From b3bf18b3b87ac8f00857b8bfc3f2c74cf0e2fb7d Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Sun, 7 Sep 2014 00:04:01 -0700 Subject: Use SAFE_ALLOCA etc. to avoid unbounded stack allocation. This follows up on the recent thread in emacs-devel on alloca; see: http://lists.gnu.org/archive/html/emacs-devel/2014-09/msg00042.html This patch also cleans up alloca-related glitches noted while examining the code looking for unbounded alloca. * alloc.c (listn): * callproc.c (init_callproc): Rewrite to avoid need for alloca. * buffer.c (mouse_face_overlay_overlaps) (report_overlay_modification): * buffer.h (GET_OVERLAYS_AT): * coding.c (make_subsidiaries): * doc.c (Fsnarf_documentation): * editfns.c (Fuser_full_name): * fileio.c (Ffile_name_directory, Fexpand_file_name) (search_embedded_absfilename, Fsubstitute_in_file_name): * fns.c (Fmake_hash_table): * font.c (font_vconcat_entity_vectors, font_update_drivers): * fontset.c (fontset_pattern_regexp, Ffontset_info): * frame.c (Fmake_terminal_frame, x_set_frame_parameters) (xrdb_get_resource, x_get_resource_string): * ftfont.c (ftfont_get_charset, ftfont_check_otf, ftfont_drive_otf): * ftxfont.c (ftxfont_draw): * image.c (xbm_load, xpm_load, jpeg_load_body): * keyboard.c (echo_add_key, menu_bar_items, tool_bar_items): * keymap.c (Fdescribe_buffer_bindings, describe_map): * lread.c (openp): * menu.c (digest_single_submenu, find_and_call_menu_selection) (find_and_return_menu_selection): * print.c (PRINTFINISH): * process.c (Fformat_network_address): * scroll.c (do_scrolling, do_direct_scrolling, scrolling_1): * search.c (search_buffer, Fmatch_data, Fregexp_quote): * sound.c (wav_play, au_play): * syntax.c (skip_chars): * term.c (tty_menu_activate, tty_menu_show): * textprop.c (get_char_property_and_overlay): * window.c (Fset_window_configuration): * xdisp.c (safe__call, next_overlay_change, vmessage) (compute_overhangs_and_x, draw_glyphs, note_mouse_highlight): * xfaces.c (face_at_buffer_position): * xmenu.c (x_menu_show): Use SAFE_ALLOCA etc. instead of plain alloca, since the allocation size isn't bounded. * callint.c (Fcall_interactively): Redo memory_full check so that it can be done at compile-time on some platforms. * coding.c (MAX_LOOKUP_MAX): New constant. (get_translation_table): Use it. * callproc.c (call_process): Use SAFE_NALLOCA instead of SAFE_ALLOCA, to catch integer overflows on size calculation. (exec_failed) [!DOS_NT]: New function. (child_setup) [!DOS_NT]: Use it. * editfns.c (Ftranspose_regions): Hoist USE_SAFE_ALLOC + SAFE_FREE out of 'if'. * editfns.c (check_translation): Allocate larger buffers on the heap. * eval.c (internal_lisp_condition_case): Check for MAX_ALLOCA overflow. * fns.c (sort_vector): Use SAFE_ALLOCA_LISP rather than Fmake_vector. (Fbase64_encode_region, Fbase64_decode_region): Avoid unnecessary calls to SAFE_FREE before 'error'. * buffer.c (mouse_face_overlay_overlaps): * editfns.c (Fget_pos_property, check_translation): * eval.c (Ffuncall): * font.c (font_unparse_xlfd, font_find_for_lface): * ftfont.c (ftfont_drive_otf): * keyboard.c (echo_add_key, read_decoded_event_from_main_queue) (menu_bar_items, tool_bar_items): * sound.c (Fplay_sound_internal): * xdisp.c (load_overlay_strings, dump_glyph_row): Use an