Crash while determining coding system

[Originally sent 19 Mar and then again 27 Mar 2014, but I think I accidentally sent HTML email, so both copies are probably sitting in the spam trap.] I just received a bug report for the Fedora build of XEmacs: https://bugzilla.redhat.com/show_bug.cgi?id=1078159 What seems to have happened is that determine_real_coding_system (file-coding.c) was called, and tried to read some data from the lstream. However, Lstream_read encountered an error of some kind, I don't know what. This resulted in an empty buffer, and nread == -1. We then proceeded to pass the empty buffer and the count of -1 to detect_coding_type, which used the count of -1 to justify walking off the end of allocated memory, thereby triggering a segfault. We need to notice the Lstream_read failure and bail out of determine_real_coding_system. Would something like this be appropriate? diff -r 9fae6227ede5 src/ChangeLog --- a/src/ChangeLog Thu Mar 27 08:59:03 2014 -0600 +++ b/src/ChangeLog Thu Mar 27 09:32:53 2014 -0600 ＠＠ -1,3 +1,10 ＠＠ +2014-03-27 Jerry James <james(a)xemacs.org&gt; + + * file-coding.c (encode_decode_coding_region): Bail out if + Lstream_read encounters an error (returns -1). + (determine_real_coding_system): Ditto. + (Ffind_coding_system_magic_cookie_in_file): Ditto. + 2014-01-27 Michael Sperber <mike(a)xemacs.org&gt; * symbols.c (Fdefine_function): Allow optional `docstring' diff -r 9fae6227ede5 src/file-coding.c --- a/src/file-coding.c Thu Mar 27 08:59:03 2014 -0600 +++ b/src/file-coding.c Thu Mar 27 09:32:53 2014 -0600 ＠＠ -2294,7 +2294,7 ＠＠ Bytecount size_in_bytes = Lstream_read (istr, tempbuf, sizeof (tempbuf)); - if (!size_in_bytes) + if (size_in_bytes <= 0) break; newpos = lisp_buffer_stream_startpos (istr); Lstream_write (ostr, tempbuf, size_in_bytes); ＠＠ -3863,24 +3863,32 ＠＠ make_opaque_ptr (st)); UExtbyte buf[4096]; Bytecount nread = Lstream_read (stream, buf, sizeof (buf)); - Lisp_Object coding_system - = look_for_coding_system_magic_cookie (buf, nread, 1); - - if (NILP (coding_system)) + Lisp_Object coding_system; + + if (nread > 0) { - while (1) + coding_system = look_for_coding_system_magic_cookie (buf, nread, 1); + + if (NILP (coding_system)) { - if (detect_coding_type (st, buf, nread)) - break; - nread = Lstream_read (stream, buf, sizeof (buf)); - if (nread == 0) - break; + while (1) + { + if (detect_coding_type (st, buf, nread)) + break; + nread = Lstream_read (stream, buf, sizeof (buf)); + if (nread <= 0) + break; + } + + coding_system = detected_coding_system (st); } - coding_system = detected_coding_system (st); + Lstream_rewind (stream); } - - Lstream_rewind (stream); + else + { + coding_system = Qnil; + } unbind_to (depth); return coding_system; ＠＠ -4315,7 +4323,9 ＠＠ Lstream_delete (XLSTREAM (lstream)); retry_close (fd); - return look_for_coding_system_magic_cookie (buf, nread, 0); + return (nread > 0) + ? look_for_coding_system_magic_cookie (buf, nread, 0) +: Qnil; } -- Jerry James http://www.jamezone.org/ _______________________________________________ XEmacs-Beta mailing list XEmacs-Beta(a)xemacs.org http://lists.xemacs.org/mailman/listinfo/xemacs-beta