[debbugs-tracker] bug#24118: closed (25.1; [PATCH] Fix a possible crash caused by mapcar1)

[GNU bug Tracking System]

Your message dated Tue, 2 Aug 2016 18:15:53 -0700
with message-id <address@hidden>
and subject line Re: 25.1; [PATCH] Fix a possible crash caused by mapcar1
has caused the debbugs.gnu.org bug report #24118,
regarding 25.1; [PATCH] Fix a possible crash caused by mapcar1
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
24118: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=24118
GNU Bug Tracking System
Contact address@hidden with problems
> --- Begin Message ---
>
>
>
> Subject: 
>
> 25.1; [PATCH] Fix a possible crash caused by mapcar1
>
>
>
>
> Date: 
>
> Sun, 31 Jul 2016 20:46:50 +0800
>
>
>
>
> Processing a list with `mapcar' or `mapconcat' can be terminated early
> when the list is tampered (as shown in the following example), and as a
> result we'll be dealing with uninitialized memory which will likely
> trigger a crash.
>
>   (setq a (make-list 10 0))
>   (mapcar (lambda (_)
>             (setcdr a nil))
>           a)
>
> Chris
>
> ---
>
> * src/fns.c (mapcar1): Check and reset uninitialized list elements.
> ---
>  src/fns.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/src/fns.c b/src/fns.c
> index d5a1f74..1804bce 100644
> --- a/src/fns.c
> +++ b/src/fns.c
> @@ -2524,6 +2524,10 @@ mapcar1 (EMACS_INT leni, Lisp_Object *vals, Lisp_Object 
> fn, Lisp_Object seq)
>             vals[i] = dummy;
>           tail = XCDR (tail);
>         }
> +
> +      /* In case the list was tampered and the loop terminated early. */
> +      if (i < leni)
> +        memclear (vals + i, (leni - i) * word_size);
>      }
>  }
>  
> -- 
> 2.8.1
>
>
>
>
> --- End Message ---

--- Begin Message --- Subject: Re: 25.1; [PATCH] Fix a possible crash caused by mapcar1 Date: Tue, 2 Aug 2016 18:15:53 -0700 User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 Thanks for the bug report. I installed the attached more-adventurous patch, which truncates the result rather than extending it with nils. This seems a bit more appropriate anyway.

Although it no longer matters for this patch, memclear is specified to store nil values regardless of how nil is represented. Of course memclear's current implementation assumes Qnil is zero, and memclear can't be portably and easily implemented if we merely change Qnil to be nonzero, but that's a bridge we don't have to cross unless we change Qnil to be nonzero.

0001-Fix-mapcar-F-S-crash-when-F-alters-S-s-length.txt
Description: Text document

--- End Message ---