxryJR8hlp2
 EhbeCxiHNwmxx1MSR2U4etykO8gPP1fDlj40mmJIjMXGlkqtEW0Zo8.HHakgCB0xvknKGDTm4hYr
 yowzuZvEH0YVsFAXVLNxyCkVu2ZvnRB8VfauwK0lfs0XvgyugT_W0vQUXTRqFuAT7GM3Vzma_DGb
 ePyQCTwoeny0PukYchK5ZdhIQ.KFABYVci6mq3m4d_0dnDniQUSk.wrq7qBpp1vwTZZ2HVI5q_r3
 8KtBqyWB1uIyG7_7Mk5gglq8BbKLNHharjqWCdBJoVvmSTAKkYD4fFb6eoqP48TBLQrL9FF67rKr
 HWHMuZx1EEQKIV5F5ay7U4nAPtZmeDLwW_qq1AZw6yqr..I3cT.3wazYvrLSXoov7RVknMPZmp7B
 GSuK4lkjUD9AiWVYwAtgOZ3yvPE93dUWp8uNoQykF7opLCOovUI5EmkqckGklrOKx9B_i90nNvnF
 R7JlJu6R3G7sXLxRQ7ak12N3FjB.0JlIesD9Og3B1DBhC.FyC2XmHfIPzbFoG4B_n.C3f4HbN5Cv
 4Cc0nex_CvhMfryT8X7xNmz2lRdAey4NpJs0Nsulkhdau_f.2Gg7Bx8haD075OAdbWHHF0OyVToJ
 xgDbkwUxjw4_gTdjiGHa65rycXlXErEC3bGiu6eNIwPQ5H4ssoVJlnzecC1E8IF6vtZb2rmu_93j
 y1hE0x6QGQXiiPg7ai5C01VZAL020_Z9Tp8KAp6PDEnbnnRIhOXC6ZzDdj0jNnClfQV25qf_7CNC
 SaqcnQSJnmpU-
X-Sonic-MF: <mardani29@HIDDEN>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic314.consmr.mail.ir2.yahoo.com with HTTP; Sat, 9 Oct 2021 19:35:28 +0000
Received: by kubenode521.mail-prod1.omega.ir2.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID c005fc59c7ded80b59c22b633a87c38d; 
 Sat, 09 Oct 2021 19:35:23 +0000 (UTC)
From: =?utf-8?Q?Daniel_Mart=C3=ADn?= <mardani29@HIDDEN>
To: Alan Third <alan@HIDDEN>
Subject: Re: bug#51105: 29.0.50; Buffer overflow bug in
 ns_compute_glyph_string_overhangs
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN> <m1r1cu4imr.fsf@HIDDEN>
 <83v926whih.fsf@HIDDEN> <YWGf1Bc+wFI3cixx@HIDDEN>
Date: Sat, 09 Oct 2021 21:35:22 +0200
In-Reply-To: <YWGf1Bc+wFI3cixx@HIDDEN> (Alan Third's message of "Sat, 9
 Oct 2021 14:57:40 +0100")
Message-ID: <m1a6jirnyd.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Mailer: WebService/1.1.19116
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 3951
X-Spam-Score: 0.2 (/)
X-Debbugs-Envelope-To: 51105
Cc: 51105 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.8 (/)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Alan Third <alan@HIDDEN> writes:

> On Sat, Oct 09, 2021 at 02:43:18PM +0300, Eli Zaretskii wrote:
>> > From: Daniel Mart=C3=ADn <mardani29@HIDDEN>
>> > Cc: 51105 <at> debbugs.gnu.org
>> > Date: Sat, 09 Oct 2021 12:06:36 +0200
>> >=20
>> > Now I think that the right thing to do may be to modify nsterm.m, swit=
ch
>> > on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call
>> > composition_gstring_width to get the glyph metrics.  Function
>> > composition_gstring_width uses the values from fields s->cmp_from and
>> > s->cmp_to, and would avoid the buffer overflow:
>> >=20
>> > (lldb) fr v s->cmp_from
>> > (int) s->cmp_from =3D 6
>> > (lldb) fr v s->cmp_to
>> > (int) s->cmp_to =3D 7
>> >=20
>> > WDYT? I can prepare a patch of this type if you agree.
>>=20
>> SGTM, but I'd like to hear Alan's opinion as well, as I don't feel I
>> know enough about the NS display backend.
>
> I don't know much about this part of the code, but it sounds good to
> me too.

A reduced test case to reproduce the problem is to paste "=D8=A7=D9=84=D8=
=B9=D8=B1=D8=A8=D9=8A=D8=A9" in the
*scratch* buffer.

I've attached a patch that fixes the issue.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment;
 filename=0001-Fix-buffer-overflow-in-ns_compute_glyph_string_overh.patch

From 23897a25d7ddebc06ab855058d36a5e291e5cba3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Mart=C3=ADn?= <mardani29@HIDDEN>
Date: Sat, 9 Oct 2021 21:10:20 +0200
Subject: [PATCH] Fix buffer overflow in ns_compute_glyph_string_overhangs

