GNU bug report logs - #6149
24.0.50; shell buffer overflow when input longer than 4096 bytes


Package: emacs; Reported by: jidanni@HIDDEN; dated Mon, 10 May 2010 04:17:01 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.
Did not alter fixed versions and reopened. Request was from Debbugs Internal Request <help-debbugs@HIDDEN> to internal_control <at> debbugs.gnu.org. Full text available.
bug unarchived. Request was from charles@HIDDEN (Charles A. Roelli) to control <at> debbugs.gnu.org. Full text available.
bug archived. Request was from Debbugs Internal Request <help-debbugs@HIDDEN> to internal_control <at> debbugs.gnu.org. Full text available.
bug closed, send any further explanations to jidanni@HIDDEN Request was from Glenn Morris <rgm@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 6149 <at> debbugs.gnu.org:


From: Stefan Monnier <monnier@HIDDEN>
To: jidanni@HIDDEN
Subject: Re: bug#6149: 24.0.50;
	shell buffer overflow when input longer than 4096 bytes
Message-ID: <jwv6323wmhk.fsf-monnier+emacs@HIDDEN>
References: <87aas81jgh.fsf@HIDDEN>
Date: Mon, 31 May 2010 21:50:37 -0400
In-Reply-To: <87aas81jgh.fsf@HIDDEN> (jidanni@HIDDEN's message of
	"Mon, 10 May 2010 12:14:54 +0800")
Cc: 6149 <at> debbugs.gnu.org

>>>>> "jidanni" == jidanni  <jidanni@HIDDEN> writes:

> This is a serious bug in M-x shell. It is not a bash or dash bug. It is
> not a readline bug. It does not happen in xterm. It does not happen when
> using pipes or backticks to get the input. It only happens in M-x
> shell... when one gives lines longer than ~4096 characters.

> Actually it is not buffer overflow, but buffer truncation, with NO
> WARNING to the user. One day the wrong file will get removed via this
> mess.

> In GNU Emacs 24.0.50.1 (i486-pc-linux-gnu, GTK+ Version 2.20.0)
>  of 2010-05-01 on elegiac, modified by Debian
>  (emacs-snapshot package, version 1:20100501-1)

Thanks for this nice test case.
It appears it was a silly mistake (code placed on the wrong side of
a #if).  I've installed the patch below, which should fix it.


        Stefan


=== modified file 'src/sysdep.c'
--- src/sysdep.c	2010-05-04 07:40:53 +0000
+++ src/sysdep.c	2010-06-01 01:40:00 +0000
@@ -537,15 +537,6 @@
   s.main.c_cflag = (s.main.c_cflag & ~CBAUD) | B9600; /* baud rate sanity */
 #endif /* AIX */
 
-#else /* not HAVE_TERMIO */
-
-  s.main.sg_flags &= ~(ECHO | CRMOD | ANYP | ALLDELAY | RAW | LCASE
-		       | CBREAK | TANDEM);
-  s.main.sg_flags |= LPASS8;
-  s.main.sg_erase = 0377;
-  s.main.sg_kill = 0377;
-  s.lmode = LLITOUT | s.lmode;        /* Don't strip 8th bit */
-
   /* We used to enable ICANON (and set VEOF to 04), but this leads to
      problems where process.c wants to send EOFs every once in a while
      to force the output, which leads to weird effects when the
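Review bot: with the `#else /* not HAVE_TERMIO */` removed from above the "We used to enable ICANON" comment, everything from that comment down to `s.main.c_cc[VTIME] = 0;` now compiles only in the termio branch, but the lines between the two hunks are not shown here. Please confirm that each statement in that stretch touches only termio fields such as `c_cc`, and state in the change description which settings were previously being compiled into the sgtty branch, since "wrong side of a #if" alone does not tell a later reader what was being skipped.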
@@ -558,6 +549,15 @@
   s.main.c_cc[VMIN] = 1;
   s.main.c_cc[VTIME] = 0;
 
+#else /* not HAVE_TERMIO */
+
+  s.main.sg_flags &= ~(ECHO | CRMOD | ANYP | ALLDELAY | RAW | LCASE
+		       | CBREAK | TANDEM);
+  s.main.sg_flags |= LPASS8;
+  s.main.sg_erase = 0377;
+  s.main.sg_kill = 0377;
+  s.lmode = LLITOUT | s.lmode;        /* Don't strip 8th bit */
+
 #endif /* not HAVE_TERMIO */
 
   EMACS_SET_TTY (out, &s, 0);
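Review bot: the relocated `#else /* not HAVE_TERMIO */` block is moved verbatim, so nothing at its new position records why the ordering matters. A short comment above the `#else` saying that the ICANON handling and the `VMIN`/`VTIME` settings must stay inside the termio branch would guard against the same misplacement. A regression check that sends a line longer than 4096 characters to a shell subprocess and compares what arrives would catch it if it recurs.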





Information forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs@HIDDEN:
bug#6149; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: jidanni@HIDDEN
To: bug-gnu-emacs@HIDDEN
Subject: 24.0.50; shell buffer overflow when input longer than 4096 bytes
Date: Mon, 10 May 2010 12:14:54 +0800
Message-ID: <87aas81jgh.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=

This is a serious bug in M-x shell. It is not a bash or dash bug. It is
not a readline bug. It does not happen in xterm. It does not happen when
using pipes or backticks to get the input. It only happens in M-x
shell... when one gives lines longer than ~4096 characters.

Actually it is not buffer overflow, but buffer truncation, with NO
WARNING to the user. One day the wrong file will get removed via this
mess.

In GNU Emacs 24.0.50.1 (i486-pc-linux-gnu, GTK+ Version 2.20.0)
 of 2010-05-01 on elegiac, modified by Debian
 (emacs-snapshot package, version 1:20100501-1)


--=-=-=
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=input_truncation.txt.gz
Content-Transfer-Encoding: base64
Content-Description: buffer truncation
--=-=-=--





Acknowledgement sent to jidanni@HIDDEN:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs@HIDDEN:
bug#6149; Package emacs. Full text available.
Last modified: Fri, 28 Sep 2018 20:00:02 UTC
