From a23cbf1d8a1e2509de937e873d0d45d2122dc0ff Mon Sep 17 00:00:00 2001
From: Rob Browning <rlb@defaultvalue.org>
Date: Sun, 10 Oct 2010 20:56:54 -0500
Subject: [PATCH] Prevent string and unibyte-string from overflowing the stack.

---
 debian/changelog                              |  12 ++
 ...prevent-let-eval-apply-stack-overflow.diff | 141 ++++++++++++++++++
 .../prevent-string-stack-overflow.diff        |  90 +++++++++++
 debian/patches/series                         |   3 +
 ...a-lisp-in-let-eval-apply-apply_lambda.diff |  82 ++++++++++
 5 files changed, 328 insertions(+)
 create mode 100644 debian/patches/prevent-let-eval-apply-stack-overflow.diff
 create mode 100644 debian/patches/prevent-string-stack-overflow.diff
 create mode 100644 debian/patches/use-safe-alloca-lisp-in-let-eval-apply-apply_lambda.diff

diff --git a/debian/changelog b/debian/changelog
index 22a0260472d..c8176fa4d08 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+emacs23 (23.2+1-5) unstable; urgency=low
+
+  * Apply upstream patches to prevent the string and unibyte-string
+    functions from overflowing the stack
+    (prevent-string-stack-overflow.diff,
+    prevent-let-eval-apply-stack-overflow.diff, and
+    use-safe-alloca-lisp-in-let-eval-apply-apply_lambda.diff).  Thanks
+    to Carl Worth <cworth@debian.org> and Sven Joachim
+    <svenjoac@gmx.de> for finding the patches (closes: #586459).
+
+ -- Rob Browning <rlb@defaultvalue.org>  Sun, 17 Oct 2010 23:53:54 -0500
+
 emacs23 (23.2+1-4) unstable; urgency=low
 
   * Disable parallel builds (via DEB_BUILD_OPTIONS=parallel) until an
diff --git a/debian/patches/prevent-let-eval-apply-stack-overflow.diff b/debian/patches/prevent-let-eval-apply-stack-overflow.diff
new file mode 100644
index 00000000000..cb55d0510d0
--- /dev/null
+++ b/debian/patches/prevent-let-eval-apply-stack-overflow.diff
@@ -0,0 +1,141 @@
+* A potential stack overflow should be fixed in let, eval, and apply.
+  Patch: prevent-let-eval-apply-stack-overflow.diff
+  Provided-by: Sven Joachim <svenjoac@gmx.de>
+  Date: Thu, 19 Aug 2010 21:24:11 +0200
+  Added-by: Rob Browning <rlb@defaultvalue.org>
+  Status: incorporated upstream
+
+  The Debian patch is taken from this upstream commit:
+
+  revno: 99982
+  committer: Chong Yidong <cyd@stupidchicken.com>
+  branch nick: emacs-23
+  timestamp: Tue 2010-08-17 12:34:28 -0400
+  message:
+    Avoid stack overflow in let, eval, and apply (Bug#6214).
+
+    * eval.c (Flet, Feval, Fapply, apply_lambda): Use SAFE_ALLOCA (Bug#6214).
+
+--- a/src/ChangeLog
++++ b/src/ChangeLog
+@@ -1,3 +1,8 @@
++2010-08-17  Chong Yidong  <cyd@stupidchicken.com>
++
++       * eval.c (Flet, Feval, Fapply, apply_lambda): Use SAFE_ALLOCA
++       (Bug#6214).