ordinary auto buffer rather than alloca, since the allocation size is fixed and small. * ftfont.c: Include . (matching_prefix): New function. (get_adstyle_property): Use it, to avoid need for alloca. * keyboard.c (echo_add_key): * keymap.c (describe_map): Use ptrdiff_t, not int. * keyboard.c (echo_add_key): Prefer sizeof to strlen. * keymap.c (Fdescribe_buffer_bindings): Use SBYTES, not SCHARS, when counting bytes. * lisp.h (xlispstrdupa): Remove, replacing with ... (SAFE_ALLOCA_STRING): ... new macro with different API. This fixes a portability problem, namely, alloca result passed to another function. All uses changed. (SAFE_ALLOCA, SAFE_ALLOCA_LISP): Check for MAX_ALLOCA, not MAX_ALLOCA - 1. * regex.c (REGEX_USE_SAFE_ALLOCA, REGEX_SAFE_FREE) (REGEX_ALLOCATE): New macros. (REGEX_REALLOCATE, REGEX_ALLOCATE_STACK, REGEX_REALLOCATE_STACK) (REGEX_FREE_STACK, FREE_VARIABLES, re_match_2_internal): Use them. * xdisp.c (message3): Use SAFE_ALLOCA_STRING rather than doing it by hand. (decode_mode_spec_coding): Store directly into buf rather than into an alloca temporary and copying the temporary to the buf. Fixes: debbugs:18410 --- src/coding.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'src/coding.c') diff --git a/src/coding.c b/src/coding.c index 8b620af8695..84b774b4355 100644 --- a/src/coding.c +++ b/src/coding.c @@ -6867,6 +6867,11 @@ decode_eol (struct coding_system *coding) } +/* MAX_LOOKUP's maximum value. MAX_LOOKUP is an int and so cannot + exceed INT_MAX. Also, MAX_LOOKUP is multiplied by sizeof (int) for + alloca, so it cannot exceed MAX_ALLOCA / sizeof (int). */ +enum { MAX_LOOKUP_MAX = min (INT_MAX, MAX_ALLOCA / sizeof (int)) }; + /* Return a translation table (or list of them) from coding system attribute vector ATTRS for encoding (if ENCODEP) or decoding (if not ENCODEP). */ @@ -6919,7 +6924,7 @@ get_translation_table (Lisp_Object attrs, bool encodep, int *max_lookup) { val = XCHAR_TABLE (translation_table)->extras[1]; if (NATNUMP (val) && *max_lookup < XFASTINT (val)) - *max_lookup = XFASTINT (val); + *max_lookup = min (XFASTINT (val), MAX_LOOKUP_MAX); } else if (CONSP (translation_table)) { @@ -6931,7 +6936,7 @@ get_translation_table (Lisp_Object attrs, bool encodep, int *max_lookup) { Lisp_Object tailval = XCHAR_TABLE (XCAR (tail))->extras[1]; if (NATNUMP (tailval) && *max_lookup < XFASTINT (tailval)) - *max_lookup = XFASTINT (tailval); + *max_lookup = min (XFASTINT (tailval), MAX_LOOKUP_MAX); } } } @@ -10011,7 +10016,8 @@ make_subsidiaries (Lisp_Object base) { Lisp_Object subsidiaries; ptrdiff_t base_name_len = SBYTES (SYMBOL_NAME (base)); - char *buf = alloca (base_name_len + 6); + USE_SAFE_ALLOCA; + char *buf = SAFE_ALLOCA (base_name_len + 6); int i; memcpy (buf, SDATA (SYMBOL_NAME (base)), base_name_len); @@ -10021,6 +10027,7 @@ make_subsidiaries (Lisp_Object base) strcpy (buf + base_name_len, suffixes[i]); ASET (subsidiaries, i, intern (buf)); } + SAFE_FREE (); return subsidiaries; } -- cgit v1.2.1 From 4612d1eab721a1010312382d1048c8b3a67b18fa Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Sun, 7 Sep 2014 15:27:59 -0700 Subject: Fix bug uncovered by changing alloca to auto buffer. * coding.c (growable_destination): New function. (produce_chars): Use it for sanity checks. Do not fiddle with dst_end if the source and destination are both nil, as it's the caller's responsibility to avoid overlap. * keyboard.c (read_decoded_event_from_main_queue): The destination must be MAX_MULTIBYTE_LENGTH times the max source length, not 4 times, to prevent decode_coding_c_string from trying to reallocate a destination. This removes the need for the FIXME. Fixes: debbugs:18410 --- src/coding.