Re: Problem report #85 RESOLVED
From: Kenichi Handa
Subject: Re: Problem report #85 RESOLVED
Date: Thu, 11 May 2006 13:14:59 +0900
User-agent: SEMI/1.14.3 (Ushinoya) FLIM/1.14.2 (Yagi-Nishiguchi) APEL/10.2 Emacs/22.0.50 (i686-pc-linux-gnu) MULE/5.0 (SAKAKI)
In article <address@hidden>, Dan Nicolaescu <address@hidden> writes:
> CID: 85
> Checker: USE_AFTER_FREE (help)
> File: base/src/emacs/src/fileio.c
> Function: Finsert_file_contents
> Description: Using freed pointer "conversion_buffer"
> Event freed_arg: Pointer "conversion_buffer" freed by function "xfree" [model]
> Also see events: [double_free][double_free][use_after_free][use_after_free]
> 4326 xfree (conversion_buffer);
> 4327 coding_free_composition_data (&coding);
> At conditional (1): "how_much == -1" taking false path
> 4328 if (how_much == -1)
> 4329 error ("IO error reading %s: %s",
> 4330 SDATA (orig_filename), emacs_strerror (errno));
> At conditional (2): "how_much == -2" taking false path
> 4331 else if (how_much == -2)
> 4332 error ("maximum buffer size exceeded");
> 4333 }
This part of the code is surely suspicious. Now the
relevant code is this:
      /* At this point, INSERTED is how many characters (i.e. bytes)
	 are present in CONVERSION_BUFFER.
	 HOW_MUCH should equal TOTAL,
	 or should be <= 0 if we couldn't read the file.  */
      if (how_much < 0)
	{
	  xfree (conversion_buffer);
	  coding_free_composition_data (&coding);
	  if (how_much == -1)
	    error ("IO error reading %s: %s",
		   SDATA (orig_filename), emacs_strerror (errno));
	  else if (how_much == -2)
	    error ("maximum buffer size exceeded");
	}
I think we must always signal an error if how_much < 0.
And, I see no code setting how_much to -2 before there.
how_much is set to negative only if emacs_read returned a
negative value. In addition, we don't have to check for
exceeding the buffer size here (it's done later in insert_1).
So, I've just installed this change.
2006-05-11 Kenichi Handa <address@hidden>
* fileio.c (Finsert_file_contents): Fix for the case of IO error
while handling replace operation.
*** fileio.c 08 May 2006 13:13:09 +0900 1.564
--- fileio.c 11 May 2006 13:07:04 +0900
***************
*** 4325,4335 ****
{
xfree (conversion_buffer);
coding_free_composition_data (&coding);
! if (how_much == -1)
! error ("IO error reading %s: %s",
! SDATA (orig_filename), emacs_strerror (errno));
! else if (how_much == -2)
! error ("maximum buffer size exceeded");
}
/* Compare the beginning of the converted file
--- 4325,4332 ----
{
xfree (conversion_buffer);
coding_free_composition_data (&coding);
! error ("IO error reading %s: %s",
! SDATA (orig_filename), emacs_strerror (errno));
}
/* Compare the beginning of the converted file
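Review bot: errno is still read only after xfree and coding_free_composition_data have run (the new unconditional `error ("IO error reading %s: %s", SDATA (orig_filename), emacs_strerror (errno));` at the bottom of the hunk), and freeing memory can overwrite errno on some C libraries, so the message may name the wrong failure; save it first, e.g. `int saved_errno = errno;` at the top of the block, and pass `emacs_strerror (saved_errno)`. Dropping the `how_much == -2` branch matches the claim in the mail that nothing sets -2 here and that insert_1 checks the buffer size; a one-line comment saying so above the `error` call would stop the next reader from re-adding the branch. The comment above the block, quoted earlier in the mail, still says HOW_MUCH "should be <= 0 if we couldn't read the file" while the test is `how_much < 0`; consider aligning it to "< 0".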
---
Kenichi Handa
address@hidden
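As an added example, not code from the Emacs source or from this thread, the following C program models the control flow discussed above: a buffer is freed inside an `if (how_much < 0)` block, and the old shape of the code only signals an error for two specific negative values, so any other negative value falls out of the block and the next statement touches freed memory. The names `sim_read`, `insert_replace` and the `outcome` enum are assumptions made for the example; `sim_read` stands in for emacs_read and can be told which negative value to return, and the function reports the outcome it reached instead of actually dereferencing the freed pointer, which would be undefined behaviour. The corrected shape also saves errno before the free, since a free can change errno on some C libraries.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical outcomes for the example (not an Emacs type). */
enum outcome { INSERTED = 0, ERROR_SIGNALED = 1, USED_AFTER_FREE = 2 };

/* Stand-in for emacs_read (assumption for the example).  Fills BUF, or
   fails by setting errno to FAIL_ERRNO and returning FAIL_RET.  A real
   read() returns only -1 on error; a different negative value is allowed
   here so the test can walk the path the checker reported: how_much < 0
   but neither -1 nor -2.  */
static long
sim_read (char *buf, long n, long fail_ret, int fail_errno)
{
  if (fail_ret < 0)
    {
      errno = fail_errno;
      return fail_ret;
    }
  memset (buf, 'x', (size_t) n);
  return n;
}

/* Models the replace path of Finsert_file_contents (hypothetical name).
   FIXED == 0 keeps the old shape: free, then two specific `if`s.
   FIXED != 0 is the corrected shape: free, then an unconditional error.
   MSG receives the error text.  Instead of using freed memory, the
   function returns USED_AFTER_FREE when control reaches the first use
   of conversion_buffer after it was freed.  */
static enum outcome
insert_replace (int fixed, long fail_ret, int fail_errno,
                char *msg, size_t msglen)
{
  char *conversion_buffer = malloc (64);
  int freed = 0;
  long how_much;

  msg[0] = '\0';
  if (!conversion_buffer)
    return ERROR_SIGNALED;

  how_much = sim_read (conversion_buffer, 64, fail_ret, fail_errno);
  if (how_much < 0)
    {
      /* Capture errno before freeing: free() may clobber it.  */
      int saved_errno = errno;

      free (conversion_buffer);
      freed = 1;

      if (fixed)
        {
          /* Every negative how_much is a read failure: always signal.  */
          snprintf (msg, msglen, "IO error reading file: %s",
                    strerror (saved_errno));
          return ERROR_SIGNALED;
        }
      if (how_much == -1)
        {
          snprintf (msg, msglen, "IO error reading file: %s",
                    strerror (saved_errno));
          return ERROR_SIGNALED;
        }
      else if (how_much == -2)
        {
          snprintf (msg, msglen, "maximum buffer size exceeded");
          return ERROR_SIGNALED;
        }
      /* Old shape, any other negative value: neither branch signals,
         so execution leaves the block with the buffer already freed.  */
    }

  /* "Compare the beginning of the converted file": the first use of
     conversion_buffer after the block.  */
  if (freed)
    return USED_AFTER_FREE;

  if (conversion_buffer[0] != 'x')
    {
      free (conversion_buffer);
      return ERROR_SIGNALED;
    }
  free (conversion_buffer);
  return INSERTED;
}

int
main (void)
{
  char msg[128];
  printf ("old shape, read returns -3: %d\n",
          insert_replace (0, -3, EIO, msg, sizeof msg));
  printf ("fixed shape, read returns -3: %d (%s)\n",
          insert_replace (1, -3, EIO, msg, sizeof msg), msg);
  return 0;
}
```

The injected value -3 is the case the checker reasoned about: a negative read result that is neither -1 nor -2. With the old shape it reaches the use after the block; with the corrected shape every negative result is signaled before the buffer can be touched again.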