emacs-diffs

[Emacs-diffs] /srv/bzr/emacs/trunk r103031: make-docfile: don't corrupt


From: Jim Meyering
Subject: [Emacs-diffs] /srv/bzr/emacs/trunk r103031: make-docfile: don't corrupt heap for an invalid .elc file
Date: Sun, 30 Jan 2011 10:17:36 +0100
User-agent: Bazaar (2.0.3)

------------------------------------------------------------
revno: 103031
committer: Jim Meyering <address@hidden>
branch nick: trunk
timestamp: Sun 2011-01-30 10:17:36 +0100
message:
  make-docfile: don't corrupt heap for an invalid .elc file
modified:
  lib-src/ChangeLog
  lib-src/make-docfile.c
=== modified file 'lib-src/ChangeLog'
--- a/lib-src/ChangeLog 2011-01-29 12:36:11 +0000
+++ b/lib-src/ChangeLog 2011-01-30 09:17:36 +0000
@@ -1,3 +1,11 @@
+2011-01-30  Jim Meyering  <address@hidden>
+
+       make-docfile: don't corrupt heap for an invalid .elc file
+       "printf 'address@hidden' > in.elc; ./make-docfile in.elc" would store 0
+       one byte before just-malloc'd saved_string buffer.
+       * make-docfile.c (scan_lisp_file): Diagnose an invalid dynamic
+       doc string length.  Also fix an always-false while-loop test.
+
 2011-01-29  Eli Zaretskii  <address@hidden>
 
        * makefile.w32-in (LOCAL_FLAGS): Add -I../lib.

=== modified file 'lib-src/make-docfile.c'
--- a/lib-src/make-docfile.c    2011-01-25 04:08:28 +0000
+++ b/lib-src/make-docfile.c    2011-01-30 09:17:36 +0000
@@ -873,8 +873,8 @@
          c = getc (infile);
          if (c == '@')
            {
-             int length = 0;
-             int i;
+             size_t length = 0;
+             size_t i;
 
              /* Read the length.  */
              while ((c = getc (infile),
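Review bot: widening `length` to `size_t` removes the signed-overflow undefined behaviour in the digit loop that starts here, but the accumulation (`length += c - '0'`, visible at the top of the next hunk) still has no upper bound, so a long run of digits wraps silently modulo SIZE_MAX and can arrive at the later sanity check as a small, plausible-looking value. Consider rejecting the length as soon as it exceeds a sane maximum (or the remaining size of the input) before the multiply-and-add, rather than only checking the final result.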
@@ -884,6 +884,12 @@
                  length += c - '0';
                }
 
+             if (length <= 1)
+               fatal ("invalid dynamic doc string length", "");
+
+             if (c != ' ')
+               fatal ("space not found after dynamic doc string length", "");
+
              /* The next character is a space that is counted in the length
                 but not part of the doc string.
                 We already read it, so just ignore it.  */
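Review bot: the new `length <= 1` test rejects length 1 as well as 0, yet by the comment right below it ("a space that is counted in the length but not part of the doc string") length 1 is exactly the encoding of an empty doc string, and with length 1 the later `saved_string[length - 1] = 0` writes at index 0, inside the buffer. Only length 0 makes that store land before the allocation (and, now that `length` is unsigned, at an enormous positive offset). If empty dynamic doc strings are meant to be an error, the message "invalid dynamic doc string length" should say so; otherwise the check should be `length == 0`. Either way, reporting the offending value in the diagnostic would make a bad .elc easier to track down than the empty second argument passed to `fatal`.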
@@ -899,7 +905,7 @@
                 but it is redundant in DOC.  So get rid of it here.  */
              saved_string[length - 1] = 0;
              /* Skip the line break.  */
-             while (c == '\n' && c == '\r')
+             while (c == '\n' || c == '\r')
                c = getc (infile);
              /* Skip the following line.  */
              while (c != '\n' && c != '\r')
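Review bot: the `||` fix to the line-break loop is correct, but the "Skip the following line" loop that closes this hunk, `while (c != '\n' && c != '\r')`, tests only for the two line terminators. Assuming its body mirrors the preceding loop's `c = getc (infile)` (the body is outside the hunk), an .elc file truncated right after the doc string makes `getc` return EOF, which is neither '\n' nor '\r', so the loop never terminates. Both skip loops should also stop on `c == EOF`, which is in the same spirit as the new invalid-length diagnostics: a malformed input should be reported, not spun on.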