++
+ 2010-05-18  Chong Yidong  <cyd@stupidchicken.com>
+ 
+ 	* character.c (Fstring, Funibyte_string): Use SAFE_ALLOCA to
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -1028,12 +1028,13 @@
+   int count = SPECPDL_INDEX ();
+   register int argnum;
+   struct gcpro gcpro1, gcpro2;
++  USE_SAFE_ALLOCA;
+ 
+   varlist = Fcar (args);
+ 
+   /* Make space to hold the values to give the bound variables */
+   elt = Flength (varlist);
+-  temps = (Lisp_Object *) alloca (XFASTINT (elt) * sizeof (Lisp_Object));
++  SAFE_ALLOCA (temps, Lisp_Object *, XFASTINT (elt) * sizeof (Lisp_Object));
+ 
+   /* Compute the values and store them in `temps' */
+ 
+@@ -1066,6 +1067,7 @@
+     }
+ 
+   elt = Fprogn (Fcdr (args));
++  SAFE_FREE ();
+   return unbind_to (count, elt);
+ }
+ 
+@@ -2299,8 +2301,10 @@
+ 	  /* Pass a vector of evaluated arguments */
+ 	  Lisp_Object *vals;
+ 	  register int argnum = 0;
++	  USE_SAFE_ALLOCA;
+ 
+-	  vals = (Lisp_Object *) alloca (XINT (numargs) * sizeof (Lisp_Object));
++	  SAFE_ALLOCA (vals, Lisp_Object *,
++		       XINT (numargs) * sizeof (Lisp_Object));
+ 
+ 	  GCPRO3 (args_left, fun, fun);
+ 	  gcpro3.var = vals;
+@@ -2318,6 +2322,7 @@
+ 
+ 	  val = (*XSUBR (fun)->function) (XINT (numargs), vals);
+ 	  UNGCPRO;
++	  SAFE_FREE ();
+ 	  goto done;
+ 	}
+ 
+@@ -2430,8 +2435,9 @@
+   register int i, numargs;
+   register Lisp_Object spread_arg;
+   register Lisp_Object *funcall_args;
+-  Lisp_Object fun;
++  Lisp_Object fun, retval;
+   struct gcpro gcpro1;
++  USE_SAFE_ALLOCA;
+ 
+   fun = args [0];
+   funcall_args = 0;
+@@ -2470,8 +2476,8 @@
+ 	{
+ 	  /* Avoid making funcall cons up a yet another new vector of arguments
+ 	     by explicitly supplying nil's for optional values */
+-	  funcall_args = (Lisp_Object *) alloca ((1 + XSUBR (fun)->max_args)
+-						 * sizeof (Lisp_Object));
++	  SAFE_ALLOCA (funcall_args, Lisp_Object *,
++		       (1 + XSUBR (fun)->max_args) * sizeof (Lisp_Object));
+ 	  for (i = numargs; i < XSUBR (fun)->max_args;)
+ 	    funcall_args[++i] = Qnil;
+ 	  GCPRO1 (*funcall_args);
+@@ -2483,8 +2489,8 @@
+      function itself as well as its arguments.  */
+   if (!funcall_args)
+     {
+-      funcall_args = (Lisp_Object *) alloca ((1 + numargs)
+-					     * sizeof (Lisp_Object));
++      SAFE_ALLOCA (funcall_args, Lisp_Object *,
++		   (1 + numargs) * sizeof (Lisp_Object));
+       GCPRO1 (*funcall_args);
+       gcpro1.nvars = 1 + numargs;
+     }
+@@ -2500,7 +2506,11 @@
+     }
+ 
+   /* By convention, the caller needs to gcpro Ffuncall's args.  */
+-  RETURN_UNGCPRO (Ffuncall (gcpro1.nvars, funcall_args));
++  retval = Ffuncall (gcpro1.nvars, funcall_args);
++  UNGCPRO;
++  SAFE_FREE ();
++
++  return retval;
+ }
+ 
+ /* Run hook variables in various ways.  */
+@@ -3108,9 +3118,11 @@
+   struct gcpro gcpro1, gcpro2, gcpro3;
+   register int i;
+   register Lisp_Object tem;
++  USE_SAFE_ALLOCA;
+ 
+   numargs = Flength (args);
+-  arg_vector = (Lisp_Object *) alloca (XINT (numargs) * sizeof (Lisp_Object));
++  SAFE_ALLOCA (arg_vector, Lisp_Object *,
++	       XINT (numargs) * sizeof (Lisp_Object));
+   args_left = args;
+ 
+   GCPRO3 (*arg_vector, args_left, fun);
+@@ -3139,6 +3151,7 @@
+     tem = call_debugger (Fcons (Qexit, Fcons (tem, Qnil)));
+   /* Don't do it again when we return to eval.  */
+   backtrace_list->debug_on_exit = 0;
++  SAFE_FREE ();
+   return tem;
+ }
+ 
diff --git a/debian/patches/prevent-string-stack-overflow.diff b/debian/patches/prevent-string-stack-overflow.diff
new file mode 100644
index 00000000000..f37b4bf343d
--- /dev/null
+++ b/debian/patches/prevent-string-stack-overflow.diff
@@ -0,0 +1,90 @@
+* The string and unibyte-string functions should no longer overflow the stack.
