Fix array bounds violation when pty allocation fails.

* configure.ac (PTY_TTY_NAME_SPRINTF): Use PTY_NAME_SIZE, not sizeof pty_name, since pty_name is now a pointer to the array. * src/process.c (PTY_NAME_SIZE): New constant. (pty_name): Remove static variable; it's now auto. (allocate_pty): Define even if !HAVE_PTYS; that's simpler. Take pty_name as an arg rather than using a static variable. All callers changed. (create_process): Recover pty_flag from process, not from volatile local. (create_pty): Stay inside array even when pty allocation fails. (Fmake_serial_process): Omit unnecessary initializaiton of pty_flag.
author: Paul Eggert 2013-07-20 08:33:00 -0700
committer: Paul Eggert 2013-07-20 08:33:00 -0700
commit: 6496aec9e948e0e5e6646aff408391d78f3516cc (patch)
tree: d3e3afc92e5189ef1b1a8d2814965f003c13f96f /src/process.c
parent: b2a069c2f80cb2fdd683f5e044642b058c4d2326 (diff)
download: emacs-6496aec9e948e0e5e6646aff408391d78f3516cc.tar.gz
emacs-6496aec9e948e0e5e6646aff408391d78f3516cc.zip
1 files changed, 38 insertions, 49 deletions
diff --git a/src/process.c b/src/process.c
index f4ae662468b..12035da7b58 100644
--- a/src/process.c
+++ b/src/process.c
@@ -640,19 +640,16 @@ status_message (struct Lisp_Process *p)
    return Fcopy_sequence (Fsymbol_name (symbol));
 }
-#ifdef HAVE_PTYS
+enum { PTY_NAME_SIZE = 24 };
-/* The file name of the pty opened by allocate_pty.  */
-static char pty_name[24];
 /* Open an available pty, returning a file descriptor.
-   Return -1 on failure.
+   Store into PTY_NAME the file name of the terminal corresponding to the pty.
-   The file name of the terminal corresponding to the pty
+   Return -1 on failure.  */
-   is left in the variable pty_name.  */
 static int
-allocate_pty (void)
+allocate_pty (char pty_name[PTY_NAME_SIZE])
 {
+#ifdef HAVE_PTYS
  int fd;
 #ifdef PTY_ITERATION
@@ -697,9 +694,9 @@ allocate_pty (void)
            return fd;
          }
      }
+#endif /* HAVE_PTYS */
  return -1;
 }
-#endif /* HAVE_PTYS */
 static Lisp_Object
 make_process (Lisp_Object name)
@@ -1621,14 +1618,14 @@ create_process (Lisp_Object process, char **new_argv, Lisp_Object current_dir)
 #endif
  int forkin, forkout;
  bool pty_flag = 0;
+  char pty_name[PTY_NAME_SIZE];
  Lisp_Object lisp_pty_name = Qnil;
  Lisp_Object encoded_current_dir;
  inchannel = outchannel = -1;
-#ifdef HAVE_PTYS
  if (!NILP (Vprocess_connection_type))
-    outchannel = inchannel = allocate_pty ();
+    outchannel = inchannel = allocate_pty (pty_name);
  if (inchannel >= 0)
    {
@@ -1647,7 +1644,6 @@ create_process (Lisp_Object process, char **new_argv, Lisp_Object current_dir)
      lisp_pty_name = build_string (pty_name);
    }
  else
-#endif /* HAVE_PTYS */
    {
      if (emacs_pipe (sv) != 0)
        report_file_error ("Creating pipe", Qnil);
@@ -1704,7 +1700,6 @@ create_process (Lisp_Object process, char **new_argv, Lisp_Object current_dir)
    Lisp_Object volatile encoded_current_dir_volatile = encoded_current_dir;
    Lisp_Object volatile lisp_pty_name_volatile = lisp_pty_name;
    Lisp_Object volatile process_volatile = process;
-    bool volatile pty_flag_volatile = pty_flag;
    char **volatile new_argv_volatile = new_argv;
    int volatile forkin_volatile = forkin;
    int volatile forkout_volatile = forkout;
@@ -1716,12 +1711,13 @@ create_process (Lisp_Object process, char **new_argv, Lisp_Object current_dir)
    encoded_current_dir = encoded_current_dir_volatile;
    lisp_pty_name = lisp_pty_name_volatile;
    process = process_volatile;
-    pty_flag = pty_flag_volatile;
    new_argv = new_argv_volatile;
    forkin = forkin_volatile;
    forkout = forkout_volatile;
    wait_child_setup[0] = wait_child_setup_0_volatile;
    wait_child_setup[1] = wait_child_setup_1_volatile;
+    pty_flag = XPROCESS (process)->pty_flag;
  }
  if (pid == 0)
@@ -1791,15 +1787,15 @@ create_process (Lisp_Object process, char **new_argv, Lisp_Object current_dir)
      if (pty_flag)
        {
-          /* I wonder if emacs_close (emacs_open (pty_name, ...))
