[COMMIT] Avoid C overflow with #@FIXNUM-style docstrings. Thank you Hao Sun!

Thursday, 16 March 2017

APPROVE COMMIT

NOTE: This patch has been committed.

# HG changeset patch
# User Aidan Kehoe <kehoea(a)parhasard.net&gt;
# Date 1489624832 0
#      Thu Mar 16 00:40:32 2017 +0000
# Node ID 0ae4d70fef9389d2d99dc048cc86bb5745854680
# Parent  72c0d63b2ad689f80852f6195eda16128eb62081
Avoid C overflow with #＠FIXNUM-style docstrings. Thank you Hao Sun!

src/ChangeLog addition:

2017-03-15  Aidan Kehoe  <kehoea(a)parhasard.net&gt;

	* lread.c (read1):
	If a #＠INTEGER docstring comment has an unreasonably large
	INTEGER, error, instead of silently wrapping. Thank you for the
	bug report, Hao Sun.

tests/ChangeLog addition:

2017-03-16  Aidan Kehoe  <kehoea(a)parhasard.net&gt;

	* automated/lisp-reader-tests.el (args-out-of-range):
	Test we don't wrap on reading a C integer with long #＠ comments.

lisp/ChangeLog addition:

2017-03-15  Aidan Kehoe  <kehoea(a)parhasard.net&gt;

	* make-docfile.el:
	Don't bother working around a berkeley-unix and next-mach bug
	that is likely long fixed anyway.
	Print the stderr of make-docfile to the terminal instead of simply
	discarding it.
	Pass through make-docfile's exit code.

lib-src/ChangeLog addition:

2017-03-15  Aidan Kehoe  <kehoea(a)parhasard.net&gt;

	* make-docfile.c (scan_lisp_file):
	Don't wrap the integer counter when reading the length of a #＠
	comment. Thank you for the tracker bug report, Hao Sun in tracker
	issue 870!

diff -r 72c0d63b2ad6 -r 0ae4d70fef93 lib-src/ChangeLog
--- a/lib-src/ChangeLog	Wed Mar 15 22:54:10 2017 +0000
+++ b/lib-src/ChangeLog	Thu Mar 16 00:40:32 2017 +0000
＠＠ -1,3 +1,10 ＠＠
+2017-03-15  Aidan Kehoe  <kehoea(a)parhasard.net&gt;
+
+	* make-docfile.c (scan_lisp_file):
+	Don't wrap the integer counter when reading the length of a #＠
+	comment. Thank you for the tracker bug report, Hao Sun in tracker
+	issue 870!
+
 2015-03-08  Aidan Kehoe  <kehoea(a)parhasard.net&gt;

 	* gnuserv.c (echo_request):
diff -r 72c0d63b2ad6 -r 0ae4d70fef93 lib-src/make-docfile.c
--- a/lib-src/make-docfile.c	Wed Mar 15 22:54:10 2017 +0000
+++ b/lib-src/make-docfile.c	Thu Mar 16 00:40:32 2017 +0000
＠＠ -1099,15 +1099,25 ＠＠
 	  c = getc_skipping_iso2022 (infile);
 	  if (c == '＠')
 	    {
-	      int length = 0;
-	      int i;
+	      unsigned int nlength = 0, length = 0;
+	      unsigned int i;

 	      /* Read the length.  */
 	      while ((c = getc_skipping_iso2022 (infile),
 		      c >= '0' && c <= '9'))
 		{
-		  length *= 10;
-		  length += c - '0';
+                  length = nlength;
+		  nlength *= 10;
+		  nlength += c - '0';
+
+                  if (length <= nlength)
+                    {
+                      length = nlength;
+                    }
+                  else
+                    {
+                      break; /* Overflow, stick with the old value. */
+                    }
 		}

