Package: emacs21
Version: 21.4a-1
Tags: patch

There is a bug in the decoding of Emacs-specific character composition
sequences, specifically those starting with ESC '4'.  If a file
contains a malformed version of such a sequence, Emacs running in
multibyte mode will abort while reading the file.

For example, creating a three-byte file containing ESC '4' NEWLINE is
enough to do it:

        $ /bin/echo -e '\0334' > badfile.txt
        $ od -t o1 badfile.txt
        0000000 033 064 012
        0000003
        $ emacs badfile.txt
        Fatal error (6).Aborted
        $ emacs --unibyte badfile.txt
        [ works fine ]

A couple of relevant patches, apparently both originally due to
Kenichi Handa <[EMAIL PROTECTED]>, were checked into the GNU Savannah CVS
tree in src/coding.c versions 1.294 and 1.299 a couple of years ago.
Here's a diff against Debian version 21.4a-1 (that also applies
cleanly to 21.4a-3) that incorporates these patches and fixes the
problem for me.

--- emacs21-21.4a/src/coding.c.orig     2006-02-12 13:24:10.000000000 -0800
+++ emacs21-21.4a/src/coding.c  2006-02-12 15:26:17.000000000 -0800
@@ -5319,6 +5319,10 @@
          enum composition_method method = (enum composition_method) data[3];
          Lisp_Object components;
 
+         if (data[0] < 0 || i + data[0] > cmp_data->used)
+           /* Invalid composition data.  */
+           break;
+
          if (method == COMPOSITION_RELATIVE)
            components = Qnil;
          else
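
Review bot: the added check rejects only `data[0] < 0`, so a record length of 0 through 3 still passes, yet `data[3]` is read as `method` in the declaration just above the check and `data[4 + j]` is read further down. Consider rejecting any length too short to hold the fields that are read, and moving the `method` initialisation below the check so that nothing is taken from a record before it has been validated against `cmp_data->used`. If `break` is meant to abandon all remaining composition records rather than skip only the bad one, the comment should say so.
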
@@ -5329,6 +5333,9 @@
              if (method == COMPOSITION_WITH_RULE_ALTCHARS
                  && len % 2 == 0)
                len --;
+             if (len < 1)
+               /* Invalid composition data.  */
+               break;
              for (j = 0; j < len; j++)
                args[j] = make_number (data[4 + j]);
              components = (method == COMPOSITION_WITH_ALTCHARS
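
Review bot: the new `len < 1` test bounds `len` only from below, while the loop directly after it writes `args[j]` for every `j < len`, and nothing in this hunk shows `len` being checked against the capacity of `args`. If `len` comes from the same untrusted record, add an upper bound next to `len < 1`, or a comment pointing at where that limit is already guaranteed. Both new comments read "Invalid composition data."; naming the condition that failed in each would make the two exits easier to tell apart.
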


-- 
Kevin Buhr <[EMAIL PROTECTED]>

