GNU bug report logs - #72245
[PATCH] Fix integer overflow when reading XPM


Package: emacs; Severity: minor; Reported by: Stefan Kangas <stefankangas@HIDDEN>; Keywords: patch; dated Mon, 22 Jul 2024 14:37:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 72245 <at> debbugs.gnu.org:


Date: Tue, 23 Jul 2024 20:54:52 +0300
Message-Id: <86jzhc8043.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Andreas Schwab <schwab@HIDDEN>
In-Reply-To: <87msm83t4r.fsf@HIDDEN> (message from Andreas Schwab on Tue,
 23 Jul 2024 19:39:16 +0200)
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
Cc: luangruo@HIDDEN, 72245 <at> debbugs.gnu.org, stefankangas@HIDDEN

> From: Andreas Schwab <schwab@HIDDEN>
> Cc: Stefan Kangas <stefankangas@HIDDEN>,  luangruo@HIDDEN,
>   72245 <at> debbugs.gnu.org
> Date: Tue, 23 Jul 2024 19:39:16 +0200
> 
> On Jul 23 2024, Eli Zaretskii wrote:
> 
> > That file doesn't cause a crash on MS-Windows, FWIW, but the code
> > which processes XPM images in Emacs on Windows is very different.
> 
> The absence of a crash does not prove anything, though.

It isn't the absence of a crash alone.  I see an error message in
*Messages* saying the XPM image is invalid, and the window shows an
empty rectangle, as always with invalid images.  So Emacs actually
detects that the image is invalid, announces that, and doesn't try to
show it on the screen.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


From: Andreas Schwab <schwab@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
In-Reply-To: <86wmlc86ne.fsf@HIDDEN> (Eli Zaretskii's message of "Tue, 23 Jul
 2024 18:33:41 +0300")
Date: Tue, 23 Jul 2024 19:39:16 +0200
Message-ID: <87msm83t4r.fsf@HIDDEN>
Cc: luangruo@HIDDEN, 72245 <at> debbugs.gnu.org,
 Stefan Kangas <stefankangas@HIDDEN>

On Jul 23 2024, Eli Zaretskii wrote:

> That file doesn't cause a crash on MS-Windows, FWIW, but the code
> which processes XPM images in Emacs on Windows is very different.

The absence of a crash does not prove anything, though.

-- 
Andreas Schwab, schwab@HIDDEN
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


Date: Tue, 23 Jul 2024 18:39:04 +0300
Message-Id: <86v80w86ef.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Po Lu <luangruo@HIDDEN>
In-Reply-To: <877cdcxhqa.fsf@HIDDEN> (bug-gnu-emacs@HIDDEN)
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
Cc: 72245 <at> debbugs.gnu.org, stefankangas@HIDDEN

> Cc: 72245 <at> debbugs.gnu.org
> Date: Tue, 23 Jul 2024 23:15:09 +0800
> From:  Po Lu via "Bug reports for GNU Emacs,
>  the Swiss army knife of text editors" <bug-gnu-emacs@HIDDEN>
> 
> > Since we don't have an alternative patch, I will install the one I
> > proposed in the next couple of days.  Thanks.
> 
> It is correctly implemented as it stands.  You are essentially proposing
> to have code that has not posed difficulties be needlessly complicated
> with ugly pedantic error-checking.

This crosses the line.  Stefan is one of the Emacs co-maintainers, and
as such, it's his prerogative to decide to install code changes.  You
have made your point, and abundantly so.  Your opinions have been
heard and overruled.  Please accept that.  There's no need and no
point to say what you think time and again, let alone in harsh words.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


Date: Tue, 23 Jul 2024 18:33:41 +0300
Message-Id: <86wmlc86ne.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <CADwFkmnrkyOXg+jK8hviCJaXH5xP_9Q3Zh7YLzaPPjzZ8R120Q@HIDDEN>
 (message from Stefan Kangas on Tue, 23 Jul 2024 07:51:29 -0700)
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
Cc: luangruo@HIDDEN, 72245 <at> debbugs.gnu.org

> Cc: 72245 <at> debbugs.gnu.org
> From: Stefan Kangas <stefankangas@HIDDEN>
> Date: Tue, 23 Jul 2024 07:51:29 -0700
> 
> That said, since you are asking, we are indeed discussing security
> sensitive code, that is executed without prompting, for example, when
> users receive emails or browse the web.

Only in some MUAs, yes?  For example, Rmail doesn't by default show
the images (or any other attachments), it requires a user action to do
so.

> XPM being a relatively simple format, I'm sure that this code can be
> fully audited.  I invite you to do so, and I'm hoping that this will
> reveal that your faith in this code is well-founded.  Meanwhile, I
> reported an unrelated crash in XPM image processing in Bug#72255.

That file doesn't cause a crash on MS-Windows, FWIW, but the code
which processes XPM images in Emacs on Windows is very different.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


From: Po Lu <luangruo@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
In-Reply-To: <CADwFkmnrkyOXg+jK8hviCJaXH5xP_9Q3Zh7YLzaPPjzZ8R120Q@HIDDEN>
 (Stefan Kangas's message of "Tue, 23 Jul 2024 07:51:29 -0700")
Date: Tue, 23 Jul 2024 23:15:09 +0800
Message-ID: <877cdcxhqa.fsf@HIDDEN>
Cc: 72245 <at> debbugs.gnu.org

Stefan Kangas <stefankangas@HIDDEN> writes:

> Po Lu <luangruo@HIDDEN> writes:
>
>> I'm saying that there is nothing to be done.  This change is needless,
>> and the report should be closed, whatever opinions the security theater
>> might hold on the matter.
>
> I wasn't the one that started a subthread about security.  You did.
>
> The primary consideration here is correctness.  Undefined behaviour is
> generally undesirable, and is a source of both bugs and security issues
> in the wild.  This is not "security theater", but a fact.  No amount of
> handwaving or throwing expletives around will make it go away.

Why don't you begin by deleting the undefined behavior in mark_memory?
By definition, after having executed undefined behavior once, all of the
future behavior of a C program becomes undefined.  For this reason
alone, it is meaningless to speak of undefined behavior in Emacs, only
whether specific behavior produces _actual_ crashes or corruption.

> That said, since you are asking, we are indeed discussing security
> sensitive code, that is executed without prompting, for example, when
> users receive emails or browse the web.  We are also discussing image
> processing, an area that is notorious for the bugs and security issues
> that tend to lurk in its many complexities.  On the CWE-190 page that I
> linked, there are several examples of integer overflow in image
> processing that has led to very real exploits.  This is not some
> academic issue.
>
> Whether or not anyone has demonstrated that Emacs can be exploited using
> this vector frankly misses the point.  Let's start with making Emacs
> behave correctly and predictably in the face of invalid input.  This
> really is the bare minimum.  Then we can discuss whether or not we have
> more work to do, security implications, and all the rest of it.

It behaves as correctly and predictably as it should: it does not crash.

> XPM being a relatively simple format, I'm sure that this code can be
> fully audited.  I invite you to do so, and I'm hoping that this will
> reveal that your faith in this code is well-founded.  Meanwhile, I
> reported an unrelated crash in XPM image processing in Bug#72255.
>
> Since we don't have an alternative patch, I will install the one I
> proposed in the next couple of days.  Thanks.

It is correctly implemented as it stands.  You are essentially proposing
to have code that has not posed difficulties be needlessly complicated
with ugly pedantic error-checking.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <87bk2oyavb.fsf@HIDDEN>
Date: Tue, 23 Jul 2024 07:51:29 -0700
Message-ID: <CADwFkmnrkyOXg+jK8hviCJaXH5xP_9Q3Zh7YLzaPPjzZ8R120Q@HIDDEN>
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
To: Po Lu <luangruo@HIDDEN>
Cc: 72245 <at> debbugs.gnu.org

Po Lu <luangruo@HIDDEN> writes:

> I'm saying that there is nothing to be done.  This change is needless,
> and the report should be closed, whatever opinions the security theater
> might hold on the matter.

I wasn't the one that started a subthread about security.  You did.

The primary consideration here is correctness.  Undefined behaviour is
generally undesirable, and is a source of both bugs and security issues
in the wild.  This is not "security theater", but a fact.  No amount of
handwaving or throwing expletives around will make it go away.

That said, since you are asking, we are indeed discussing security
sensitive code, that is executed without prompting, for example, when
users receive emails or browse the web.  We are also discussing image
processing, an area that is notorious for the bugs and security issues
that tend to lurk in its many complexities.  On the CWE-190 page that I
linked, there are several examples of integer overflow in image
processing that has led to very real exploits.  This is not some
academic issue.

Whether or not anyone has demonstrated that Emacs can be exploited using
this vector frankly misses the point.  Let's start with making Emacs
behave correctly and predictably in the face of invalid input.  This
really is the bare minimum.  Then we can discuss whether or not we have
more work to do, security implications, and all the rest of it.

XPM being a relatively simple format, I'm sure that this code can be
fully audited.  I invite you to do so, and I'm hoping that this will
reveal that your faith in this code is well-founded.  Meanwhile, I
reported an unrelated crash in XPM image processing in Bug#72255.

Since we don't have an alternative patch, I will install the one I
proposed in the next couple of days.  Thanks.
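
Added example, not part of the thread and not the patch under discussion or Emacs's own code: a C illustration of reading an XPM values line with checked arithmetic, next to an unchecked accumulator that wraps silently, which is why the absence of a crash says little about correctness. All names (`xpm_parse_values`, `xpm_wrapping_uint`, `max_pixels`) are hypothetical, the sample inputs are constructed, and a 32-bit `int` is assumed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not code from Emacs's image.c. */
enum xpm_status { XPM_OK = 0, XPM_SYNTAX, XPM_RANGE, XPM_TOO_BIG };

struct xpm_values {
    int width, height, ncolors, chars_per_pixel;
    size_t pixel_count;  /* width * height */
    size_t row_chars;    /* width * chars_per_pixel */
};

static const char *skip_blanks(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* Unchecked digit accumulation.  Done in uint32_t so the wrap-around is
   well defined and can be shown safely; the same loop on a signed int is
   undefined behaviour once the value passes INT_MAX. */
uint32_t xpm_wrapping_uint(const char *s)
{
    uint32_t v = 0;
    for (s = skip_blanks(s); *s >= '0' && *s <= '9'; s++)
        v = (uint32_t)(v * 10u + (uint32_t)(*s - '0'));
    return v;
}

/* Checked version: test before multiplying, so overflow never happens. */
static enum xpm_status parse_int(const char **s, int *out)
{
    const char *p = skip_blanks(*s);
    int v = 0;

    if (*p < '0' || *p > '9')
        return XPM_SYNTAX;
    for (; *p >= '0' && *p <= '9'; p++) {
        int d = *p - '0';
        if (v > (INT_MAX - d) / 10)   /* v * 10 + d would exceed INT_MAX */
            return XPM_RANGE;
        v = v * 10 + d;
    }
    *s = p;
    *out = v;
    return XPM_OK;
}

/* Multiply two sizes, reporting failure instead of wrapping. */
static bool mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Parse "<width> <height> <ncolors> <chars_per_pixel>"; any optional
   trailing fields are ignored.  max_pixels is a caller-chosen limit. */
enum xpm_status xpm_parse_values(const char *s, size_t max_pixels,
                                 struct xpm_values *v)
{
    int *fields[4] = { &v->width, &v->height, &v->ncolors,
                       &v->chars_per_pixel };

    for (int i = 0; i < 4; i++) {
        enum xpm_status st = parse_int(&s, fields[i]);
        if (st != XPM_OK)
            return st;
        if (*fields[i] <= 0)
            return XPM_RANGE;
    }
    if (!mul_size((size_t)v->width, (size_t)v->height, &v->pixel_count)
        || !mul_size((size_t)v->width, (size_t)v->chars_per_pixel,
                     &v->row_chars)
        || v->pixel_count > max_pixels)
        return XPM_TOO_BIG;
    return XPM_OK;
}

int main(void)
{
    /* Constructed inputs, not taken from the bug report. */
    const char *samples[] = { "16 16 2 1", "4294967297 16 2 1",
                              "65536 65536 2 1", "16 x 2 1" };
    struct xpm_values v;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> status %d (unchecked width would be %u)\n",
               samples[i], (int)xpm_parse_values(samples[i], 1u << 24, &v),
               (unsigned)xpm_wrapping_uint(samples[i]));
    return 0;
}
```

The second sample is the interesting one: the unchecked accumulator turns a width of 4294967297 into 1 without any crash, while the checked parser rejects it as out of range.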




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


Received: (at 72245) by debbugs.gnu.org; 23 Jul 2024 04:46:15 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jul 23 00:46:15 2024
Received: from localhost ([127.0.0.1]:58937 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sW7Pj-0001eY-1a
	for submit <at> debbugs.gnu.org; Tue, 23 Jul 2024 00:46:15 -0400
Received: from sonic312-25.consmr.mail.ne1.yahoo.com ([66.163.191.206]:34948)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <luangruo@HIDDEN>) id 1sW7Pc-0001e4-At
 for 72245 <at> debbugs.gnu.org; Tue, 23 Jul 2024 00:46:13 -0400
X-Sonic-MF: <luangruo@HIDDEN>
X-Sonic-ID: 3d98326b-ac00-4711-974f-77e2fa5252ec
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic312.consmr.mail.ne1.yahoo.com with HTTP; Tue, 23 Jul 2024 04:45:57 +0000
Received: by hermes--production-sg3-85fdb5cfc8-gthtg (Yahoo Inc. Hermes SMTP
 Server) with ESMTPA ID b819abdd08ed92135e61e0019dcebbf0; 
 Tue, 23 Jul 2024 04:45:51 +0000 (UTC)
From: Po Lu <luangruo@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
In-Reply-To: <CADwFkmkDDtfrc=ciXnbi6qQ0G7R=x7TeoO6mipWrt+e6Dhk43A@HIDDEN>
 (Stefan Kangas's message of "Mon, 22 Jul 2024 21:12:44 -0700")
References: <CADwFkmmJBqJ7JcgcPrRkEaWhGd6GCnF2OdJ5aCVxQe_7zTt6Zw@HIDDEN>
 <s54o76oooae.fsf@HIDDEN>
 <CADwFkmnbt2xGfZ+J4i4x=hBxNAiCJg80_hSMy8Yafe9EPNoEBA@HIDDEN>
 <87frs0ydv6.fsf@HIDDEN>
 <CADwFkmkDDtfrc=ciXnbi6qQ0G7R=x7TeoO6mipWrt+e6Dhk43A@HIDDEN>
Date: Tue, 23 Jul 2024 12:45:44 +0800
Message-ID: <87bk2oyavb.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Mailer: WebService/1.1.22501
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 650
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 72245
Cc: 72245 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Stefan Kangas <stefankangas@HIDDEN> writes:

> Po Lu <luangruo@HIDDEN> writes:
>
>> Otherwise I can find no reason to substantially reinvent the wheel and
>> complicate image.c with a pedantic 10-line function for reading
>> numbers with overflow checking, implementations of which already
>> abound in that file in one shape or another.
>
> Thanks, but this diatribe doesn't really help.  If you think you can do
> a better job, then fine by me.  Please show us the patch.

I'm saying that there is nothing to be done.  This change is needless,
and the report should be closed, whatever opinions the security theater
might hold on the matter.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


Received: (at 72245) by debbugs.gnu.org; 23 Jul 2024 04:13:58 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jul 23 00:13:58 2024
Received: from localhost ([127.0.0.1]:58930 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sW6uU-0000sD-3j
	for submit <at> debbugs.gnu.org; Tue, 23 Jul 2024 00:13:58 -0400
Received: from mail-ed1-f46.google.com ([209.85.208.46]:54287)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@HIDDEN>) id 1sW6uR-0000rz-DK
 for 72245 <at> debbugs.gnu.org; Tue, 23 Jul 2024 00:13:56 -0400
Received: by mail-ed1-f46.google.com with SMTP id
 4fb4d7f45d1cf-5a108354819so4620473a12.0
 for <72245 <at> debbugs.gnu.org>; Mon, 22 Jul 2024 21:13:51 -0700 (PDT)
X-Received: by 2002:a05:6402:11cf:b0:5a2:eab0:4a with SMTP id
 4fb4d7f45d1cf-5a479b70b58mr6642904a12.24.1721707965409; Mon, 22 Jul 2024
 21:12:45 -0700 (PDT)
Received: from 753933720722 named unknown by gmailapi.google.com with
 HTTPREST; Mon, 22 Jul 2024 21:12:44 -0700
From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <87frs0ydv6.fsf@HIDDEN>
References: <CADwFkmmJBqJ7JcgcPrRkEaWhGd6GCnF2OdJ5aCVxQe_7zTt6Zw@HIDDEN>
 <s54o76oooae.fsf@HIDDEN>
 <CADwFkmnbt2xGfZ+J4i4x=hBxNAiCJg80_hSMy8Yafe9EPNoEBA@HIDDEN>
 <87frs0ydv6.fsf@HIDDEN>
MIME-Version: 1.0
Date: Mon, 22 Jul 2024 21:12:44 -0700
Message-ID: <CADwFkmkDDtfrc=ciXnbi6qQ0G7R=x7TeoO6mipWrt+e6Dhk43A@HIDDEN>
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
To: Po Lu <luangruo@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 72245
Cc: 72245 <at> debbugs.gnu.org

Po Lu <luangruo@HIDDEN> writes:

> Otherwise I can find no reason to substantially reinvent the wheel and
> complicate image.c with a pedantic 10-line function for reading
> numbers with overflow checking, implementations of which already
> abound in that file in one shape or another.

Thanks, but this diatribe doesn't really help.  If you think you can do
a better job, then fine by me.  Please show us the patch.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


Received: (at 72245) by debbugs.gnu.org; 23 Jul 2024 03:41:28 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jul 22 23:41:28 2024
Received: from localhost ([127.0.0.1]:58882 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sW6P2-0008UX-7f
	for submit <at> debbugs.gnu.org; Mon, 22 Jul 2024 23:41:28 -0400
Received: from sonic305-22.consmr.mail.ne1.yahoo.com ([66.163.185.148]:37368)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <luangruo@HIDDEN>) id 1sW6Oz-0008UG-Bc
 for 72245 <at> debbugs.gnu.org; Mon, 22 Jul 2024 23:41:27 -0400
X-Sonic-MF: <luangruo@HIDDEN>
X-Sonic-ID: 978d049a-c3e1-433c-8398-b372f29beb11
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic305.consmr.mail.ne1.yahoo.com with HTTP; Tue, 23 Jul 2024 03:41:14 +0000
Received: by hermes--production-sg3-85fdb5cfc8-shhxl (Yahoo Inc. Hermes SMTP
 Server) with ESMTPA ID 3a90141331330bf294596d57e75e9133; 
 Tue, 23 Jul 2024 03:41:07 +0000 (UTC)
From: Po Lu <luangruo@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
In-Reply-To: <CADwFkmnbt2xGfZ+J4i4x=hBxNAiCJg80_hSMy8Yafe9EPNoEBA@HIDDEN>
 (Stefan Kangas's message of "Mon, 22 Jul 2024 20:04:23 -0700")
References: <CADwFkmmJBqJ7JcgcPrRkEaWhGd6GCnF2OdJ5aCVxQe_7zTt6Zw@HIDDEN>
 <s54o76oooae.fsf@HIDDEN>
 <CADwFkmnbt2xGfZ+J4i4x=hBxNAiCJg80_hSMy8Yafe9EPNoEBA@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
Date: Tue, 23 Jul 2024 11:41:01 +0800
Message-ID: <87frs0ydv6.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Mailer: WebService/1.1.22501
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 1033
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 72245
Cc: 72245 <at> debbugs.gnu.org

Stefan Kangas <stefankangas@HIDDEN> writes:

> Po Lu <luangruo@HIDDEN> writes:
>
>> Stefan Kangas <stefankangas@HIDDEN> writes:
>>
>>> Severity: minor
>>>
>>> Since XPM files are untrusted input, I think we'd better handle
>>> integer
>>> overflow when parsing it, in case the file is malformed.
>>>
>>> Proposed patch attached.
>>
>> What are the security implications of accepting whatever scanf produces
>> in the event of an overflow?
>
> There is a good summary here:
>
>     https://cwe.mitre.org/data/definitions/190.html

I'm asking which component of xpm_load_image is not adequately prepared
to reject excessive values of these image dimension fields, for the
immediately adjacent statements verify that width, height, num_colors,
and chars_per_pixel are not invalid.  Otherwise I can find no reason to
substantially reinvent the wheel and complicate image.c with a pedantic
10-line function for reading numbers with overflow checking,
implementations of which already abound in that file in one shape or
another.
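
An added illustration of the overflow-checked number reading debated in this thread; it is not the proposed patch and not code from image.c. The helper names, the struct and the sanity checks are assumptions made for the example; only the four field names come from the messages above.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not from image.c): read one decimal int from *s
   and advance *s past it.  With sscanf's %d, a value that does not fit
   in int gives undefined behaviour per the C standard; strtol instead
   reports the condition, so the caller can reject the file.  */
static bool
xpm_read_int (const char **s, int *out)
{
  char *end;
  errno = 0;
  long v = strtol (*s, &end, 10);
  /* errno is ERANGE when the digits overflow long; end == *s means
     no digits were consumed at all.  */
  if (errno || end == *s)
    return false;
  /* long can be wider than int, so the int range is checked separately.  */
  if (v < INT_MIN || v > INT_MAX)
    return false;
  *out = (int) v;
  *s = end;
  return true;
}

struct xpm_values
{
  int width, height, num_colors, chars_per_pixel;
};

/* Parse an XPM values string: "width height num_colors chars_per_pixel".
   Returns false for missing, non-numeric, out-of-range or non-positive
   fields (the positivity rule is an assumption of this example).  */
static bool
xpm_parse_values (const char *s, struct xpm_values *v)
{
  if (!(xpm_read_int (&s, &v->width)
        && xpm_read_int (&s, &v->height)
        && xpm_read_int (&s, &v->num_colors)
        && xpm_read_int (&s, &v->chars_per_pixel)))
    return false;
  return (v->width > 0 && v->height > 0
          && v->num_colors > 0 && v->chars_per_pixel > 0);
}

/* Each XPM pixel row holds width * chars_per_pixel characters.  Compute
   that length without letting the multiplication overflow int.  */
static bool
xpm_row_chars (const struct xpm_values *v, int *row_chars)
{
  if (v->width > INT_MAX / v->chars_per_pixel)
    return false;
  *row_chars = v->width * v->chars_per_pixel;
  return true;
}

int
main (void)
{
  /* Constructed sample inputs, not taken from any real XPM file.  */
  static const char *const samples[] = {
    "16 16 2 1",                    /* well-formed */
    "99999999999999999999 16 2 1",  /* overflows long */
    "4294967297 16 2 1",            /* fits a 64-bit long, not int */
    "16 16 2",                      /* field missing */
    "2147483647 1 1 2",             /* parses, but row length overflows */
  };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
    {
      struct xpm_values v;
      int row;
      if (!xpm_parse_values (samples[i], &v))
        printf ("%-30s rejected: bad values\n", samples[i]);
      else if (!xpm_row_chars (&v, &row))
        printf ("%-30s rejected: row length overflow\n", samples[i]);
      else
        printf ("%-30s ok: %dx%d, %d chars per row\n",
                samples[i], v.width, v.height, row);
    }
  return 0;
}
```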




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


Received: (at 72245) by debbugs.gnu.org; 23 Jul 2024 03:05:37 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jul 22 23:05:37 2024
Received: from localhost ([127.0.0.1]:58861 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sW5qL-0007e8-7t
	for submit <at> debbugs.gnu.org; Mon, 22 Jul 2024 23:05:37 -0400
Received: from mail-ed1-f52.google.com ([209.85.208.52]:51627)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@HIDDEN>) id 1sW5qI-0007ds-6V
 for 72245 <at> debbugs.gnu.org; Mon, 22 Jul 2024 23:05:36 -0400
Received: by mail-ed1-f52.google.com with SMTP id
 4fb4d7f45d1cf-5a167b9df7eso4915244a12.3
 for <72245 <at> debbugs.gnu.org>; Mon, 22 Jul 2024 20:05:30 -0700 (PDT)
X-Received: by 2002:a05:6402:2809:b0:58c:804a:6ee2 with SMTP id
 4fb4d7f45d1cf-5a4786822d1mr7006216a12.20.1721703864201; Mon, 22 Jul 2024
 20:04:24 -0700 (PDT)
Received: from 753933720722 named unknown by gmailapi.google.com with
 HTTPREST; Mon, 22 Jul 2024 20:04:23 -0700
From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <s54o76oooae.fsf@HIDDEN>
References: <CADwFkmmJBqJ7JcgcPrRkEaWhGd6GCnF2OdJ5aCVxQe_7zTt6Zw@HIDDEN>
 <s54o76oooae.fsf@HIDDEN>
MIME-Version: 1.0
Date: Mon, 22 Jul 2024 20:04:23 -0700
Message-ID: <CADwFkmnbt2xGfZ+J4i4x=hBxNAiCJg80_hSMy8Yafe9EPNoEBA@HIDDEN>
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
To: Po Lu <luangruo@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 72245
Cc: 72245 <at> debbugs.gnu.org

Po Lu <luangruo@HIDDEN> writes:

> Stefan Kangas <stefankangas@HIDDEN> writes:
>
>> Severity: minor
>>
>> Since XPM files are untrusted input, I think we'd better handle
>> integer
>> overflow when parsing it, in case the file is malformed.
>>
>> Proposed patch attached.
>
> What are the security implications of accepting whatever scanf produces
> in the event of an overflow?

There is a good summary here:

    https://cwe.mitre.org/data/definitions/190.html




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


Received: (at 72245) by debbugs.gnu.org; 23 Jul 2024 02:06:18 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jul 22 22:06:18 2024
Received: from localhost ([127.0.0.1]:58823 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sW4uv-0006Bp-Vo
	for submit <at> debbugs.gnu.org; Mon, 22 Jul 2024 22:06:18 -0400
Received: from sonic311-25.consmr.mail.ne1.yahoo.com ([66.163.188.206]:43333)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <luangruo@HIDDEN>) id 1sW4ut-0006Bb-C9
 for 72245 <at> debbugs.gnu.org; Mon, 22 Jul 2024 22:06:16 -0400
X-Sonic-MF: <luangruo@HIDDEN>
X-Sonic-ID: e5105737-20f6-445b-98b4-9813bf3e9cae
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic311.consmr.mail.ne1.yahoo.com with HTTP; Tue, 23 Jul 2024 02:06:05 +0000
Received: by hermes--production-sg3-85fdb5cfc8-9f8w5 (Yahoo Inc. Hermes SMTP
 Server) with ESMTPA ID 76a97bec104d244cbb8407bac9679f54; 
 Tue, 23 Jul 2024 02:06:00 +0000 (UTC)
From: Po Lu <luangruo@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
In-Reply-To: <CADwFkmmJBqJ7JcgcPrRkEaWhGd6GCnF2OdJ5aCVxQe_7zTt6Zw@HIDDEN>
 (Stefan Kangas's message of "Mon, 22 Jul 2024 07:35:55 -0700")
References: <CADwFkmmJBqJ7JcgcPrRkEaWhGd6GCnF2OdJ5aCVxQe_7zTt6Zw@HIDDEN>
Date: Tue, 23 Jul 2024 10:06:01 +0800
Message-ID: <s54o76oooae.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Mailer: WebService/1.1.22501
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 334
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 72245
Cc: 72245 <at> debbugs.gnu.org

Stefan Kangas <stefankangas@HIDDEN> writes:

> Severity: minor
>
> Since XPM files are untrusted input, I think we'd better handle
> integer
> overflow when parsing it, in case the file is malformed.
>
> Proposed patch attached.

What are the security implications of accepting whatever scanf produces
in the event of an overflow?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


Received: (at 72245) by debbugs.gnu.org; 22 Jul 2024 15:49:41 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jul 22 11:49:41 2024
Received: from localhost ([127.0.0.1]:58470 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sVvID-00069J-9C
	for submit <at> debbugs.gnu.org; Mon, 22 Jul 2024 11:49:41 -0400
Received: from mail-ed1-f51.google.com ([209.85.208.51]:46564)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@HIDDEN>) id 1sVvI8-000694-Iy
 for 72245 <at> debbugs.gnu.org; Mon, 22 Jul 2024 11:49:39 -0400
Received: by mail-ed1-f51.google.com with SMTP id
 4fb4d7f45d1cf-5a2ffc346ceso3207279a12.1
 for <72245 <at> debbugs.gnu.org>; Mon, 22 Jul 2024 08:49:33 -0700 (PDT)
X-Received: by 2002:a05:6402:35c8:b0:5a0:f666:88c5 with SMTP id
 4fb4d7f45d1cf-5a941f17cbamr229613a12.13.1721663307407; Mon, 22 Jul 2024
 08:48:27 -0700 (PDT)
Received: from 753933720722 named unknown by gmailapi.google.com with
 HTTPREST; Mon, 22 Jul 2024 08:48:25 -0700
From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <def89214-f8e0-47ae-9d12-ca8c58590f8d@HIDDEN>
References: <CADwFkmmJBqJ7JcgcPrRkEaWhGd6GCnF2OdJ5aCVxQe_7zTt6Zw@HIDDEN>
 <86ttgha2sd.fsf@HIDDEN> <def89214-f8e0-47ae-9d12-ca8c58590f8d@HIDDEN>
MIME-Version: 1.0
Date: Mon, 22 Jul 2024 08:48:25 -0700
Message-ID: <CADwFkmn6e5DHREw56wT=+wqJZGmWdpN2TtsrxjsvGM8zu3Q6DQ@HIDDEN>
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
To: Paul Eggert <eggert@HIDDEN>, Eli Zaretskii <eliz@HIDDEN>
Content-Type: multipart/mixed; boundary="000000000000dc8d66061dd7f938"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 72245
Cc: 72245 <at> debbugs.gnu.org
X-Spam-Score: -1.0 (-)

--000000000000dc8d66061dd7f938
Content-Type: text/plain; charset="UTF-8"

Paul Eggert <eggert@HIDDEN> writes:

> On 2024-07-22 08:01, Eli Zaretskii wrote:
>> +  if (p == *buf || errno == ERANGE || errno == EINVAL
>
> This should be:
>
>     if (errno || p == *buf
>
> as other errors are possible at least in theory, and p might be
> uninitialized on error.
>
>>> +  return (int)result;
>
> As a style matter this cast does more harm than good, as it will
> suppress a static check if 'result' happens to be a pointer type, and it
> could suppress a dynamic check on some debugging-oriented systems. I
> would say just 'return result;'.

Thanks for reviewing.

I've attached an updated patch with your proposed changes.

--000000000000dc8d66061dd7f938
Content-Type: text/x-patch; charset="US-ASCII"; 
	name="0001-Fix-integer-overflow-when-reading-XPM.patch"
Content-Disposition: attachment; 
	filename="0001-Fix-integer-overflow-when-reading-XPM.patch"
Content-Transfer-Encoding: base64
X-Attachment-Id: 80183bf9a447c0c_0.1
--000000000000dc8d66061dd7f938--




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


Received: (at 72245) by debbugs.gnu.org; 22 Jul 2024 15:39:45 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jul 22 11:39:45 2024
Received: from localhost ([127.0.0.1]:58466 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sVv8b-0005uu-4y
	for submit <at> debbugs.gnu.org; Mon, 22 Jul 2024 11:39:45 -0400
Received: from mail.cs.ucla.edu ([131.179.128.66]:59820)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eggert@HIDDEN>) id 1sVv8X-0005ug-G8
 for 72245 <at> debbugs.gnu.org; Mon, 22 Jul 2024 11:39:43 -0400
Received: from localhost (localhost [127.0.0.1])
 by mail.cs.ucla.edu (Postfix) with ESMTP id B8A883C00E400;
 Mon, 22 Jul 2024 08:39:32 -0700 (PDT)
Received: from mail.cs.ucla.edu ([127.0.0.1])
 by localhost (mail.cs.ucla.edu [127.0.0.1]) (amavis, port 10032) with ESMTP
 id FzUzR7VXEAvU; Mon, 22 Jul 2024 08:39:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by mail.cs.ucla.edu (Postfix) with ESMTP id 7C0053C00E40C;
 Mon, 22 Jul 2024 08:39:32 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.cs.ucla.edu 7C0053C00E40C
X-Virus-Scanned: amavis at mail.cs.ucla.edu
Received: from mail.cs.ucla.edu ([127.0.0.1])
 by localhost (mail.cs.ucla.edu [127.0.0.1]) (amavis, port 10026) with ESMTP
 id A3FYMrKUiaAM; Mon, 22 Jul 2024 08:39:32 -0700 (PDT)
Received: from [192.168.254.12] (unknown [47.154.17.165])
 by mail.cs.ucla.edu (Postfix) with ESMTPSA id 592FD3C00E400;
 Mon, 22 Jul 2024 08:39:32 -0700 (PDT)
Message-ID: <def89214-f8e0-47ae-9d12-ca8c58590f8d@HIDDEN>
Date: Mon, 22 Jul 2024 08:39:32 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
To: Eli Zaretskii <eliz@HIDDEN>, Stefan Kangas <stefankangas@HIDDEN>
References: <CADwFkmmJBqJ7JcgcPrRkEaWhGd6GCnF2OdJ5aCVxQe_7zTt6Zw@HIDDEN>
 <86ttgha2sd.fsf@HIDDEN>
Content-Language: en-US
From: Paul Eggert <eggert@HIDDEN>
Organization: UCLA Computer Science Department
In-Reply-To: <86ttgha2sd.fsf@HIDDEN>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 72245
Cc: 72245 <at> debbugs.gnu.org
X-Spam-Score: -1.0 (-)

On 2024-07-22 08:01, Eli Zaretskii wrote:
> +  if (p == *buf || errno == ERANGE || errno == EINVAL

This should be:

    if (errno || p == *buf

as other errors are possible at least in theory, and p might be 
uninitialized on error.

>> +  return (int)result;

As a style matter this cast does more harm than good, as it will 
suppress a static check if 'result' happens to be a pointer type, and it 
could suppress a dynamic check on some debugging-oriented systems. I 
would say just 'return result;'.
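
The strtol checks discussed in this message, worked through on a whole XPM values line, as an added example that is not part of the thread or of the Emacs patch. The names `struct xpm_values`, `parse_positive_int` and `parse_xpm_values` and the sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical result type; the int fields are meaningful only when
   OK is true.  */
struct xpm_values { bool ok; int width, height, num_colors, chars_per_pixel; };

/* Parse one decimal field at *POS and advance *POS past it.  Fails on
   any strtol error, on no digits, on a value outside 1..INT_MAX, and
   on a field that is not ended by whitespace or NUL.  */
static bool
parse_positive_int (const char **pos, int *out)
{
  char *end;

  errno = 0;
  long v = strtol (*pos, &end, 10);
  /* Test errno first: END is trusted only once the call succeeded.  */
  if (errno || end == *pos)
    return false;
  /* On LP64 a long can hold values an int cannot, so check the range.  */
  if (v <= 0 || v > INT_MAX)
    return false;
  /* Reject fields such as "12x3".  */
  if (*end != '\0' && !isspace ((unsigned char) *end))
    return false;

  *pos = end;
  *out = v;	/* Known to be in range, so no cast is needed.  */
  return true;
}

/* Parse "width height num_colors chars_per_pixel".  Text after the
   fourth field is ignored, as it was by the sscanf call being replaced.  */
struct xpm_values
parse_xpm_values (const char *line)
{
  struct xpm_values v = { 0 };
  const char *pos = line;

  v.ok = (parse_positive_int (&pos, &v.width)
	  && parse_positive_int (&pos, &v.height)
	  && parse_positive_int (&pos, &v.num_colors)
	  && parse_positive_int (&pos, &v.chars_per_pixel));
  return v;
}

int
main (void)
{
  /* Constructed sample lines, not taken from any real XPM file.  */
  static const char *const samples[] = {
    "16 32 4 1", "99999999999999999999 16 4 1", "12x3 16 4 1", "16 16 4",
  };
  for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
    printf ("%-30s %s\n", samples[i],
	    parse_xpm_values (samples[i]).ok ? "accepted" : "rejected");
  return 0;
}
```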




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at 72245 <at> debbugs.gnu.org:


Received: (at 72245) by debbugs.gnu.org; 22 Jul 2024 15:02:11 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jul 22 11:02:10 2024
Received: from localhost ([127.0.0.1]:58438 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sVuYE-0004sT-HS
	for submit <at> debbugs.gnu.org; Mon, 22 Jul 2024 11:02:10 -0400
Received: from eggs.gnu.org ([209.51.188.92]:39768)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1sVuYC-0004sF-NC
 for 72245 <at> debbugs.gnu.org; Mon, 22 Jul 2024 11:02:09 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1sVuY2-0003Lv-Gt; Mon, 22 Jul 2024 11:01:58 -0400
Date: Mon, 22 Jul 2024 18:01:54 +0300
Message-Id: <86ttgha2sd.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>,
 Paul Eggert <eggert@HIDDEN>
In-Reply-To: <CADwFkmmJBqJ7JcgcPrRkEaWhGd6GCnF2OdJ5aCVxQe_7zTt6Zw@HIDDEN>
 (message from Stefan Kangas on Mon, 22 Jul 2024 07:35:55 -0700)
Subject: Re: bug#72245: [PATCH] Fix integer overflow when reading XPM
References: <CADwFkmmJBqJ7JcgcPrRkEaWhGd6GCnF2OdJ5aCVxQe_7zTt6Zw@HIDDEN>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 72245
Cc: 72245 <at> debbugs.gnu.org
X-Spam-Score: -3.3 (---)

> From: Stefan Kangas <stefankangas@HIDDEN>
> Date: Mon, 22 Jul 2024 07:35:55 -0700
> 
> Since XPM files are untrusted input, I think we'd better handle integer
> overflow when parsing it, in case the file is malformed.
> 
> Proposed patch attached.

Thanks.

Paul, any comments or suggestions?

> From 2aa0e1ac9705201939b30a8ca39b3354cbd62a8e Mon Sep 17 00:00:00 2001
> From: Stefan Kangas <stefankangas@HIDDEN>
> Date: Mon, 22 Jul 2024 16:00:30 +0200
> Subject: [PATCH] Fix integer overflow when reading XPM
> 
> * src/image.c (xpm_str_to_int): New function.
> (xpm_load_image): Avoid integer overflow when reading XPM by replacing
> sscanf with strtol, to correctly handle integer overflow when reading a
> malformed XPM file.
> ---
>  src/image.c | 34 ++++++++++++++++++++++++++++++----
>  1 file changed, 30 insertions(+), 4 deletions(-)
> 
> diff --git a/src/image.c b/src/image.c
> index 90e6312e128..d8a8dc57ea9 100644
> --- a/src/image.c
> +++ b/src/image.c
> @@ -19,6 +19,7 @@ Copyright (C) 1989-2024 Free Software Foundation, Inc.
>  
>  #include <config.h>
>  
> +#include <errno.h>
>  #include <fcntl.h>
>  #include <math.h>
>  #include <unistd.h>
> @@ -6254,6 +6255,27 @@ xpm_str_to_color_key (const char *s)
>    return -1;
>  }
>  
> +static int
> +xpm_str_to_int (char **buf)
> +{
> +  char *p;
> +
> +  errno = 0;
> +  long result = strtol (*buf, &p, 10);
> +  if (p == *buf || errno == ERANGE || errno == EINVAL
> +      || result < INT_MIN || result > INT_MAX)
> +    return -1;
> +
> +  /* Error out if we see something like "12x3xyz".  */
> +  if (!c_isspace (*p) && *p != '\0')
> +    return -1;
> +
> +  /* Update position to read next integer.  */
> +  *buf = p;
> +
> +  return (int)result;
> +}
> +
>  static bool
>  xpm_load_image (struct frame *f,
>                  struct image *img,
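Review bot: xpm_str_to_int has no header comment, and its -1 return is both the error value and the result of parsing a literal "-1", so the contract should be stated above the function: it returns -1 on failure, advances *buf only on success, and relies on callers rejecting every non-positive value. Note also that strtol skips leading whitespace and accepts a leading sign, so inputs such as "+16" pass this function; if that is intended for the XPM values line, the comment should say so.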
> @@ -6311,10 +6333,14 @@ #define expect_ident(IDENT)					\
>      goto failure;
>    memcpy (buffer, beg, len);
>    buffer[len] = '\0';
> -  if (sscanf (buffer, "%d %d %d %d", &width, &height,
> -	      &num_colors, &chars_per_pixel) != 4
> -      || width <= 0 || height <= 0
> -      || num_colors <= 0 || chars_per_pixel <= 0)
> +  char *next_int = buffer;
> +  if ((width = xpm_str_to_int (&next_int)) <= 0)
> +    goto failure;
> +  if ((height = xpm_str_to_int (&next_int)) <= 0)
> +    goto failure;
> +  if ((num_colors = xpm_str_to_int (&next_int)) <= 0)
> +    goto failure;
> +  if ((chars_per_pixel = xpm_str_to_int (&next_int)) <= 0)
>      goto failure;
>  
>    if (!check_image_size (f, width, height))
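Review bot: in the rewritten values-line check, num_colors and chars_per_pixel are bounded only from below (`<= 0`), while the visible context passes just width and height to check_image_size. Since the stated goal is safe handling of untrusted XPM input, it is worth confirming that later arithmetic on these two values is range-checked as well. As a style point, the four near-identical `if (...) goto failure;` statements could be joined with `||` to keep the shape of the single condition they replace.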
> -- 
> 2.45.2
> 




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 22 Jul 2024 14:36:08 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jul 22 10:36:08 2024
Received: from localhost ([127.0.0.1]:58411 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sVu92-0004DZ-CK
	for submit <at> debbugs.gnu.org; Mon, 22 Jul 2024 10:36:08 -0400
Received: from lists.gnu.org ([209.51.188.17]:57248)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@HIDDEN>) id 1sVu8y-0004DQ-9M
 for submit <at> debbugs.gnu.org; Mon, 22 Jul 2024 10:36:06 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <stefankangas@HIDDEN>)
 id 1sVu8u-0000Vd-Rw
 for bug-gnu-emacs@HIDDEN; Mon, 22 Jul 2024 10:36:00 -0400
Received: from mail-ed1-x529.google.com ([2a00:1450:4864:20::529])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <stefankangas@HIDDEN>)
 id 1sVu8t-0006f3-8P
 for bug-gnu-emacs@HIDDEN; Mon, 22 Jul 2024 10:36:00 -0400
Received: by mail-ed1-x529.google.com with SMTP id
 4fb4d7f45d1cf-5a3458bf7cfso3420430a12.0
 for <bug-gnu-emacs@HIDDEN>; Mon, 22 Jul 2024 07:35:58 -0700 (PDT)
X-Received: by 2002:a05:6402:510f:b0:5a2:68a2:ae57 with SMTP id
 4fb4d7f45d1cf-5a47bb9258dmr5085950a12.31.1721658956976; Mon, 22 Jul 2024
 07:35:56 -0700 (PDT)
Received: from 753933720722 named unknown by gmailapi.google.com with
 HTTPREST; Mon, 22 Jul 2024 07:35:55 -0700
From: Stefan Kangas <stefankangas@HIDDEN>
MIME-Version: 1.0
Date: Mon, 22 Jul 2024 07:35:55 -0700
Message-ID: <CADwFkmmJBqJ7JcgcPrRkEaWhGd6GCnF2OdJ5aCVxQe_7zTt6Zw@HIDDEN>
Subject: [PATCH] Fix integer overflow when reading XPM
To: bug-gnu-emacs@HIDDEN
Content-Type: multipart/mixed; boundary="0000000000008e2af5061dd6f641"
Received-SPF: pass client-ip=2a00:1450:4864:20::529;
 envelope-from=stefankangas@HIDDEN; helo=mail-ed1-x529.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
X-Spam-Score: -2.3 (--)

--0000000000008e2af5061dd6f641
Content-Type: text/plain; charset="UTF-8"

Severity: minor

Since XPM files are untrusted input, I think we'd better handle integer
overflow when parsing it, in case the file is malformed.

Proposed patch attached.

--0000000000008e2af5061dd6f641
Content-Type: text/x-patch; charset="US-ASCII"; 
	name="0001-Fix-integer-overflow-when-reading-XPM.patch"
Content-Disposition: attachment; 
	filename="0001-Fix-integer-overflow-when-reading-XPM.patch"
Content-Transfer-Encoding: base64
X-Attachment-Id: e64cc34798664c06_0.1
--0000000000008e2af5061dd6f641--




Acknowledgement sent to Stefan Kangas <stefankangas@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#72245; Package emacs. Full text available.
Last modified: Tue, 23 Jul 2024 18:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.