From 8aec9916dd8213e2efc77ec32cb57256e1f332be Mon Sep 17 00:00:00 2001
From: Jim Meyering
Date: Sun, 30 Jan 2011 10:17:36 +0100
Subject: [PATCH] make-docfile: don't corrupt heap for an invalid .elc file

---
 lib-src/ChangeLog      |  8 ++++++++
 lib-src/make-docfile.c | 12 +++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/lib-src/ChangeLog b/lib-src/ChangeLog
index bc76c253ab3..6428819daa3 100644
--- a/lib-src/ChangeLog
+++ b/lib-src/ChangeLog
@@ -1,3 +1,11 @@
+2011-01-30  Jim Meyering
+
+	make-docfile: don't corrupt heap for an invalid .elc file
+	"printf '#@1a' > in.elc; ./make-docfile in.elc" would store 0
+	one byte before just-malloc'd saved_string buffer.
+	* make-docfile.c (scan_lisp_file): Diagnose an invalid dynamic
+	doc string length.  Also fix an always-false while-loop test.
+
 2011-01-29  Eli Zaretskii
 
 	* makefile.w32-in (LOCAL_FLAGS): Add -I../lib.
diff --git a/lib-src/make-docfile.c b/lib-src/make-docfile.c
index 0872f9728a2..8addbda0489 100644
--- a/lib-src/make-docfile.c
+++ b/lib-src/make-docfile.c
@@ -873,8 +873,8 @@ scan_lisp_file (const char *filename, const char *mode)
       c = getc (infile);
       if (c == '@')
         {
-          int length = 0;
-          int i;
+          size_t length = 0;
+          size_t i;
 
           /* Read the length.  */
           while ((c = getc (infile),
@@ -884,6 +884,12 @@ scan_lisp_file (const char *filename, const char *mode)
               length += c - '0';
             }
 
+          if (length <= 1)
+            fatal ("invalid dynamic doc string length", "");
+
+          if (c != ' ')
+            fatal ("space not found after dynamic doc string length", "");
+
           /* The next character is a space that is counted in the length
              but not part of the doc string.  We already read it, so just
              ignore it.  */
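Review bot: The new `length <= 1` check rejects a zero or one-byte length, but nothing bounds how large the accumulated length can grow: `length += c - '0';` (and presumably a multiply by 10 in the elided part of the digit loop) now operates on a `size_t` (hunk at -873), so a long run of digits wraps silently rather than overflowing, and the wrapped value passes both new checks and reaches whatever allocates `length` bytes further down. A guard on the accumulation, e.g. `if (length > (SIZE_MAX - 9) / 10) fatal ("dynamic doc string length too large", "");` before the multiply, or a fixed sanity cap on the doc string size, would make the length fully validated at this point. A one-line comment above `if (length <= 1)` would also help, saying that the count includes the trailing space, so `length - 1` is the string's byte count and 0 or 1 would index before the buffer. The rest of the digit loop and the body of scan_lisp_file lie outside these hunks.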
@@ -899,7 +905,7 @@ scan_lisp_file (const char *filename, const char *mode)
              but it is redundant in DOC.  So get rid of it here.  */
           saved_string[length - 1] = 0;
           /* Skip the line break.  */
-          while (c == '\n' && c == '\r')
+          while (c == '\n' || c == '\r')
             c = getc (infile);
           /* Skip the following line.  */
           while (c != '\n' && c != '\r')
-- 
2.11.4.GIT
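Review bot: The corrected `while (c == '\n' || c == '\r')` loop terminates on EOF, since EOF compares unequal to both characters, but the loop that follows it, `while (c != '\n' && c != '\r')`, has the opposite sense and will spin forever on a truncated file if its body (outside the hunk) is just `c = getc (infile);`, because getc keeps returning EOF. The condition should include the terminator, `while (c != '\n' && c != '\r' && c != EOF)`, with EOF there treated as a malformed-file error via `fatal` rather than silently continuing. The enclosing scan_lisp_file continues past the hunk, so the second loop's body and what follows it could not be checked here.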