* src/nsterm.m (ns_compute_glyph_string_overhangs): When the first
glyph of a glyph string is a composite glyph, `s->nchars' is 0, so
"s->char2b + s->nchars - 1" dereferenced a position before buffer
`s->char2b'.  Instead, rewrite part of the function to distinguish
between character glyphs and composite glyphs.  For character glyphs,
calculate the font metrics using the `text_extents' function, passing
it the entire glyph string; for composite glyphs, call
`composition_gstring_width'. (Bug#51105)
---
 src/nsterm.m | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..e616766ec7 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2848,20 +2848,27 @@ Hide the window (X11 semantics)
      External (RIF); compute left/right overhang of whole string and set in s
    -------------------------------------------------------------------------- */
 {
-  struct font *font = s->font;
-
   if (s->char2b)
     {
       struct font_metrics metrics;
-      unsigned int codes[2];
-      codes[0] = *(s->char2b);
-      codes[1] = *(s->char2b + s->nchars - 1);
-
-      font->driver->text_extents (font, codes, 2, &metrics);
-      s->left_overhang = -metrics.lbearing;
-      s->right_overhang
-	= metrics.rbearing > metrics.width
-	? metrics.rbearing - metrics.width : 0;
+      if (s->first_glyph->type == CHAR_GLYPH && !s->font_not_found_p)
+        {
+          struct font *font = s->font;
+          font->driver->text_extents (font, s->char2b, s->nchars, &metrics);
+          s->left_overhang = -metrics.lbearing;
+          s->right_overhang
+            = metrics.rbearing > metrics.width
+            ? metrics.rbearing - metrics.width : 0;
+        }
+      else if (s->first_glyph->type == COMPOSITE_GLYPH)
+        {
+          Lisp_Object gstring = composition_gstring_from_id (s->cmp_id);
+
+	  composition_gstring_width (gstring, s->cmp_from, s->cmp_to, &metrics);
+	  s->right_overhang = (metrics.rbearing > metrics.width
+			       ? metrics.rbearing - metrics.width : 0);
+	  s->left_overhang = metrics.lbearing < 0 ? -metrics.lbearing : 0;
+        }
     }
   else
     {
-- 
2.31.0


--=-=-=
Content-Type: text/plain


Let me know if you like it and please install it on my behalf if so.
Thanks.


--=-=-=--




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#51105; Package emacs. Full text available.

Message received at 51105 <at> debbugs.gnu.org:


Received: (at 51105) by debbugs.gnu.org; 9 Oct 2021 13:57:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Oct 09 09:57:52 2021
Received: from localhost ([127.0.0.1]:53895 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZCrI-0006Uv-EP
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 09:57:52 -0400
Received: from outbound.soverin.net ([116.202.126.228]:44975)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <alan@HIDDEN>) id 1mZCrG-0006Uf-Cq
 for 51105 <at> debbugs.gnu.org; Sat, 09 Oct 2021 09:57:51 -0400
Received: from smtp.soverin.net (unknown [10.10.3.24])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 (No client certificate requested)
 by outbound.soverin.net (Postfix) with ESMTPS id BDF98E3;
 Sat,  9 Oct 2021 13:57:43 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by
 soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=idiocy.org; s=soverin;
 t=1633787863; bh=O0/uQxuAbBh4S2x5EVcsmwWOz3LnXUdUo14A47hJYgY=;
 h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
 b=Qmgz82ghxqCYVWlFuTJ3X12OPLBPL1W2iQRMR3LIg1DVdBbBK8uMGhzivtFciwTr9
 YHgCail/nJR+4ZGJ72taNKN98TZjZEOUduNNpy6YEVcfoAyxETjWd3GmWdqqs1zUd5
 Kp1XQTvfsvq9m0DP+DujlGboNblPIY+ufNEjnaqn56uaE/t3N3U/lt4/XVu8v3hKIn
 bY4232w+k3wQ83y75d+V3CXkkyl41Wo+eSycAxdgUy87n0R4RXUqsOYZRBXmZ7aObX
 Yn6hz3B6bkPrio1uVcJiNGIPfKk0wGFNQuxfuOlclkLId554LF3oBFFDveDtShLYlO
 R0cz4pccw2v3w==
Received: from alan by faroe.holly.idiocy.org with local (Exim 4.95-RC2)
 (envelope-from <alan@HIDDEN>) id 1mZCr6-000Bw0-By;
 Sat, 09 Oct 2021 14:57:40 +0100
Date: Sat, 9 Oct 2021 14:57:40 +0100
From: Alan Third <alan@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#51105: 29.0.50; Buffer overflow bug in
 ns_compute_glyph_string_overhangs
Message-ID: <YWGf1Bc+wFI3cixx@HIDDEN>
Mail-Followup-To: Alan Third <alan@HIDDEN>, Eli Zaretskii <eliz@HIDDEN>,
 Daniel =?iso-8859-1?Q?Mart=EDn?= <mardani29@HIDDEN>,
 51105 <at> debbugs.gnu.org
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN> <m1r1cu4imr.fsf@HIDDEN>
 <83v926whih.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <83v926whih.fsf@HIDDEN>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 51105
Cc: 51105 <at> debbugs.gnu.org,
 Daniel =?iso-8859-1?Q?Mart=EDn?= <mardani29@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

On Sat, Oct 09, 2021 at 02:43:18PM +0300, Eli Zaretskii wrote:
> > From: Daniel Martín <mardani29@HIDDEN>
> > Cc: 51105 <at> debbugs.gnu.org
> > Date: Sat, 09 Oct 2021 12:06:36 +0200
> > 
> > Now I think that the right thing to do may be to modify nsterm.m, switch
> > on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call
> > composition_gstring_width to get the glyph metrics.  Function
> > composition_gstring_width uses the values from fields s->cmp_from and
> > s->cmp_to, and would avoid the buffer overflow:
> > 
> > (lldb) fr v s->cmp_from
> > (int) s->cmp_from = 6
> > (lldb) fr v s->cmp_to
> > (int) s->cmp_to = 7
> > 
> > WDYT? I can prepare a patch of this type if you agree.
> 
> SGTM, but I'd like to hear Alan's opinion as well, as I don't feel I
> know enough about the NS display backend.

I don't know much about this part of the code, but it sounds good to
me too.
-- 
Alan Third




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#51105; Package emacs. Full text available.

