emacs-pretest-bug

emacs-unicode: crash in char_string()


From: Lawrence Mitchell
Subject: emacs-unicode: crash in char_string()
Date: Wed, 11 Apr 2007 12:31:08 +0100
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/23.0.0 (gnu/linux)

In GNU Emacs 23.0.0.3 (i686-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
 of 2007-04-02 on lamacq.ph.ed.ac.uk
Windowing system distributor `The X.Org Foundation', version 11.0.60802000
configured using `configure  '--enable-font-backend' '--with-xft' 
'--prefix=/scratch/s0198183/applications/emacs-unicode''


If called with a negative number as an argument, functions such as
insert, char-to-string, and so forth will cause Emacs 23 to segfault
in char_string().

This may be reproduced as follows:

emacs -Q

M-: (char-to-string -1) RET

The crash occurs in char_string().  This is due to assuming the first
(character) argument is positive.  If this is not the case, the code
does

  if (c <= MAX_3_BYTE_CHAR)
    {
      bytes = CHAR_STRING (c, p);
    }

Since c is negative, this code path is taken and the CHAR_STRING() macro
is called.  CHAR_STRING(), however, compares the unsigned value of c,
rather than the signed value:

  ((unsigned) (c) <= MAX_3_BYTE_CHAR
  ...
   : char_string (c, p))

Since the unsigned value of c is bigger than MAX_3_BYTE_CHAR, the
false code path is taken, calling char_string() again.  This repeats
until we run out of stack, causing a segfault.

The fix is to check the type of c in char_string() to ensure that it
can represent a valid character:

Index: src/character.c
===================================================================
RCS file: /sources/emacs/emacs/src/Attic/character.c,v
retrieving revision 1.1.4.12
diff -c -r1.1.4.12 character.c
*** src/character.c     15 Feb 2007 11:27:15 -0000      1.1.4.12
--- src/character.c     11 Apr 2007 11:30:41 -0000
***************
*** 105,110 ****
--- 105,112 ----
  {
    int bytes;
  
+   CHECK_CHARACTER (make_number (c));
+   
    if (c & CHAR_MODIFIER_MASK)
      {
        /* As an non-ASCII character can't have modifier bits, we just
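Review bot: the check is placed in char_string itself, but the report says the bad value arrives from Lisp callers such as insert and char-to-string, so the cleaner fix is to validate at those entry points and, for the recursion, make the `if (c <= MAX_3_BYTE_CHAR)` test in char_string agree with the macro's `(unsigned) (c) <= MAX_3_BYTE_CHAR` test; as written, the two still disagree on negative c and only the new guard keeps them from bouncing. Also consider that `CHECK_CHARACTER (make_number (c))` boxes c into a Lisp object and can signal a Lisp error (a non-local exit) from a low-level encoder that CHAR_STRING reaches for every character above the 3-byte range; a plain range test on the int (for example `c < 0 || c > MAX_CHAR`, with the caller deciding how to report it) avoids both costs. The ChangeLog entry should also mention the recursion between CHAR_STRING and char_string that the check prevents, not only that `c' is validated.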


ChangeLog entry

2007-04-11  Lawrence Mitchell  <address@hidden>

        * character.c (char_string): Ensure that `c' is a valid character.


Cheers,

Lawrence
-- 
Lawrence Mitchell <address@hidden>
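Added example (not from the report, and not Emacs's own code): a small C model of the mutual recursion the report describes, with the pre-fix and post-fix behaviour side by side. The CHAR_STRING_BUGGY macro compares the unsigned value exactly as the quoted macro does, while char_string_buggy compares the signed value, so a negative argument bounces between the two until a depth counter (standing in for stack exhaustion) stops it. char_string_fixed adds the range check the patch introduces. The constants MAX_3_BYTE_CHAR and MAX_CHAR are assumed to match Emacs's character.h; the encoders are simplified UTF-8, not Emacs's, and the return codes -1 (runaway recursion) and -2 (rejected argument) are this example's own convention.

```c
#include <stdio.h>

/* Constants modelled on Emacs's character.h (assumed values). */
#define MAX_3_BYTE_CHAR 0xFFFF
#define MAX_CHAR        0x3FFFFF

/* Stand-in for stack exhaustion: stop the recursion after this many
   nested calls instead of letting the process segfault. */
#define MAX_DEPTH 1000
static int depth;

/* Simplified UTF-8 encoders (constructed for this example, not Emacs's). */
static int encode_small (int c, unsigned char *p)   /* 0 <= c <= MAX_3_BYTE_CHAR */
{
  if (c < 0x80)  { p[0] = (unsigned char) c; return 1; }
  if (c < 0x800) { p[0] = 0xC0 | (c >> 6); p[1] = 0x80 | (c & 0x3F); return 2; }
  p[0] = 0xE0 | (c >> 12); p[1] = 0x80 | ((c >> 6) & 0x3F); p[2] = 0x80 | (c & 0x3F);
  return 3;
}
static int encode_large (int c, unsigned char *p)   /* c > MAX_3_BYTE_CHAR */
{
  p[0] = 0xF0 | (c >> 18);        p[1] = 0x80 | ((c >> 12) & 0x3F);
  p[2] = 0x80 | ((c >> 6) & 0x3F); p[3] = 0x80 | (c & 0x3F);
  return 4;
}

int char_string_buggy (int c, unsigned char *p);

/* Same shape as the macro quoted in the report: the comparison is made on
   the UNSIGNED value, and anything that fails it is handed to char_string. */
#define CHAR_STRING_BUGGY(c, p) \
  ((unsigned) (c) <= MAX_3_BYTE_CHAR ? encode_small ((c), (p)) \
                                     : char_string_buggy ((c), (p)))

/* Before the fix: char_string tests the SIGNED value, so a negative c
   passes c <= MAX_3_BYTE_CHAR here, fails the unsigned test in the macro,
   and is handed straight back to this function. */
int char_string_buggy (int c, unsigned char *p)
{
  if (++depth > MAX_DEPTH) return -1;            /* "ran out of stack" */
  if (c <= MAX_3_BYTE_CHAR) return CHAR_STRING_BUGGY (c, p);
  return encode_large (c, p);
}

/* After the fix: reject anything that is not a valid character before the
   macro is reached. Returning -2 stands in for the Lisp error that
   CHECK_CHARACTER would signal. */
int char_string_fixed (int c, unsigned char *p)
{
  if (c < 0 || c > MAX_CHAR) return -2;
  if (++depth > MAX_DEPTH) return -1;
  if (c <= MAX_3_BYTE_CHAR) return CHAR_STRING_BUGGY (c, p);
  return encode_large (c, p);
}

/* Reset the depth counter and run one encoder: returns the byte count,
   -1 for runaway recursion, -2 for a rejected argument. */
int buggy_status (int c) { unsigned char buf[8]; depth = 0; return char_string_buggy (c, buf); }
int fixed_status (int c) { unsigned char buf[8]; depth = 0; return char_string_fixed (c, buf); }

/* Pack the bytes produced by the fixed encoder big-endian into one value
   (0x41 for 'A', 0xE282AC for U+20AC) so they are easy to compare;
   0 when the argument is rejected. */
unsigned long fixed_encoding (int c)
{
  unsigned char buf[8]; unsigned long v = 0; int n, i;
  depth = 0;
  n = char_string_fixed (c, buf);
  for (i = 0; i < n; i++) v = (v << 8) | buf[i];
  return v;
}

int main (void)
{
  printf ("buggy(-1)     -> %d  (recursion stopped by the depth limit)\n", buggy_status (-1));
  printf ("fixed(-1)     -> %d  (rejected before the macro is reached)\n", fixed_status (-1));
  printf ("fixed(U+20AC) -> %d bytes, 0x%lX\n", fixed_status (0x20AC), fixed_encoding (0x20AC));
  return 0;
}
```

The depth counter is only there so the broken path can be observed and asserted on; the real Emacs build has no such limit, which is why the report ends in a segfault rather than an error.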
