[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

editfns.c

To: mule-ja@xxxxxxxx
Subject: editfns.c
From: Shigeru Yasuda <yasuda@xxxxxxxxxxxxxxxx>
Date: Fri, 26 Mar 2004 18:41:28 +0900 (JST)
List-help: <mailto:mule-ja-ctl@m17n.org?body=help>
List-id: mule-ja.m17n.org
List-owner: <mailto:mule-ja-admin@m17n.org>
List-post: <mailto:mule-ja@m17n.org>
List-software: fml [fml 4.0.1]
List-unsubscribe: <mailto:mule-ja-ctl@m17n.org?body=unsubscribe>
Organization: NEC Corporation, Fuchu Tokyo Japan
Reply-to: mule-ja@xxxxxxxx

やすだ@NEC です。

Emacs current の editfns.c ですが、buffer overflow しているように
見えます。

とりあえず以下のパッチで回避してますが、領域を増やすのが正しいのか、
ループ回数を減らすのが正しいのか、どちらでしょうか?

Index: editfns.c
===================================================================
RCS file: /cvsroot/emacs/emacs/src/editfns.c,v
retrieving revision 1.369
diff --unified=10 -r1.369 editfns.c
--- editfns.c	25 Mar 2004 18:05:29 -0000	1.369
+++ editfns.c	26 Mar 2004 09:28:45 -0000
@@ -3269,21 +3269,21 @@
   format = SDATA (args[0]);
   format_start = format;
   end = format + SBYTES (args[0]);
   longest_format = 0;
 
   /* Make room in result for all the non-%-codes in the control string.  */
   total = 5 + CONVERTED_BYTE_SIZE (multibyte, args[0]);
 
   /* Allocate the info and discarded tables.  */ 
   {
-    int nbytes = nargs * sizeof *info;
+    int nbytes = (nargs + 1) * sizeof *info;
     int i;
     info = (struct info *) alloca (nbytes);
     bzero (info, nbytes);
     for (i = 0; i <= nargs; i++)
       info[i].start = -1;
     discarded = (char *) alloca (SBYTES (args[0]));
     bzero (discarded, SBYTES (args[0]));
   }
 
   /* Add to TOTAL enough space to hold the converted arguments.  */

--
やすだ

Follow-Ups:
- Re: editfns.c
  - From: Kenichi Handa

Prev by Date: Re: emacs-21.3.50 Cygwin/XFree86 patch はどこへ？
Next by Date: Re: editfns.c
Previous by thread: Re: emacs-21.3.50 Cygwin/XFree86 patch はどこへ？
Next by thread: Re: editfns.c
Index(es):
- Date
- Thread