Message received at 51105 <at> debbugs.gnu.org:


Received: (at 51105) by debbugs.gnu.org; 9 Oct 2021 11:43:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Oct 09 07:43:52 2021
Received: from localhost ([127.0.0.1]:52408 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZAlc-0004ek-Ac
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 07:43:52 -0400
Received: from eggs.gnu.org ([209.51.188.92]:43214)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1mZAlY-0004eR-4q
 for 51105 <at> debbugs.gnu.org; Sat, 09 Oct 2021 07:43:50 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:52452)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <eliz@HIDDEN>)
 id 1mZAlN-0000Ri-9C; Sat, 09 Oct 2021 07:43:39 -0400
Received: from 84.94.185.95.cable.012.net.il ([84.94.185.95]:1358
 helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1mZAlM-0006Nz-Sv; Sat, 09 Oct 2021 07:43:37 -0400
Date: Sat, 09 Oct 2021 14:43:18 +0300
Message-Id: <83v926whih.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Daniel =?utf-8?Q?Mart=C3=ADn?= <mardani29@HIDDEN>, Alan Third
 <alan@HIDDEN>
In-Reply-To: <m1r1cu4imr.fsf@HIDDEN> (message from Daniel =?utf-8?Q?Mart?=
 =?utf-8?Q?=C3=ADn?= on Sat, 09 Oct 2021 12:06:36 +0200)
Subject: Re: bug#51105: 29.0.50; Buffer overflow bug in
 ns_compute_glyph_string_overhangs
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN> <m1r1cu4imr.fsf@HIDDEN>
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 51105
Cc: 51105 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> From: Daniel Martín <mardani29@HIDDEN>
> Cc: 51105 <at> debbugs.gnu.org
> Date: Sat, 09 Oct 2021 12:06:36 +0200
> 
> Now I think that the right thing to do may be to modify nsterm.m, switch
> on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call
> composition_gstring_width to get the glyph metrics.  Function
> composition_gstring_width uses the values from fields s->cmp_from and
> s->cmp_to, and would avoid the buffer overflow:
> 
> (lldb) fr v s->cmp_from
> (int) s->cmp_from = 6
> (lldb) fr v s->cmp_to
> (int) s->cmp_to = 7
> 
> WDYT? I can prepare a patch of this type if you agree.

SGTM, but I'd like to hear Alan's opinion as well, as I don't feel I
know enough about the NS display backend.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#51105; Package emacs. Full text available.

Message received at 51105 <at> debbugs.gnu.org:


Received: (at 51105) by debbugs.gnu.org; 9 Oct 2021 10:06:51 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Oct 09 06:06:51 2021
Received: from localhost ([127.0.0.1]:52317 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZ9Fi-00040K-QX
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 06:06:51 -0400
Received: from sonic309-24.consmr.mail.ir2.yahoo.com ([77.238.179.82]:39985)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mardani29@HIDDEN>) id 1mZ9Fg-000405-Uf
 for 51105 <at> debbugs.gnu.org; Sat, 09 Oct 2021 06:06:49 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.es; s=s2048;
 t=1633774003; bh=Xfczk1Qe2Isq7VtF8oiJ2E5hS6/BIcQ37H8NvspKWk4=;
 h=From:To:Cc:Subject:References:Date:In-Reply-To:From:Subject:Reply-To;
 b=gPsigan+Q5XpKAPsSTODFTu/2704OQKYb7m0+7txhP7c+ZOkShoXDAqac5W7eLOGd3Rn7dLw4aLPzVQkTjleoOdFtnYIZGgyiOjRzXCOSYaBViDJ0xoK4ZEtBHcueVgjus4h8glcDWCU6x6a4BPYwHg2OKIpHJ3sN3NavL2Aysbc210mj69zu6a6aOTptrOWjAda+lq6tMaJ9j07AGYcMDjuhzfbxx852/D+peVwuf2U838736JJeJB08oU+YyZbkXh8Gu2re1zuniDBEgBjh2b5Q29Nl8Jkk3gioxprC8XiRJRmYIZmoRYs+SHvJh22g8DYTgEhBwuC+MqJk11vIw==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1633774003; bh=LznyBxAZlL8+tX2jx3OzcwV7jbtV4kK3nlcPTWXilGL=;
 h=X-Sonic-MF:From:To:Subject:Date:From:Subject;
 b=jiEjTrfHt931MTCVZd0mD5kIWovM8Dj3f0kvCFS43ras8seXFYWIV4N/vp6ITF/0kZ5j04DEwklk9F9lsK6mUKWQFHWI51UyI0hh/d0CshTJbS/Y/eG8ptfEjObBBIb7qH9TnQOcgEZ2I+AjOLEft42nBWc9H2BnuAQywfsFTZwDbxanxWXsv+t9GIMB4jy+zgJWD2qnoI6HH+vd5Qpi9/MvgJcyoVXCTH1SM/WGky34XYMp7tbmtevlsysK0yfo5a/6j1ZiQyj3cB+EtCZbsbgCQAEgMAW8ZRqfQ/dVAzpZgs6Qb73d/sKwN/wdaf+iY8L2AJnn5vV0UdEp0Bm+cw==
X-YMail-OSG: CqWzhnwVM1la.wQMDffG8JoTnWKTTdvY_6iT7qKyrvAmHB1jiBraHuuwMlp3BA7
 pj6S_tshs_PMKLzLFCcCUrjCQozcFyxg.1MoIIGSS8Ahx8MkNZSqO56f7.EHN3QRVyDDw1Ty473y
 NzL903pdt0dnvElrrYtFx3.rhgNYIzEaVTdIdGdL49wiLem9PMjwOFSnbkBZeVtHfF90CAXI6Ulh
 K6ATTCt7j70ojtctCSKh0wz3IONqVmk48JdRsxv0uexa3a2tB1wUYWWEd9BSDDT1dvYN8dWnMl7W
 .fQW4thg_5g76C9zJd6_aIRKBH3OoUy8xGde084Ha7CKMMkbv2XfNpBh6clF8L2X4X.tNRRuL5Gn
 inkZmjoO0Ns1pdVLc9HvFrSMrrAawor4LwwSIeGiIN.mNtmoqgPBUCYvE5Dr6LEc_40sArYamTvp
 IuiJQkvlOkaL6sYbqNKpCBnIxBWuqmmC2SF5j.1LWSJVMduueSUSTUBWfGSHds2zkltnPyH.6OOy
 VGBRuzlLJDDIkRuU.4LvUb3vd8F51YFyPOcgHWF2KxqEiAqHQxz0HXgm8oMq4G4HsRzLfhlMeQP5
 xU1Skhi1CG8xYkNQwwaTEIiVILJQZwKnVFgQ_1_TCB6wOho6UKk_3YR3IMWwoFcFN3x_YREDxDgp
 xTdL4SxkKmUxgGwdSntw84BBDZe8KZWYlfBAztn8Yp6Y9qtjP7ZqQ8dkXmCp3hF97lDrDEkUOs6Z
 paXpdKPNC4EchJ_M2jIjO9rJhzWXEsDkPtTDhgTnQf3SPJ3iWKMtNXQeEU2gj6lZ00XFXmR2.b9O
 EX04SA2wGmz7peg2Gx_g27FKK2lQjNFs_eCA5EYYtRPnPRvESq4ApUCHFrzk9NtN6G_xr_cMdKGc
 FLueXroKVGSzskwFN9kVqgNm.40TLcLL8kIZM6SBLnVLf7o38mAX3tuJoqfnbk3LGmnz.Qn53NCk
 uO7KjZykSVj8pDs39pX3WZqIPGk.mFCP.mcg230BmV8poOvQdD9XS.extbF0mD4sIoVr5nvN418x
 AE8n9k.kkkO6JSRL2LkGTe5ESYgPX0QKzUQN4oGT3p3Ot._cJ.lY_BANXJVWFN0UCEvwD3N1zwEC
 s_LELJLWprREbLJCVzaPyILWa.YVPe.MBaTLZpVMak9BeOoLIr1Jkk8wpmtu8ga6HwosKME0xnYC
 JMDUPbVGJ.KEy4cWo_cvjVTEwkZAoNPX.KCWPrBXAjen8KsFlJLZZoV_rQD5oVxHiPysSFBFRh3T
 EFL7u3beV8bdWY_yGiZsH7kbKopIGKwg0uXoYRkoLba1dTzwRZoZzmcpxNJsZCWyqDCH2TypPZ2a
 xerEtmAx9UFhzUkm.n7q0b4hc3aU66mawl1_.PJxhEF7XHK_bfl3vZPRTZDmRMqCuB3M2Ryrcozt
 UgdUbZQ9c7JFdODSQU2BWCDQb9OVPsxzyQs80Y2JT8Ky3DI3IdrngiPdNsgoOMFVMywVXqOoBxxX
 Sy64Vc1GY7VpZsH73Uu965cexzV9A2kHHVMBNBpDog8gaCm3zX_52RFSWqH_D7u4JA2hc65EEk8X
 bJvTa0QU0o5vTnyoszNqP_tsBgyBh26pC_dk_ofnw0W0TblBwrHD6sxtrSPOqVEfjgfZyjm6QHa1
 N9YuOi_7L5YtS8g1sYsl07MzgLc8y3BVeWocP0A3eBqUlX_vMS8t_XsCUCLXwnxuHdNiBQN_oCnL
 CD32FypmlYUOBQPHe8KcQzqQgCbEINmuvF851Nt8ERJ14V5efn3o.v42qxWlg8BdX3oezexfl9Zd
 JZQ1GwzDEYHPOU3VaI4gqhLMVH0ZkBmL06UZdpyWUaL0j.EIZW5GjlCqgBPlBaDiHEwllSWm4uHJ
 gRmZwRfZh2B.gBv8A1c6kqDtNdV7KhU1t7gCU6ksDOl_3Oxs4jvDJ2yrFAFK2E32YbCM1VtfusQC
 ejO8hJWz_b4obZB9r9pytF2Qa.Kw_a5ddmj0ID8TNP1uvTDjPzsWQ1kZheyOMDO6ux2kCmL_tP5O
 A9vtAjedo.76UzpMpbTgR3sPSu36klBVHTdjnDZClIjJHPoSiyEg9UHVFTal0kQXOWeENiAlZPJT
 Qn5rqddWCBdXhYqfXv7iArqHjQwkfWEBVlnLC27rbMYCZt9EEK.YeEfM1ffZmj2rd7.qLM2tfehf
 Mnx17wmN1MZ1HJYsTirXOvr.D_0ijLYb2lSBmVCiF35L0b22ZeBt2j1I7k8KysMGjHmWenxyMb9j
 qjC0EFUhTmdvg
X-Sonic-MF: <mardani29@HIDDEN>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic309.consmr.mail.ir2.yahoo.com with HTTP; Sat, 9 Oct 2021 10:06:43 +0000
Received: by kubenode527.mail-prod1.omega.ir2.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 4c2a9959af849393f228a3b0fdd67703; 
 Sat, 09 Oct 2021 10:06:37 +0000 (UTC)
From: =?utf-8?Q?Daniel_Mart=C3=ADn?= <mardani29@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#51105: 29.0.50; Buffer overflow bug in
 ns_compute_glyph_string_overhangs
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
 <83bl3yya46.fsf@HIDDEN>
Date: Sat, 09 Oct 2021 12:06:36 +0200
In-Reply-To: <83bl3yya46.fsf@HIDDEN> (Eli Zaretskii's message of "Sat, 09 Oct
 2021 09:40:09 +0300")
Message-ID: <m1r1cu4imr.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailer: WebService/1.1.19116
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 1602
X-Spam-Score: 0.2 (/)
X-Debbugs-Envelope-To: 51105
Cc: 51105 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.8 (/)