+          /* I wonder if emacs_close (emacs_open (SSDATA (lisp_pty_name), ...))
             would work?  */
          if (xforkin >= 0)
            emacs_close (xforkin);
-          xforkout = xforkin = emacs_open (pty_name, O_RDWR, 0);
+          xforkout = xforkin = emacs_open (SSDATA (lisp_pty_name), O_RDWR, 0);
          if (xforkin < 0)
            {
-              emacs_perror (pty_name);
+              emacs_perror (SSDATA (lisp_pty_name));
              _exit (EXIT_CANCELED);
            }
@@ -1899,17 +1895,16 @@ create_process (Lisp_Object process, char **new_argv, Lisp_Object current_dir)
    }
 }
-void
+static void
 create_pty (Lisp_Object process)
 {
+  char pty_name[PTY_NAME_SIZE];
  int inchannel, outchannel;
-  bool pty_flag = 0;
  inchannel = outchannel = -1;
-#ifdef HAVE_PTYS
  if (!NILP (Vprocess_connection_type))
-    outchannel = inchannel = allocate_pty ();
+    outchannel = inchannel = allocate_pty (pty_name);
  if (inchannel >= 0)
    {
@@ -1928,40 +1923,34 @@ create_pty (Lisp_Object process)
      child_setup_tty (forkout);
 #endif /* DONT_REOPEN_PTY */
 #endif /* not USG, or USG_SUBTTY_WORKS */
-      pty_flag = 1;
-    }
-#endif /* HAVE_PTYS */
-  fcntl (inchannel, F_SETFL, O_NONBLOCK);
+      fcntl (inchannel, F_SETFL, O_NONBLOCK);
-  fcntl (outchannel, F_SETFL, O_NONBLOCK);
+      fcntl (outchannel, F_SETFL, O_NONBLOCK);
-  /* Record this as an active process, with its channels.
+      /* Record this as an active process, with its channels.
-     As a result, child_setup will close Emacs's side of the pipes.  */
+         As a result, child_setup will close Emacs's side of the pipes.  */
-  chan_process[inchannel] = process;
+      chan_process[inchannel] = process;
-  XPROCESS (process)->infd = inchannel;
+      XPROCESS (process)->infd = inchannel;
-  XPROCESS (process)->outfd = outchannel;
+      XPROCESS (process)->outfd = outchannel;
-  /* Previously we recorded the tty descriptor used in the subprocess.
+      /* Previously we recorded the tty descriptor used in the subprocess.
-     It was only used for getting the foreground tty process, so now
+         It was only used for getting the foreground tty process, so now
-     we just reopen the device (see emacs_get_tty_pgrp) as this is
+         we just reopen the device (see emacs_get_tty_pgrp) as this is
-     more portable (see USG_SUBTTY_WORKS above).  */
+         more portable (see USG_SUBTTY_WORKS above).  */
-  XPROCESS (process)->pty_flag = pty_flag;
+      XPROCESS (process)->pty_flag = 1;
-  pset_status (XPROCESS (process), Qrun);
+      pset_status (XPROCESS (process), Qrun);
-  setup_process_coding_systems (process);
+      setup_process_coding_systems (process);
-  FD_SET (inchannel, &input_wait_mask);
+      FD_SET (inchannel, &input_wait_mask);
-  FD_SET (inchannel, &non_keyboard_wait_mask);
+      FD_SET (inchannel, &non_keyboard_wait_mask);
-  if (inchannel > max_process_desc)
+      if (inchannel > max_process_desc)
-    max_process_desc = inchannel;
+        max_process_desc = inchannel;
+      pset_tty_name (XPROCESS (process), build_string (pty_name));
+    }
  XPROCESS (process)->pid = -2;
-#ifdef HAVE_PTYS
-  if (pty_flag)
-    pset_tty_name (XPROCESS (process), build_string (pty_name));
-  else
-#endif
-    pset_tty_name (XPROCESS (process), Qnil);
 }
@@ -2589,7 +2578,7 @@ usage:  (make-serial-process &rest ARGS)  */)
    p->kill_without_query = 1;
  if (tem = Fplist_get (contact, QCstop), !NILP (tem))
    pset_command (p, Qt);
-  p->pty_flag = 0;
+  eassert (! p->pty_flag);
  if (!EQ (p->command, Qt))
    {
author	Paul Eggert	2013-07-20 08:33:00 -0700
committer	Paul Eggert	2013-07-20 08:33:00 -0700
commit	6496aec9e948e0e5e6646aff408391d78f3516cc (patch)
tree	d3e3afc92e5189ef1b1a8d2814965f003c13f96f /src/process.c
parent	b2a069c2f80cb2fdd683f5e044642b058c4d2326 (diff)
download	emacs-6496aec9e948e0e5e6646aff408391d78f3516cc.tar.gz emacs-6496aec9e948e0e5e6646aff408391d78f3516cc.zip