emacs-devel

Re: Problem report #85 RESOLVED


From: Kenichi Handa
Subject: Re: Problem report #85 RESOLVED
Date: Thu, 11 May 2006 13:14:59 +0900
User-agent: SEMI/1.14.3 (Ushinoya) FLIM/1.14.2 (Yagi-Nishiguchi) APEL/10.2 Emacs/22.0.50 (i686-pc-linux-gnu) MULE/5.0 (SAKAKI)

In article <address@hidden>, Dan Nicolaescu <address@hidden> writes:

> CID: 85
> Checker: USE_AFTER_FREE (help)
> File: base/src/emacs/src/fileio.c
> Function: Finsert_file_contents
> Description: Using freed pointer "conversion_buffer"

> Event freed_arg: Pointer "conversion_buffer" freed by function "xfree" [model]
> Also see events: [double_free][double_free][use_after_free][use_after_free]

> 4326            xfree (conversion_buffer);
> 4327            coding_free_composition_data (&coding);

> At conditional (1): "how_much == -1" taking false path

> 4328            if (how_much == -1)
> 4329              error ("IO error reading %s: %s",
> 4330                     SDATA (orig_filename), emacs_strerror (errno));

> At conditional (2): "how_much == -2" taking false path

> 4331            else if (how_much == -2)
> 4332              error ("maximum buffer size exceeded");
> 4333          }

This part of the code is surely suspicious.  Now the
relevant code is this:

      /* At this point, INSERTED is how many characters (i.e. bytes)
         are present in CONVERSION_BUFFER.
         HOW_MUCH should equal TOTAL,
         or should be <= 0 if we couldn't read the file.  */

      if (how_much < 0)
        {
          xfree (conversion_buffer);
          coding_free_composition_data (&coding);
          if (how_much == -1)
            error ("IO error reading %s: %s",
                   SDATA (orig_filename), emacs_strerror (errno));
          else if (how_much == -2)
            error ("maximum buffer size exceeded");
        }

I think we must always signal an error if how_much < 0.
And, I see no code setting how_much to -2 before there.
how_much is set to negative only if emacs_read returned a
negative value.  In addition, we don't have to check for
exceeding the buffer size here (it's done later in insert_1).
So, I've just installed this change.

2006-05-11  Kenichi Handa  <address@hidden>

        * fileio.c (Finsert_file_contents): Fix for the case of IO error
        while handling replace operation.

*** fileio.c    08 May 2006 13:13:09 +0900      1.564
--- fileio.c    11 May 2006 13:07:04 +0900      
***************
*** 4325,4335 ****
        {
          xfree (conversion_buffer);
          coding_free_composition_data (&coding);
!         if (how_much == -1)
!           error ("IO error reading %s: %s",
!                  SDATA (orig_filename), emacs_strerror (errno));
!         else if (how_much == -2)
!           error ("maximum buffer size exceeded");
        }
  
        /* Compare the beginning of the converted file
--- 4325,4332 ----
        {
          xfree (conversion_buffer);
          coding_free_composition_data (&coding);
!         error ("IO error reading %s: %s",
!                SDATA (orig_filename), emacs_strerror (errno));
        }
  
        /* Compare the beginning of the converted file
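Review bot: the unconditional error () in the new 4325,4332 block is what closes the path the checker flagged: with the old `if (how_much == -1) ... else if (how_much == -2)` dispatch, any other negative how_much fell through the block with conversion_buffer already passed to xfree, and execution continued into the "Compare the beginning of the converted file" code below. Two things are worth confirming on this hunk: that error () cannot return on any path here (the freed pointer is still in scope below the block), and that emacs_strerror (errno) still describes the read failure, since xfree (conversion_buffer) and coding_free_composition_data (&coding) both run before error () reads errno and either may clobber it; saving errno into a local before the cleanup calls and passing that to emacs_strerror would make the message reliable. The dropped "maximum buffer size exceeded" message is justified by the covering text (no code sets -2 here, and insert_1 checks the size later), so a one-line comment above the block saying so would keep the next reader from re-adding the branch.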

---
Kenichi Handa
address@hidden
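As an added model of the control-flow problem described above (not code from Emacs or from this thread): the buffer is freed first and only two negative values raise an error, so any other negative how_much continues into code that still uses the pointer, while the fixed block raises unconditionally. It assumes a longjmp-based stand-in for Emacs's non-returning error () and uses NULL in place of the dangling pointer so that freed memory is never touched.

```c
#include <setjmp.h>
#include <stdlib.h>

/* Constructed stand-in for Emacs's error (): it never returns, but
   unwinds to the nearest handler, as signalling a Lisp error does. */
static jmp_buf error_handler;
static void signal_error(void) { longjmp(error_handler, 1); }

/* Cleanup block as it was before the fix: the buffer is freed first,
   but only two specific negative values of how_much raise an error. */
static void cleanup_before_fix(char **buf, int how_much)
{
  free(*buf);
  *buf = NULL;          /* model: NULL stands in for a dangling pointer */
  if (how_much == -1)
    signal_error();
  else if (how_much == -2)
    signal_error();
  /* any other negative how_much falls through with *buf already freed */
}

/* Cleanup block as installed by the fix: any negative how_much raises. */
static void cleanup_after_fix(char **buf, int how_much)
{
  (void) how_much;
  free(*buf);
  *buf = NULL;
  signal_error();
}

/* Simulates the read-error path of Finsert_file_contents.  Returns 1 if
   control would reach the code that still uses conversion_buffer after
   the cleanup block (a use-after-free in the real code), 0 if the error
   unwound first, -1 on allocation failure.  Freed memory is never read. */
static int continues_past_cleanup(void (*cleanup)(char **, int), int how_much)
{
  char *conversion_buffer = malloc(16);
  int reached_later_code;
  if (conversion_buffer == NULL)
    return -1;
  if (setjmp(error_handler) != 0)
    return 0;           /* signal_error () unwound to here; buffer freed */
  if (how_much < 0)
    cleanup(&conversion_buffer, how_much);
  /* Later code (comparing the converted text) would run from here on. */
  reached_later_code = (conversion_buffer == NULL);
  free(conversion_buffer);   /* free (NULL) is a no-op */
  return reached_later_code;
}
```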