Eli Zaretskii <eliz@HIDDEN> writes:

>> Date: Sat, 09 Oct 2021 02:30:33 +0200
>> From:  Daniel Mart=C3=ADn via "Bug reports for GNU Emacs,
>>  the Swiss army knife of text editors" <bug-gnu-emacs@HIDDEN>
>>=20
>> 2) The root cause of the issue may be that s->nchars is 0 when it
>> shouldn't.  Is there any legitimate scenario where the display engine
>> may call this routine with s->nchars equal to 0? If so, what are those
>> situations?
>
> I think if the glyph string has composition glyphs, nchars can be
> zero.  What is the value of s->first_glyph->type in the case where it
> happens?

Yep, it seems so:

(lldb) fr v s->first_glyph->type
(unsigned int:3) s->first_glyph->type =3D 1

I've found a 2006 commit that seemed to handle this particular pointer
arithmetic logic for when the type of the first glyph is STRETCH_GLYPH:
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=3D825de9a1027073beae=
c38ab1572e9d954f8a1eb0

Now I think that the right thing to do may be to modify nsterm.m, switch
on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call
composition_gstring_width to get the glyph metrics.  Function
composition_gstring_width uses the values from fields s->cmp_from and
s->cmp_to, and would avoid the buffer overflow:

(lldb) fr v s->cmp_from
(int) s->cmp_from =3D 6
(lldb) fr v s->cmp_to
(int) s->cmp_to =3D 7

WDYT? I can prepare a patch of this type if you agree.

I'll try to get the sequence of codepoints from the glyph string in the
debugger, so we can have a reduced test case (ie. the exact string from
the Wikipedia's front page that causes the issue).




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#51105; Package emacs. Full text available.

Message received at 51105 <at> debbugs.gnu.org:


Received: (at 51105) by debbugs.gnu.org; 9 Oct 2021 06:40:51 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Oct 09 02:40:51 2021
Received: from localhost ([127.0.0.1]:52235 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZ62N-0005E9-2V
	for submit <at> debbugs.gnu.org; Sat, 09 Oct 2021 02:40:51 -0400
Received: from eggs.gnu.org ([209.51.188.92]:35984)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1mZ62L-0005Dw-8j
 for 51105 <at> debbugs.gnu.org; Sat, 09 Oct 2021 02:40:49 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:48240)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <eliz@HIDDEN>)
 id 1mZ62B-0000TT-72; Sat, 09 Oct 2021 02:40:41 -0400
Received: from 84.94.185.95.cable.012.net.il ([84.94.185.95]:2697
 helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1mZ61y-0003of-8h; Sat, 09 Oct 2021 02:40:38 -0400
Date: Sat, 09 Oct 2021 09:40:09 +0300
Message-Id: <83bl3yya46.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Daniel =?iso-8859-1?Q?Mart=EDn?= <mardani29@HIDDEN>
In-Reply-To: <m17den59au.fsf@HIDDEN> (bug-gnu-emacs@HIDDEN)
Subject: Re: bug#51105: 29.0.50;
 Buffer overflow bug in ns_compute_glyph_string_overhangs
References: <m17den59au.fsf.ref@HIDDEN> <m17den59au.fsf@HIDDEN>
MIME-version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 51105
Cc: 51105 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> Date: Sat, 09 Oct 2021 02:30:33 +0200
> From:  Daniel Martín via "Bug reports for GNU Emacs,
>  the Swiss army knife of text editors" <bug-gnu-emacs@HIDDEN>
> 
> 2) The root cause of the issue may be that s->nchars is 0 when it
> shouldn't.  Is there any legitimate scenario where the display engine
> may call this routine with s->nchars equal to 0? If so, what are those
> situations?