+  Patch: prevent-string-stack-overflow.diff
+  Provided-by: Carl Worth <cworth@debian.org>
+  Date: Sat, 19 Jun 2010 11:12:06 -0700
+  Added-by: Rob Browning <rlb@defaultvalue.org>
+  Status: incorporated upstream
+
+  The Debian patch is taken from this upstream commit:
+
+    revno: 99634.2.173
+    committer: Chong Yidong <cyd@stupidchicken.com>
+    branch nick: emacs-23
+    timestamp: Tue 2010-05-18 14:01:10 -0400
+    message:
+      * character.c (Fstring, Funibyte_string): Use SAFE_ALLOCA to
+      prevent stack overflow if number of arguments is too large
+      (Bug#6214).
+
+--- a/src/ChangeLog
++++ b/src/ChangeLog
+@@ -1,3 +1,9 @@
++2010-05-18  Chong Yidong  <cyd@stupidchicken.com>
++
++	* character.c (Fstring, Funibyte_string): Use SAFE_ALLOCA to
++	prevent stack overflow if number of arguments is too large
++	(Bug#6214).
++
+ 2010-05-07  Chong Yidong  <cyd@stupidchicken.com>
+ 
+ 	* Version 23.2 released.
+--- a/src/character.c
++++ b/src/character.c
+@@ -961,10 +961,13 @@
+      int n;
+      Lisp_Object *args;
+ {
+-  int i;
+-  unsigned char *buf = (unsigned char *) alloca (MAX_MULTIBYTE_LENGTH * n);
+-  unsigned char *p = buf;
+-  int c;
++  int i, c;
++  unsigned char *buf, *p;
++  Lisp_Object str;
++  USE_SAFE_ALLOCA;
++
++  SAFE_ALLOCA (buf, unsigned char *, MAX_MULTIBYTE_LENGTH * n);
++  p = buf;
+ 
+   for (i = 0; i < n; i++)
+     {
+@@ -973,7 +976,9 @@
+       p += CHAR_STRING (c, p);
+     }
+ 
+-  return make_string_from_bytes ((char *) buf, n, p - buf);
++  str = make_string_from_bytes ((char *) buf, n, p - buf);
++  SAFE_FREE ();
++  return str;
+ }
+ 
+ DEFUN ("unibyte-string", Funibyte_string, Sunibyte_string, 0, MANY, 0,
+@@ -983,10 +988,13 @@
+      int n;
+      Lisp_Object *args;
+ {
+-  int i;
+-  unsigned char *buf = (unsigned char *) alloca (n);
+-  unsigned char *p = buf;
+-  unsigned c;
++  int i, c;
++  unsigned char *buf, *p;
++  Lisp_Object str;
++  USE_SAFE_ALLOCA;
++
++  SAFE_ALLOCA (buf, unsigned char *, n);
++  p = buf;
+ 
+   for (i = 0; i < n; i++)
+     {
+@@ -997,7 +1005,9 @@
+       *p++ = c;
+     }
+ 
+-  return make_string_from_bytes ((char *) buf, n, p - buf);
++  str = make_string_from_bytes ((char *) buf, n, p - buf);
++  SAFE_FREE ();
++  return str;
+ }
+ 
+ DEFUN ("char-resolve-modifiers", Fchar_resolve_modifiers,
diff --git a/debian/patches/series b/debian/patches/series
index e8a55fbcff6..13bb896f75e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,6 @@ look-for-news-to-find-etc.diff
 fix-flymake-xmlstarlet-invocation.diff
 add-unix-to-cpp-undefs.diff
 fix-gnu-kfreebsd-startup.diff
+prevent-string-stack-overflow.diff
+prevent-let-eval-apply-stack-overflow.diff
+use-safe-alloca-lisp-in-let-eval-apply-apply_lambda.diff
diff --git a/debian/patches/use-safe-alloca-lisp-in-let-eval-apply-apply_lambda.diff b/debian/patches/use-safe-alloca-lisp-in-let-eval-apply-apply_lambda.diff
new file mode 100644
index 00000000000..33a58e6b1c1
--- /dev/null
+++ b/debian/patches/use-safe-alloca-lisp-in-let-eval-apply-apply_lambda.diff
@@ -0,0 +1,82 @@
+* An allocation problem has been fixed in let, eval, apply, and apply_lambda.