 	      /* The next character is a space that is counted in the length
＠＠ -1120,7 +1130,15 ＠＠
 		free (saved_string);
 	      saved_string = (char *) xmalloc (length);
 	      for (i = 0; i < length; i++)
-		saved_string[i] = getc (infile);
+                {
+                  saved_string[i] = c = getc (infile);
+                  if (c == EOF)
+                    {
+                      saved_string[i] = '\0';
+                      fatal ("docstring ran off end of file: `%.50s ...'",
+                             saved_string);
+                    }
+                }
 	      /* The last character is a ^_.
 		 That is needed in the .elc file
 		 but it is redundant in DOC.  So get rid of it here.  */
＠＠ -1129,7 +1147,7 ＠＠
 	      while (c == '\n')
 		c = getc_skipping_iso2022 (infile);
 	      /* Skip the following line.  */
-	      while (c != '\n')
+	      while (c != '\n' && c != EOF)
 		c = getc_skipping_iso2022 (infile);
 	    }
 	  continue;
＠＠ -1167,7 +1185,7 ＠＠
 	      continue;
 	    }
 	  else
-	    while (c != ')')
+	    while (c != ')' && c != EOF)
 	      {
 		c = getc_skipping_iso2022 (infile);
 		if (c < 0)
diff -r 72c0d63b2ad6 -r 0ae4d70fef93 lisp/ChangeLog
--- a/lisp/ChangeLog	Wed Mar 15 22:54:10 2017 +0000
+++ b/lisp/ChangeLog	Thu Mar 16 00:40:32 2017 +0000
＠＠ -1,3 +1,12 ＠＠
+2017-03-15  Aidan Kehoe  <kehoea(a)parhasard.net&gt;
+
+	* make-docfile.el:
+	Don't bother working around a berkeley-unix and next-mach bug
+	that is likely long fixed anyway.
+	Print the stderr of make-docfile to the terminal instead of simply
+	discarding it.
+	Pass through make-docfile's exit code.
+
 2017-03-13  Aidan Kehoe  <kehoea(a)parhasard.net&gt;

 	* ChangeLog:
diff -r 72c0d63b2ad6 -r 0ae4d70fef93 lisp/make-docfile.el
--- a/lisp/make-docfile.el	Wed Mar 15 22:54:10 2017 +0000
+++ b/lisp/make-docfile.el	Thu Mar 16 00:40:32 2017 +0000
＠＠ -50,7 +50,7 ＠＠
 (defvar source-src (expand-file-name "../src" source-lisp))

 (defun message (fmt &rest args)
-  (write-sequence (apply #'format fmt args))
+  (apply #'format-into standard-output fmt args)
   (write-char ?\n))

 ;; Gobble up the stuff we don't wish to pass on.
＠＠ -236,35 +236,25 ＠＠
   (setq exec-path (list build-lib-src))

   ;; (locate-file-clear-hashing nil)
-  (if (memq system-type '(berkeley-unix next-mach))
-      ;; Suboptimal, but we have a unresolved bug somewhere in the
-      ;; low-level process code.  #### Now that we've switched to using
-      ;; the regular asynch process code, we should try removing this.
-      (call-process-internal
-       "/bin/csh"
-       nil
-       t
-       nil
-       "-fc"
-       (mapconcat
-	#'identity
-	(append
-	 (list (expand-file-name "make-docfile" build-lib-src))
-	 options processed)
-	" "))
-    ;; (message (prin1-to-string (append options processed)))
-    (apply 'call-process-internal
-	   ;; exec-path is set.
-	   ;; (expand-file-name "make-docfile" build-lib-src)
-	   "make-docfile"
-	   nil
-	   t
-	   nil
-	   (append options processed)))
-
-  (message "Spawning make-docfile ...done")
-  ;; (write-region-internal (point-min) (point-max) "/tmp/DOC")
-  )
+  ;; (message (prin1-to-string (append options processed)))
+  (let* ((standard-error (get-buffer-create
+                          (generate-new-buffer-name "stderr")))
+         (status
+          (apply 'call-process-internal
+                 ;; exec-path is set.
+                 ;; (expand-file-name "make-docfile" build-lib-src)
+                 "make-docfile"
+                 nil
+                 (list t standard-error)
+                 nil
+                 (append options processed))))
+    (if (equal status 0)
+        (message "%sSpawning make-docfile ...done"
+                 (buffer-substring nil nil standard-error))
+      (message "%sSpawning make-docfile ... error, failed with status %d."
+               (buffer-substring nil nil standard-error)
+               status))
+    (kill-emacs status)))