I think if the glyph string has composition glyphs, nchars can be
zero.  What is the value of s->first_glyph->type in the case where it
happens?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#51105; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 9 Oct 2021 00:30:48 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Oct 08 20:30:48 2021
Received: from localhost ([127.0.0.1]:52113 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1mZ0GF-0000tb-BC
	for submit <at> debbugs.gnu.org; Fri, 08 Oct 2021 20:30:48 -0400
Received: from lists.gnu.org ([209.51.188.17]:59112)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mardani29@HIDDEN>) id 1mZ0GD-0000rx-S9
 for submit <at> debbugs.gnu.org; Fri, 08 Oct 2021 20:30:46 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:48880)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mardani29@HIDDEN>)
 id 1mZ0GD-0006jl-H4
 for bug-gnu-emacs@HIDDEN; Fri, 08 Oct 2021 20:30:45 -0400
Received: from sonic313-21.consmr.mail.ir2.yahoo.com ([77.238.179.188]:41566)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <mardani29@HIDDEN>)
 id 1mZ0GA-0007c1-74
 for bug-gnu-emacs@HIDDEN; Fri, 08 Oct 2021 20:30:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.es; s=s2048;
 t=1633739437; bh=X8j5aMGFBhQVPOjLwAMS5ZiI0YLjq39S5ygV/095g6Y=;
 h=From:To:Subject:Date:References:From:Subject:Reply-To;
 b=SHNOY4ZsnRG1SAGNZ0v/q7XSZ82FjjxllI2YeQNnJwfHF6AVFcb3DrHxJ+W/SFdTnHjDHUuUYAjNwSOwu/yyeUwPwQlSO4onMaptV/28HkV8Fyx18oO3SMAg2fXymoL/QvNBevh1ftBZ0j5Roj3G8hBqq1k9eW5F/FxvZAS+yYWkcwGT606EMJT/hJM9RD1mpvVr1N6immYCC/XNQi4K7+cETDp9cd+G5c/YkJFZlee6B3p3O7hr/qBEAgCGFSQ6rn/RJ8npr0qdwJBK10RPfm/jtSGHKsbLDQyM4CY/LcDewnRR2/gO4gJqhatQMYq7Vhjy4vdfgC4BrBrvt9Wl/g==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1633739437; bh=sVVVp+bTRFlWWJkVsNqTEksKK4uZJ/KRkq/yw/CcBM0=;
 h=X-Sonic-MF:From:To:Subject:Date:From:Subject;
 b=QLpBpvzt3uEIy7NAFAUJZ2K9SsKRdU4FmUDYOLadQkUEI4dTmBP0AyUvkgC7+NGYsyFai6KFLthzqg19E68bj1wDWNMCvFGO946ijPmnUBx7h1d3hlVgT8Q1QgMihdvyLCVoLQHvgfUrcwwOOz7bdnitc0Vv5dJpjuLVt6ai0Gf2//cVJp4yKhPKcAlh8Q5rb2xWNOCy24/CSvw4J+kHUEfMtySSqIbtc/9eMtOSw4lw1lD4GE+ZaxQG1Cq2vNMkt5KEKT6BdA9bDFStKGoPd92Edk7LKrMV7vDdAZW3nf1c0CHYZgDyzqOlHB3G12gigsjF1RjhrlUkkOlpn3oECw==
X-YMail-OSG: 72LaS34VM1lBp1qfSO7RL9iXboJopdcDKztEhewAT5Z0TOoy_4luFZyYZvrcyGJ
 aAoLnjHk8ZWvbHT45Cf6n5WKOGyHUGG4aPox5mQz9lFZZimNQoIOJUgGCqFNOsATUFwlQlUHh3Uv
 jRMhkDRUxvr2_j4D2be8k9j2W4sACBxtr6J3lwCxFSzaTz763hZYjyoVDpc5qPsTTBSuk5iFcTy1
 92kxBgyf2dknBsV8pAmij1xLBkQLh11o1FP3rbfpYBmot4M2HRqCMDoOeTjz850OwSr.ewcpFYNc
 ZU_dshY0W91BmohWn6tyeapXVIzzGWR8R79WxHMohQa7LwAyfGpO1d.mLp1AtJ2nSCUwzqQiJk7M
 Nw27_kCR2K0jO48Mm996gcf3wWdnpHjZNzgNkKYFOC9VAs7FEjh5w7rhZRnW7EvE5sLBF3GKxwqo
 1TcfxLhc2yNRHeeFsrN3_1tZf4CXC.i0E7NBjBwQrd.Dbzzv5bqp46ZB.9x28Ig_P7wGLyyopids
 cucOa0faOjp2lv5ahAm8uKnDGDCLk3XoOCHGaH7oRgX4P8KjbnTU9YnDj_PJ0pVmAq0xk8HfNwCm
 JTPy4_wCSJivuapXtvVrkpoq05UWztAqC0SX3Q0EqKHW7ZsRn_RHNGTdNSR9jGlUrN5Jiq96B6Ta
 CVE_BC.J0pKCi6iCKeb26NWVLRthJJDMUeC46oGc48VZj5BIRZL.5oRK_H0jfCOpBTBmjMWNW1eF
 KYlsnQSfnozxtgtNyQ4F4839iS4_MRI0syI2h15keieSI.nnKZfysOXPQva4U4lWKncDXGu2H.iT
 Opb6Eauy3wIE36_KLDcUn0ZrC7r2TprslBQ8gXPz66ElQKNRfDhzZfAqyUHnTZbztLCpYj_MgGTV
 VfSXA9v4qrksrcbMpRAtgSMfcsL40seoKxY5oaoDR8lRLr.KLWGnPdyB51Fwee52OZlv4hkcy0nj
 Rc.66fcg7icFgubxUrM65REib6y3MNguuJclaRG3MaU6SgMYvePoadrZY9u4JVRqhMHMxM6BN0yS
 eIaucDWOETKnbSwvWgohKE370xkjMhftBzHp7u9pjdgKcgWPE1AE6M7g6M9984emHxA61Ksl3ghl
 1qwcK.nMSrhhKXK9sm0rBIxAhI2B2ORVWI.nymXDDivnx_wcvkb9hsW_9_hjU8B0TDxz35easKcv
 Tlbg3ROaeKhDACm0hWLuRM2vbUEyok7HlMJx2qXssDlZ6gSigiZADCpHLwZFLaLAGxplhh8mn8Wi
 UEyB5X8WCoFi.0FxDEvmSqupzNjpdj.QLVrcA.IFSBd.7CWt96BdKnVr27JidBjGLT_XW.JZ0ZZI
 GokkWVtts6k6rLotpDb2UZz19CpEkg9hWASDlEBhlCOvZwdfw26hQFrjiFsb6tdEP9Yqk4KEtLt6
 IyWaJY2ityvhaO4BWyCzCcM2qago5Mc.jbgQdiFJes4Fu_6m_U2JXc7kufvDOGr6Ws8ND1bRzwjy
 zOkKuA.zlGQK2UvJ4VM_2Q46kepGHJ5OrYnrmXNSl78DNrMRGa65EGJtMx8gP6afjUKpdBy4MJU7
 FzB8byFpEjvUpqlSU9zXL92I.JKYWp23.Qe8qyIwaPMxqy0cDAEyR2cp.SnHfQjsbLBo.YkPgzKm
 tshAw07_uM94gybu4B4ZnUy3TLqPXwY4JCYeAw2OSbM0R6CJ0dGe02LdIoyAbx.koOuPYlaCXlU4
 avmGFn2pL.uKUiOFW7Nw2gtBs_zg9w50UWCQOlsjsaOH5rKxhudqJfblz9yuJ1Lmn0A5ZV4SWVMX
 afBuNoucxYzx4twEC94QcjYdhS.zIQAk1D3qP5BZ9y9Xf9AZpLG7xtD5gocMiohMlzi2Wvzy.Szj
 toZnP2XVv1cMXyX1XTfVsk2aic8rHIeNArWY8FeFkamrtbVBqDnUledYxwup.cNV3yFVMaZK7Ccf
 kgdAaOjFue6vPss9MtLsri3Etr1zFfzn6h11PtxGhT9kObt4weMRjrRu5cm3aKmWFT9J5P5ITYIC
 GRgIfSVZaB2tjahs5QRVWLe.QDGL4D3kBPnGxkG39Sml5PTYkPPoCsAFJVeOH3SD8vNPOUESsWAW
 KsV2nDvhFLsmqNH_05aJSSy.OXl5vdSBYRuS9TjSzOKCbXzxrCiEzsWzrfYXEYmiV24LFMNpL1SV
 a0fvq__d2vRbksCrhMjYlp8zKmpJMCh5rnNx4hVflytY8cU7MEkIbquU4tw--
X-Sonic-MF: <mardani29@HIDDEN>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic313.consmr.mail.ir2.yahoo.com with HTTP; Sat, 9 Oct 2021 00:30:37 +0000
Received: by kubenode521.mail-prod1.omega.ir2.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 48833493ecb42c401f6e9699cd612d11; 
 Sat, 09 Oct 2021 00:30:34 +0000 (UTC)
From: =?utf-8?Q?Daniel_Mart=C3=ADn?= <mardani29@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Date: Sat, 09 Oct 2021 02:30:33 +0200
Message-ID: <m17den59au.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
References: <m17den59au.fsf.ref@HIDDEN>
X-Mailer: WebService/1.1.19116
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 8212
Received-SPF: pass client-ip=77.238.179.188; envelope-from=mardani29@HIDDEN;
 helo=sonic313-21.consmr.mail.ir2.yahoo.com
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)