+  Patch: use-safe-alloca-lisp-in-let-eval-apply-apply_lambda.diff
+  Provided-by: Sven Joachim <svenjoac@gmx.de>
+  Date: Thu, 19 Aug 2010 21:24:11 +0200
+  Added-by: Rob Browning <rlb@defaultvalue.org>
+  Status: incorporated upstream
+
+  Previously, the content of the relevant items was invisible to the
+  garbage collector.
+
+  The Debian patch is taken from this upstream commit:
+
+  revno: 99983
+  committer: Andreas Schwab <schwab@linux-m68k.org>
+  branch nick: emacs
+  timestamp: Tue 2010-08-17 23:07:50 +0200
+  message:
+    * eval.c (Flet, Feval, Fapply, apply_lambda): Use SAFE_ALLOCA_LISP
+    instead of SAFE_ALLOCA.
+
+--- a/src/ChangeLog
++++ b/src/ChangeLog
+@@ -1,3 +1,8 @@
++2010-08-17  Andreas Schwab  <schwab@linux-m68k.org>
++
++	* eval.c (Flet, Feval, Fapply, apply_lambda): Use SAFE_ALLOCA_LISP
++	instead of SAFE_ALLOCA.
++
+ 2010-08-17  Chong Yidong  <cyd@stupidchicken.com>
+ 
+        * eval.c (Flet, Feval, Fapply, apply_lambda): Use SAFE_ALLOCA
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -1034,7 +1034,7 @@
+ 
+   /* Make space to hold the values to give the bound variables */
+   elt = Flength (varlist);
+-  SAFE_ALLOCA (temps, Lisp_Object *, XFASTINT (elt) * sizeof (Lisp_Object));
++  SAFE_ALLOCA_LISP (temps, XFASTINT (elt));
+ 
+   /* Compute the values and store them in `temps' */
+ 
+@@ -2303,8 +2303,7 @@
+ 	  register int argnum = 0;
+ 	  USE_SAFE_ALLOCA;
+ 
+-	  SAFE_ALLOCA (vals, Lisp_Object *,
+-		       XINT (numargs) * sizeof (Lisp_Object));
++	  SAFE_ALLOCA_LISP (vals, XINT (numargs));
+ 
+ 	  GCPRO3 (args_left, fun, fun);
+ 	  gcpro3.var = vals;
+@@ -2476,8 +2475,7 @@
+ 	{
+ 	  /* Avoid making funcall cons up a yet another new vector of arguments
+ 	     by explicitly supplying nil's for optional values */
+-	  SAFE_ALLOCA (funcall_args, Lisp_Object *,
+-		       (1 + XSUBR (fun)->max_args) * sizeof (Lisp_Object));
++	  SAFE_ALLOCA_LISP (funcall_args, 1 + XSUBR (fun)->max_args);
+ 	  for (i = numargs; i < XSUBR (fun)->max_args;)
+ 	    funcall_args[++i] = Qnil;
+ 	  GCPRO1 (*funcall_args);
+@@ -2489,8 +2487,7 @@
+      function itself as well as its arguments.  */
+   if (!funcall_args)
+     {
+-      SAFE_ALLOCA (funcall_args, Lisp_Object *,
+-		   (1 + numargs) * sizeof (Lisp_Object));
++      SAFE_ALLOCA_LISP (funcall_args, 1 + numargs);
+       GCPRO1 (*funcall_args);
+       gcpro1.nvars = 1 + numargs;
+     }
+@@ -3121,8 +3118,7 @@
+   USE_SAFE_ALLOCA;
+ 
+   numargs = Flength (args);
+-  SAFE_ALLOCA (arg_vector, Lisp_Object *,
+-	       XINT (numargs) * sizeof (Lisp_Object));
++  SAFE_ALLOCA_LISP (arg_vector, XINT (numargs));
+   args_left = args;
+ 
+   GCPRO3 (*arg_vector, args_left, fun);
-- 
2.30.2