Patch fixing buffer overflow in trunk
From: Bernhard Herzog
Subject: Patch fixing buffer overflow in trunk
Date: Tue, 04 May 2010 17:14:41 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)
Hi,
since yesterday I've been running into crashes when starting emacs from
bzr trunk that seemed to depend on the current working directory.
E.g. starting from one particular directory would lead to a practically
immediate crash with the output:
*** glibc detected *** emacs: malloc(): memory corruption: 0x086c6c90 ***
======= Backtrace: =========
/lib/libc.so.6[0xb7505845]
Changing into another directory, e.g. the parent directory of the one
where it just failed, would solve the problem and emacs would start.
Investigating further, it seemed to depend on the length of the absolute
name of the current directory. And a little bisecting in the bzr
history showed that the defect was introduced in revision 100117 in the
following lines:
--- src/xsmfns.c 2010-02-10 09:29:28 +0000
+++ src/xsmfns.c 2010-05-02 18:44:04 +0000
@@ -246,7 +251,19 @@
props[props_idx]->vals[2].length = strlen (NOSPLASH_OPT);
props[props_idx]->vals[2].value = NOSPLASH_OPT;
- val_idx += 3;
+
+ cwd = get_current_dir_name ();
+ if (cwd)
+ {
+ chdir_opt = xmalloc (strlen (CHDIR_OPT) + strlen (client_id) + 1);
+ strcpy (chdir_opt, CHDIR_OPT);
+ strcat (chdir_opt, cwd);
+
+ props[props_idx]->vals[3].length = strlen (chdir_opt);
+ props[props_idx]->vals[3].value = chdir_opt;
+ }
+
+ val_idx += cwd ? 4 : 3;
++props_idx;
/* User id. */
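Review bot: The xmalloc call in the added block sizes chdir_opt from strlen (client_id), but the strcat two lines later copies cwd into it, so any working directory name longer than client_id is written past the end of the allocation. Size the buffer from the string that is actually copied, strlen (CHDIR_OPT) + strlen (cwd) + 1. Also, nothing in these lines releases the buffer returned by get_current_dir_name (), which glibc allocates with malloc, so check that cwd is freed after the last use in val_idx += cwd ? 4 : 3.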
Clearly, that strlen (client_id) should actually be strlen (cwd). The
patch below fixes this.
Bernhard
=== modified file 'src/xsmfns.c'
--- src/xsmfns.c 2010-05-02 18:44:04 +0000
+++ src/xsmfns.c 2010-05-04 14:33:08 +0000
@@ -255,7 +255,7 @@
cwd = get_current_dir_name ();
if (cwd)
{
- chdir_opt = xmalloc (strlen (CHDIR_OPT) + strlen (client_id) + 1);
+ chdir_opt = xmalloc (strlen (CHDIR_OPT) + strlen (cwd) + 1);
strcpy (chdir_opt, CHDIR_OPT);
strcat (chdir_opt, cwd);
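Review bot: The size expression on the changed xmalloc line and the strcpy/strcat pair below it are still kept in agreement by hand, which is how the client_id slip went unnoticed in the first place. The corrected size is right for what is copied; to keep it that way, compute the combined length once into a local, allocate length + 1, and reuse the same value for vals[3].length rather than calling strlen (chdir_opt) again.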