There is a buffer overflow bug in the function
ns_compute_glyph_string_overhangs with some particular information
received from the display engine.

(I haven't reduced the test case yet so you may not reproduce the
issue with the following recipe.)

  emacs -Q

Attach a debugger to the Emacs process and add the following
conditional breakpoint:

  br set -f nsterm.m -l 2853 -c 's->nchars==0'

Continue running Emacs

  M-x eww RET wikipedia.org RET

The debugger will stop with the following backtrace:

* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x000000010e25a20e emacs`ns_compute_glyph_string_overhangs(s=0x00007ffee232ef40) at nsterm.m:2853:7
    frame #1: 0x000000010da4cbdf emacs`draw_glyphs(w=0x00006210000ac130, x=66, row=0x000062b00029ae00, area=TEXT_AREA, start=0, end=12, hl=DRAW_NORMAL_TEXT, overlaps=0) at xdisp.c:29036:4
    frame #2: 0x000000010da49bd0 emacs`gui_write_glyphs(w=0x00006210000ac130, updated_row=0x000062b00029ae00, start=0x0000629001be4200, updated_area=TEXT_AREA, len=12) at xdisp.c:31179:7
    frame #3: 0x000000010d90bc4d emacs`update_text_area(w=0x00006210000ac130, updated_row=0x000062b00029ae00, vpos=28) at dispnew.c:3934:2
    frame #4: 0x000000010d902191 emacs`update_window_line(w=0x00006210000ac130, vpos=28, mouse_face_overwritten_p=0x00007ffee2331720) at dispnew.c:4177:11
    frame #5: 0x000000010d8d84f7 emacs`update_window(w=0x00006210000ac130, force_p=true) at dispnew.c:3680:19
    frame #6: 0x000000010d8d9bbc emacs`update_window_tree(w=0x00006210000ac130, force_p=true) at dispnew.c:3405:14
    frame #7: 0x000000010d8d67e6 emacs`update_frame(f=0x00006210000ad530, force_p=true, inhibit_hairy_id_p=false) at dispnew.c:3240:18
    frame #8: 0x000000010d9db568 emacs`redisplay_internal at xdisp.c:16160:16
    frame #9: 0x000000010d9eb0a9 emacs`redisplay_preserve_echo_area(from_where=12) at xdisp.c:16429:7
    frame #10: 0x000000010e0cb8e1 emacs`wait_reading_process_output(time_limit=0, nsecs=0, read_kbd=-1, do_display=true, wait_for_cell=0x0000000000000000, wait_proc=0x0000000000000000, just_wait_proc=0) at process.c:5789:7
    frame #11: 0x000000010dd99c82 emacs`kbd_buffer_get_event(kbp=0x00007ffee23371c0, used_mouse_menu=0x00007ffee23386c0, end_time=0x0000000000000000) at keyboard.c:3924:4
    frame #12: 0x000000010dd9825e emacs`read_event_from_main_queue(end_time=0x0000000000000000, local_getcjmp=0x00007ffee2338300, used_mouse_menu=0x00007ffee23386c0) at keyboard.c:2198:7
    frame #13: 0x000000010dd6a19a emacs`read_decoded_event_from_main_queue(end_time=0x0000000000000000, local_getcjmp=0x00007ffee2338300, prev_event=0x0000000000000000, used_mouse_menu=0x00007ffee23386c0) at keyboard.c:2262:11
    frame #14: 0x000000010dd632c8 emacs`read_char(commandflag=1, map=0x00006290003eb8a3, prev_event=0x0000000000000000, used_mouse_menu=0x00007ffee23386c0, end_time=0x0000000000000000) at keyboard.c:2892:11
    frame #15: 0x000000010dd58e1d emacs`read_key_sequence(keybuf=0x00007ffee23393a0, prompt=0x0000000000000000, dont_downcase_last=false, can_return_switch_frame=true, fix_current_buffer=true, prevent_redisplay=false) at keyboard.c:9619:12
    frame #16: 0x000000010dd539f3 emacs`command_loop_1 at keyboard.c:1392:15
    frame #17: 0x000000010dfa45d9 emacs`internal_condition_case(bfun=(emacs`command_loop_1 at keyboard.c:1278), handlers=0x0000000000000090, hfun=(emacs`cmd_error at keyboard.c:936)) at eval.c:1453:25
    frame #18: 0x000000010dd52903 emacs`command_loop_2(handlers=0x0000000000000090) at keyboard.c:1133:11
    frame #19: 0x000000010dfa2ff9 emacs`internal_catch(tag=0x000000000000df80, func=(emacs`command_loop_2 at keyboard.c:1129), arg=0x0000000000000090) at eval.c:1184:25
    frame #20: 0x000000010dd50f81 emacs`command_loop at keyboard.c:1111:2
    frame #21: 0x000000010dd50c9b emacs`recursive_edit_1 at keyboard.c:720:9
    frame #22: 0x000000010dd5147a emacs`Frecursive_edit at keyboard.c:803:3
    frame #23: 0x000000010dd4a05a emacs`main(argc=2, argv=0x00007ffee233a310) at emacs.c:2310:3
    frame #24: 0x00007fff20496f3d libdyld.dylib`start + 1