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) (limited to 'src/coding.c') diff --git a/src/coding.c b/src/coding.c index 84b774b4355..ed107a297ba 100644 --- a/src/coding.c +++ b/src/coding.c @@ -690,6 +690,14 @@ CHECK_NATNUM_CDR (Lisp_Object x) XSETCDR (x, tmp); } +/* True if CODING's destination can be grown. */ + +static bool +growable_destination (struct coding_system *coding) +{ + return STRINGP (coding->dst_object) || BUFFERP (coding->dst_object); +} + /* Safely get one byte from the source text pointed by SRC which ends at SRC_END, and set C to that byte. If there are not enough bytes @@ -7019,8 +7027,10 @@ produce_chars (struct coding_system *coding, Lisp_Object translation_table, int *buf = coding->charbuf; int *buf_end = buf + coding->charbuf_used; - if (EQ (coding->src_object, coding->dst_object)) + if (EQ (coding->src_object, coding->dst_object) + && ! NILP (coding->dst_object)) { + eassert (growable_destination (coding)); coding_set_source (coding); dst_end = ((unsigned char *) coding->source) + coding->consumed; } @@ -7059,6 +7069,7 @@ produce_chars (struct coding_system *coding, Lisp_Object translation_table, if ((dst_end - dst) / MAX_MULTIBYTE_LENGTH < to_nchars) { + eassert (growable_destination (coding)); if (((min (PTRDIFF_MAX, SIZE_MAX) - (buf_end - buf)) / MAX_MULTIBYTE_LENGTH) < to_nchars) @@ -7103,7 +7114,10 @@ produce_chars (struct coding_system *coding, Lisp_Object translation_table, const unsigned char *src_end = src + coding->consumed; if (EQ (coding->dst_object, coding->src_object)) - dst_end = (unsigned char *) src; + { + eassert (growable_destination (coding)); + dst_end = (unsigned char *) src; + } if (coding->src_multibyte != coding->dst_multibyte) { if (coding->src_multibyte) @@ -7119,6 +7133,7 @@ produce_chars (struct coding_system *coding, Lisp_Object translation_table, ONE_MORE_BYTE (c); if (dst == dst_end) { + eassert (growable_destination (coding)); if (EQ (coding->src_object, coding->dst_object)) dst_end = (unsigned char *) src; if (dst == dst_end) @@ -7149,6 +7164,7 @@ produce_chars (struct coding_system *coding, Lisp_Object translation_table, if (dst >= dst_end - 1) { + eassert (growable_destination (coding)); if (EQ (coding->src_object, coding->dst_object)) dst_end = (unsigned char *) src; if (dst >= dst_end - 1) -- cgit v1.2.1 From 6846b0036a0ff938d93c2d4df0f177dab3e06623 Mon Sep 17 00:00:00 2001 From: Dmitry Antipov Date: Fri, 3 Oct 2014 08:35:10 +0400 Subject: Consistently use min and max macros from lisp.h. * coding.c (min, max): * font.c (MAX): * unexhp9k800.c (min): * unexw32.c (min, max): Use definitions from lisp.h. * regex.c (MAX, MIN) [!emacs]: Define own max and min as such. Adjust users. * gmalloc.c (min): Tiny style change. --- src/coding.c | 9 --------- 1 file changed, 9 deletions(-) (limited to 'src/coding.c') diff --git a/src/coding.c b/src/coding.c index ed107a297ba..0337c0df60e 100644 --- a/src/coding.c +++ b/src/coding.c @@ -642,15 +642,6 @@ static enum coding_category coding_priorities[coding_category_max]; Nth coding category. */ static struct coding_system coding_categories[coding_category_max]; -/*** Commonly used macros and functions ***/ - -#ifndef min -#define min(a, b) ((a) < (b) ? (a) : (b)) -#endif -#ifndef max -#define max(a, b) ((a) > (b) ? (a) : (b)) -#endif - /* Encode a flag that can be nil, something else, or t as -1, 0, 1. */ static int -- cgit v1.2.1 From 1943141cf64f1935ba745c0dab5508d26adc6837 Mon Sep 17 00:00:00 2001 From: Kenichi Handa Date: Sun, 5 Oct 2014 17:17:15 +0900 Subject: coding.c (detect_coding_iso_2022): Set coding->rejected correctly when an invalid escape sequence is found (Bug#18610). --- src/coding.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) (limited to 'src/coding.c') diff --git a/src/coding.c b/src/coding.c index 0337c0df60e..02e59286dc8 100644 --- a/src/coding.c +++ b/src/coding.c @@ -3073,8 +3073,13 @@ detect_coding_iso_2022 (struct coding_system *coding, ONE_MORE_BYTE (c1); if (c1 < ' ' || c1 >= 0x80 || (id = iso_charset_table[0][c >= ','][c1]) < 0) - /* Invalid designation sequence. Just ignore. */ - break; + { + /* Invalid designation sequence. Just ignore. */ + if (c1 >= 0x80) + rejected |= (CATEGORY_MASK_ISO_7BIT + | CATEGORY_MASK_ISO_7_ELSE); + break; + } } else if (c == '$') { @@ -3088,16 +3093,29 @@ detect_coding_iso_2022 (struct coding_system *coding, ONE_MORE_BYTE (c1); if (c1 < ' ' || c1 >= 0x80 || (id = iso_charset_table[1][c >= ','][c1]) < 0) - /* Invalid designation sequence. Just ignore. */ - break; + { + /* Invalid designation sequence. Just ignore. */ + if (c1 >= 0x80) + rejected |= (CATEGORY_MASK_ISO_7BIT + | CATEGORY_MASK_ISO_7_ELSE); + break; + } } else - /* Invalid designation sequence. Just ignore it. */ - break; + { + /* Invalid designation sequence. Just ignore it. */ + if (c >= 0x80) + rejected |= (CATEGORY_MASK_ISO_7BIT + | CATEGORY_MASK_ISO_7_ELSE); + break; + } } else { /* Invalid escape sequence. Just ignore it. */ + if (c >= 0x80) + rejected |= (CATEGORY_MASK_ISO_7BIT + | CATEGORY_MASK_ISO_7_ELSE); break; } -- cgit v1.2.1 From 21c1abcae174704033a7f5b164081503501b921e Mon Sep 17 00:00:00 2001 From: Kenichi Handa Date: Sun, 5 Oct 2014 17:52:04 +0900 Subject: coding.c (detect_coding_iso_2022): Fix previous change. --- src/coding.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/coding.c') diff --git a/src/coding.c b/src/coding.c index 02e59286dc8..f63d710ce9a 100644 --- a/src/coding.c +++ b/src/coding.c @@ -3166,7 +3166,7 @@ detect_coding_iso_2022 (struct coding_system *coding, if (inhibit_iso_escape_detection) break; single_shifting = 0; - rejected |= CATEGORY_MASK_ISO_7BIT; + rejected |= CATEGORY_MASK_ISO_7BIT | CATEGORY_MASK_ISO_7_ELSE; if (CODING_ISO_FLAGS (&coding_categories[coding_category_iso_8_1]) & CODING_ISO_FLAG_SINGLE_SHIFT) { @@ -3193,9 +3193,9 @@ detect_coding_iso_2022 (struct coding_system *coding, single_shifting = 0; break; } + rejected |= CATEGORY_MASK_ISO_7BIT | CATEGORY_MASK_ISO_7_ELSE; if (c >= 0xA0) { - rejected |= CATEGORY_MASK_ISO_7BIT | CATEGORY_MASK_ISO_7_ELSE; found |= CATEGORY_MASK_ISO_8_1; /* Check the length of succeeding codes of the range 0xA0..0FF. If the byte length is even, we include -- cgit v1.2.1 From bb75cdf9c74ab19b75532da1f953233a47eedab4 Mon Sep 17 00:00:00 2001 From: Dmitry Antipov Date: Tue, 14 Oct 2014 16:45:41 +0400 Subject: Cleanup terminal handling code. * dispextern.h (get_named_tty): Remove prototype but... * termhooks.h (get_named_terminal): ...resurrect it under more meaningful name. (get_terminal): Likewise, but with... (decode_live_terminal): ...this name. (decode_tty_terminal): Add prototype. * term.c (get_tty_terminal): Remove. (get_named_tty): Remove. (Ftty_display_color_p, Ftty_display_color_cells, Ftty_type) (Fcontrolling_tty_p, Fsuspend_tty, Fresume_tty): Use decode_tty_terminal. (Ftty_no_underline, Ftty_top_frame): Use decode_live_terminal. * terminal.c (get_terminal): Refactor to... (decode_terminal, decode_live_terminal): ...new functions. (decode_tty_terminal): Replacement for get_tty_terminal. (get_named_terminal): Likewise for get_named_tty. * coding.c (Fset_terminal_coding_system_internal) (Fterminal_coding_system, Fset_keyboard_coding_system_internal): (Fkeyboard_coding_system): * composite.c (Fcomposition_get_gstring): * dispnew.c (Fsend_string_to_terminal): * frame.c (Fmake_terminal_frame): * nsfns.m (check_ns_display_info): * w32fns.c, xfns.c (check_x_display_info): * xselect.c (frame_for_x_selection): Use decode_live_terminal. * keyboard.c (handle_interrupt_signal, handle_interrupt) (Fset_quit_char): Use get_named_terminal. (Fset_output_flow_control, Fset_input_meta_mode): Use decode_tty_terminal. --- src/coding.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src/coding.c') diff --git a/src/coding.c b/src/coding.c index f63d710ce9a..e4b52f6db48 100644 --- a/src/coding.c +++ b/src/coding.c @@ -9759,7 +9759,7 @@ DEFUN ("set-terminal-coding-system-internal", Fset_terminal_coding_system_intern doc: /* Internal use only. */) (Lisp_Object coding_system, Lisp_Object terminal) { - struct terminal *term = get_terminal (terminal, 1); + struct terminal *term = decode_live_terminal (terminal); struct coding_system *terminal_coding = TERMINAL_TERMINAL_CODING (term); CHECK_SYMBOL (coding_system); setup_coding_system (Fcheck_coding_system (coding_system), terminal_coding); @@ -9800,7 +9800,7 @@ frame's terminal device. */) (Lisp_Object terminal) { struct coding_system *terminal_coding - = TERMINAL_TERMINAL_CODING (get_terminal (terminal, 1)); + = TERMINAL_TERMINAL_CODING (decode_live_terminal (terminal)); Lisp_Object coding_system = CODING_ID_NAME (terminal_coding->id); /* For backward compatibility, return nil if it is `undecided'. */ @@ -9812,7 +9812,7 @@ DEFUN ("set-keyboard-coding-system-internal", Fset_keyboard_coding_system_intern doc: /* Internal use only. */) (Lisp_Object coding_system, Lisp_Object terminal) { - struct terminal *t = get_terminal (terminal, 1); + struct terminal *t = decode_live_terminal (terminal); CHECK_SYMBOL (coding_system); if (NILP (coding_system)) coding_system = Qno_conversion; @@ -9831,7 +9831,7 @@ DEFUN ("keyboard-coding-system", (Lisp_Object terminal) { return CODING_ID_NAME (TERMINAL_KEYBOARD_CODING - (get_terminal (terminal, 1))->id); + (decode_live_terminal (terminal))->id); } -- cgit v1.2.1