 (kill-emacs)

diff -r 72c0d63b2ad6 -r 0ae4d70fef93 src/ChangeLog
--- a/src/ChangeLog	Wed Mar 15 22:54:10 2017 +0000
+++ b/src/ChangeLog	Thu Mar 16 00:40:32 2017 +0000
＠＠ -1,3 +1,10 ＠＠
+2017-03-15  Aidan Kehoe  <kehoea(a)parhasard.net&gt;
+
+	* lread.c (read1):
+	If a #＠INTEGER docstring comment has an unreasonably large
+	INTEGER, error, instead of silently wrapping. Thank you for the
+	bug report, Hao Sun.
+
 2017-03-13  Aidan Kehoe  <kehoea(a)parhasard.net&gt;

 	* data.c (Flsh):
diff -r 72c0d63b2ad6 -r 0ae4d70fef93 src/lread.c
--- a/src/lread.c	Wed Mar 15 22:54:10 2017 +0000
+++ b/src/lread.c	Thu Mar 16 00:40:32 2017 +0000
＠＠ -2638,12 +2638,26 ＠＠
 	      /* #＠NUMBER is used to skip NUMBER following characters.
 		 That's used in .elc files to skip over doc strings
 		 and function definitions.  */
-	      int i, nskip = 0;
+	      UINT_32_BIT i, skip = 0, oskip = 0;

 	      /* Read a decimal integer.  */
 	      while ((c = readchar (readcharfun)) >= 0
 		     && c >= '0' && c <= '9')
-                nskip = (10 * nskip) + (c - '0');
+                {
+                  skip = (10 * skip) + (c - '0');
+                  if (oskip <= skip)
+                    {
+                      oskip = skip;
+                    }
+                  else
+                    {
+                      /* Overflow, error. */
+                      args_out_of_range_3 (make_unsigned_integer (skip),
+                                           Qzero, make_fixnum (0x3fffffff));
+                      break;
+                    }
+                }
+
 	      if (c >= 0)
 		unreadchar (readcharfun, c);

＠＠ -2652,7 +2666,7 ＠＠
 		 losing.  We handle this differently. */

 	      /* Skip that many characters.  */
-	      for (i = 0; i < nskip && c >= 0; i++)
+	      for (i = 0; i < skip && c >= 0; i++)
 		c = readchar (readcharfun);

 	      goto retry;
diff -r 72c0d63b2ad6 -r 0ae4d70fef93 tests/ChangeLog
--- a/tests/ChangeLog	Wed Mar 15 22:54:10 2017 +0000
+++ b/tests/ChangeLog	Thu Mar 16 00:40:32 2017 +0000
＠＠ -1,3 +1,8 ＠＠
+2017-03-16  Aidan Kehoe  <kehoea(a)parhasard.net&gt;
+
+	* automated/lisp-reader-tests.el (args-out-of-range):
+	Test we don't wrap on reading a C integer with long #＠ comments.
+
 2017-03-13  Aidan Kehoe  <kehoea(a)parhasard.net&gt;

 	* automated/completion-tests.el (featurep):
diff -r 72c0d63b2ad6 -r 0ae4d70fef93 tests/automated/lisp-reader-tests.el
--- a/tests/automated/lisp-reader-tests.el	Wed Mar 15 22:54:10 2017 +0000
+++ b/tests/automated/lisp-reader-tests.el	Thu Mar 16 00:40:32 2017 +0000
＠＠ -346,4 +346,8 ＠＠
 (Assert (equal "20000e-" (prin1-to-string '20000e-))
         "checking Lisp printer recognises non-number syntax, trailing -")

+;; Checking we don't overflow on long #＠ comments.
+
+(Check-Error args-out-of-range (read "#＠4294967296 hello"))
+
 ;;; end of lisp-reader-tests.el

-- 
‘As I sat looking up at the Guinness ad, I could never figure out /
How your man stayed up on the surfboard after forty pints of stout’
(C. Moore)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003