This line in nsterm.m will be executed and is problematic:

  codes[1] = *(s->char2b + s->nchars - 1);

When s->nchars is 0, the code will reference one position before
s->char2b.

I have two questions:

1) Is there any reason the function chooses the first and last glyphs
instead of passing the whole glyph string and rely on text_extents to
perfom boundary checks? That is, I propose:

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..207da60481 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2853,11 +2853,7 @@ Hide the window (X11 semantics)
   if (s->char2b)
     {
       struct font_metrics metrics;
-      unsigned int codes[2];
-      codes[0] = *(s->char2b);
-      codes[1] = *(s->char2b + s->nchars - 1);
-
-      font->driver->text_extents (font, codes, 2, &metrics);
+      font->driver->text_extents (font, s->char2b, s->nchars, &metrics);
       s->left_overhang = -metrics.lbearing;
       s->right_overhang
 	= metrics.rbearing > metrics.width

This way to call the text_extents API is also implemented in w32term.c
and xterm.c.

2) The root cause of the issue may be that s->nchars is 0 when it
shouldn't.  Is there any legitimate scenario where the display engine
may call this routine with s->nchars equal to 0? If so, what are those
situations?


In GNU Emacs 29.0.50 (build 1, x86_64-apple-darwin20.6.0, NS appkit-2022.60 Version 11.6 (Build 20G165))
 of 2021-10-09 built on Daniels-MacBook-Pro.local
Repository revision: 36d7c4af7c83c4f3ea9ab9fdd0822b986564d78e
Repository branch: master
Windowing system distributor 'Apple', version 10.3.2022
System Description:  macOS 11.6

Configured using:
 'configure 'CFLAGS=-O0 -g3''

Configured features:
ACL DBUS GIF GLIB GMP GNUTLS JPEG JSON LCMS2 LIBXML2 MODULES NOTIFY
KQUEUE NS PDUMPER PNG RSVG THREADS TIFF TOOLKIT_SCROLL_BARS XIM ZLIB

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  show-paren-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  indent-tabs-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc puny dired dired-loaddefs
rfc822 mml mml-sec epa derived epg rfc6068 epg-config gnus-util rmail
rmail-loaddefs auth-source cl-seq eieio eieio-core cl-macs
eieio-loaddefs password-cache json map text-property-search time-date
seq gv subr-x byte-opt bytecomp byte-compile cconv mm-decode mm-bodies
mm-encode mail-parse rfc2231 mailabbrev gmm-utils mailheader cl-loaddefs
cl-lib sendmail rfc2047 rfc2045 ietf-drums mm-util mail-prsvr mail-utils
iso-transl tooltip eldoc paren electric uniquify ediff-hook vc-hooks
lisp-float-type elisp-mode mwheel term/ns-win ns-win ucs-normalize
mule-util term/common-win tool-bar dnd fontset image regexp-opt fringe
tabulated-list replace newcomment text-mode lisp-mode prog-mode register
page tab-bar menu-bar rfn-eshadow isearch easymenu timer select
scroll-bar mouse jit-lock font-lock syntax font-core term/tty-colors
frame minibuffer cl-generic cham georgian utf-8-lang misc-lang
vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms cp51932
hebrew greek romanian slovak czech european ethiopic indian cyrillic
chinese composite emoji-zwj charscript charprop case-table epa-hook
jka-cmpr-hook help simple abbrev obarray cl-preloaded nadvice button
loaddefs faces cus-face macroexp files window text-properties overlay
sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote threads dbusbind kqueue cocoa ns
lcms2 multi-tty make-network-process emacs)

Memory information:
((conses 16 49678 8809)
 (symbols 48 6572 1)
 (strings 32 17870 1691)
 (string-bytes 1 591830)
 (vectors 16 12905)
 (vector-slots 8 177066 9811)
 (floats 8 21 51)
 (intervals 56 191 0)
 (buffers 992 10))




Acknowledgement sent to Daniel Martín <mardani29@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#51105; Package emacs. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Mon, 11 Oct 2021 14:30:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.