| author | Jim Meyering | 2011-01-30 10:17:36 +0100 |
|---|---|---|
| committer | Jim Meyering | 2011-01-30 10:17:36 +0100 |
| commit | 8aec9916dd8213e2efc77ec32cb57256e1f332be (patch) | |
| tree | 2de47f2c35a4c92f4882522f5c26d8b987f949f1 /lib-src | |
| parent | 7920f982949ff41796a9be16e8cce5e797e6caa9 (diff) | |
make-docfile: don't corrupt heap for an invalid .elc file
Diffstat (limited to 'lib-src')
| -rw-r--r-- | lib-src/ChangeLog | 8 | ||||
| -rw-r--r-- | lib-src/make-docfile.c | 12 |
2 files changed, 17 insertions, 3 deletions
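--- a/lib-src/ChangeLog
+++ b/lib-src/ChangeLog
@@ -1,3 +1,11 @@
+2011-01-30 Jim Meyering <meyering@redhat.com>
+
+make-docfile: don't corrupt heap for an invalid .elc file
+"printf '#@1a' > in.elc; ./make-docfile in.elc" would store 0
+one byte before just-malloc'd saved_string buffer.
+* make-docfile.c (scan_lisp_file): Diagnose an invalid dynamic
+doc string length. Also fix an always-false while-loop test.
+
 2011-01-29 Eli Zaretskii <eliz@gnu.org>
 
 * makefile.w32-in (LOCAL_FLAGS): Add -I../lib.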
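--- a/lib-src/make-docfile.c
+++ b/lib-src/make-docfile.c
@@ -873,8 +873,8 @@ scan_lisp_file (const char *filename, const char *mode)
 c = getc (infile);
 if (c == '@')
 {
-int length = 0;
-int i;
+size_t length = 0;
+size_t i;
 
 /* Read the length. */
 while ((c = getc (infile),
@@ -884,6 +884,12 @@ scan_lisp_file (const char *filename, const char *mode)
 length += c - '0';
 }
 
+if (length <= 1)
+fatal ("invalid dynamic doc string length", "");
+
+if (c != ' ')
+fatal ("space not found after dynamic doc string length", "");
+
 /* The next character is a space that is counted in the length
 but not part of the doc string.
 We already read it, so just ignore it. */
@@ -899,7 +905,7 @@ scan_lisp_file (const char *filename, const char *mode)
 but it is redundant in DOC. So get rid of it here. */
 saved_string[length - 1] = 0;
 /* Skip the line break. */
-while (c == '\n' && c == '\r')
+while (c == '\n' || c == '\r')
 c = getc (infile);
 /* Skip the following line. */
 while (c != '\n' && c != '\r')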
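Review bot: The "Skip the following line" loop that closes the last hunk, `while (c != '\n' && c != '\r')`, has no end-of-file test, so a .elc that ends right after the doc string would presumably leave c at EOF and never terminate. Its body lies outside the hunk, so this is inferred from the condition alone. Since this commit hardens scan_lisp_file against malformed input, the condition could become `while (c != '\n' && c != '\r' && c != EOF)`. Separately, the new `length <= 1` check bounds the length only from below, and the digit loop now accumulates into a size_t with no overflow or upper-bound test. It is worth confirming that the allocation and read code between the second and third hunks (not shown) copes with a declared length larger than what remains in the file.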