bug#11288: avoid buffer overrun in display code
From: Jim Meyering
Subject: bug#11288: avoid buffer overrun in display code
Date: Fri, 20 Apr 2012 13:42:05 +0200
This bug leads to a seemingly unterminated loop in swap_glyph_pointers,
when compiled with gcc-4.8.0 (from April 19 or newer).
At first I thought it was a code-gen bug and reported it as
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53053. But then Richard
Guenther guessed at the cause and Jakub Jelinek confirmed that the
seemingly-infinite-loop was in fact just part of the undefined behavior
we may now expect from buggy code.
2012-04-20 Jim Meyering <meyering@redhat.com>
* dispextern.h (glyph_row.used): Increase size by 1, to avoid buffer
overrun in swap_glyph_pointers, which reads and writes used[LAST_AREA].
Reported as a gcc bug http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53053
where Jakub Jelinek spotted the root cause.
=== modified file 'src/dispextern.h'
--- src/dispextern.h 2012-03-26 05:43:05 +0000
+++ src/dispextern.h 2012-04-20 11:14:29 +0000
@@ -748,7 +748,7 @@
struct glyph *glyphs[1 + LAST_AREA];
/* Number of glyphs actually filled in areas. */
- short used[LAST_AREA];
+ short used[1 + LAST_AREA];
/* Window-relative x and y-position of the top-left corner of this
row. If y < 0, this means that eabs (y) pixels of the row are
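Review bot: the comment above `used` still reads "Number of glyphs actually filled in areas", but after this hunk the array has one more slot than there are areas, and the ChangeLog says swap_glyph_pointers reads and writes that extra `used[LAST_AREA]` slot; add a sentence to the comment saying what that slot holds, or at least that `used` is deliberately sized to match `glyphs[1 + LAST_AREA]` on the line above, so a later reader does not "correct" the size back down and reintroduce the overrun.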
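The defect in this report is a struct whose two per-area arrays were declared with different extents, so that code touching slot `LAST_AREA` of both arrays ran one `short` past the end of `used`. The block below is an added example, not Emacs code: it models the fixed layout and shows two guards a maintainer can put around it. A `_Static_assert` ties the extents of `used` and `glyphs` together at compile time, and the swap loop takes its bound from the array itself instead of repeating a constant. `LAST_AREA` is the name from the patch; the `AREA_*` enumerators, `struct glyph`, and the helper functions are constructed for this example.

```c
/* Added example, not from Emacs.  Models the glyph_row fix from bug#11288:
   both per-area arrays are sized 1 + LAST_AREA, the equality of their
   extents is checked at compile time, and the swap loop cannot run past
   either array because its bound is derived from the array.  */
#include <stddef.h>
#include <stdio.h>

/* Constructed area enumeration; only LAST_AREA appears in the patch.  */
enum area { AREA_0, AREA_1, AREA_2, LAST_AREA };

struct glyph { int ch; };          /* constructed stand-in for Emacs's glyph */

struct glyph_row
{
  struct glyph *glyphs[1 + LAST_AREA];
  short used[1 + LAST_AREA];       /* was used[LAST_AREA] before the fix */
};

#define ARRAY_LEN(a) (sizeof (a) / sizeof (a)[0])

/* If someone shrinks one array without the other, the build fails here
   instead of the mismatch surfacing as undefined behavior at run time.  */
_Static_assert (ARRAY_LEN (((struct glyph_row *) 0)->used)
                == ARRAY_LEN (((struct glyph_row *) 0)->glyphs),
                "glyph_row.used and glyph_row.glyphs must have equal extents");

/* Number of per-area slots in a row (1 + LAST_AREA).  */
size_t
row_slot_count (void)
{
  return ARRAY_LEN (((struct glyph_row *) 0)->used);
}

/* Swap every slot of both arrays, including slot LAST_AREA.  The bound
   comes from the array, so it stays correct if the extent changes.  */
void
swap_glyph_pointers (struct glyph_row *a, struct glyph_row *b)
{
  for (size_t i = 0; i < ARRAY_LEN (a->used); ++i)
    {
      struct glyph *tg = a->glyphs[i];
      short tu = a->used[i];
      a->glyphs[i] = b->glyphs[i];
      a->used[i] = b->used[i];
      b->glyphs[i] = tg;
      b->used[i] = tu;
    }
}

/* Fill two rows with constructed values, swap them, and verify that the
   slot the old layout lacked (LAST_AREA) moved correctly and that a
   second swap restores the original contents.  Returns 1 on success.  */
int
swap_roundtrip_ok (void)
{
  struct glyph ga[1 + LAST_AREA], gb[1 + LAST_AREA];
  struct glyph_row a, b;
  for (size_t i = 0; i < row_slot_count (); ++i)
    {
      ga[i].ch = 'a';
      gb[i].ch = 'b';
      a.glyphs[i] = &ga[i];
      a.used[i] = (short) (10 + i);
      b.glyphs[i] = &gb[i];
      b.used[i] = (short) (20 + i);
    }
  swap_glyph_pointers (&a, &b);
  if (a.used[LAST_AREA] != 20 + LAST_AREA || b.used[LAST_AREA] != 10 + LAST_AREA)
    return 0;
  if (a.glyphs[LAST_AREA] != &gb[LAST_AREA])
    return 0;
  swap_glyph_pointers (&a, &b);
  for (size_t i = 0; i < row_slot_count (); ++i)
    if (a.used[i] != (short) (10 + i) || b.glyphs[i] != &gb[i])
      return 0;
  return 1;
}

int
main (void)
{
  printf ("slots per row: %zu, swap round trip %s\n",
          row_slot_count (), swap_roundtrip_ok () ? "ok" : "FAILED");
  return swap_roundtrip_ok () ? 0 : 1;
}
```

The original overrun was an intra-object one (a `short` past the end of `used`, still inside the enclosing struct), which is why it showed up as strange codegen rather than a crash; building with `-fsanitize=bounds` flags an out-of-range constant index into a fixed-size array like the pre-fix `used[LAST_AREA]` at run time, and the static assertion above turns the size mismatch into a build error before that.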