diff options
| author | Paul Eggert | 2011-06-22 22:41:40 -0700 |
|---|---|---|
| committer | Paul Eggert | 2011-06-22 22:41:40 -0700 |
| commit | 20270765bee11c46dc5a16ccca169751ce4e89ea (patch) | |
| tree | 67032e51e849053e425e71844d6f1018cdd43ea2 | |
| parent | 437b2cb453cedf1a9033b2082879f1964c67ed23 (diff) | |
| download | emacs-20270765bee11c46dc5a16ccca169751ce4e89ea.tar.gz emacs-20270765bee11c46dc5a16ccca169751ce4e89ea.zip | |
* lread.c (read1): Check for size overflow.
| -rw-r--r-- | src/ChangeLog | 1 | ||||
| -rw-r--r-- | src/lread.c | 6 |
2 files changed, 7 insertions, 0 deletions
diff --git a/src/ChangeLog b/src/ChangeLog index 6cf45e5d2aa..1e9cf82d1ac 100644 --- a/src/ChangeLog +++ b/src/ChangeLog | |||
| @@ -13,6 +13,7 @@ | |||
| 13 | (substitute_object_recurse, read_vector, read_list, map_obarray): | 13 | (substitute_object_recurse, read_vector, read_list, map_obarray): |
| 14 | Use ptrdiff_t, not int, for sizes. | 14 | Use ptrdiff_t, not int, for sizes. |
| 15 | (read1): Use EMACS_INT, not int, for sizes. | 15 | (read1): Use EMACS_INT, not int, for sizes. |
| 16 | Check for size overflow. | ||
| 16 | 17 | ||
| 17 | * image.c (cache_image): Check for size arithmetic overflow. | 18 | * image.c (cache_image): Check for size arithmetic overflow. |
| 18 | 19 | ||
diff --git a/src/lread.c b/src/lread.c index 18569df554b..06b957cf392 100644 --- a/src/lread.c +++ b/src/lread.c | |||
| @@ -2869,6 +2869,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list) | |||
| 2869 | if (end - p < MAX_MULTIBYTE_LENGTH) | 2869 | if (end - p < MAX_MULTIBYTE_LENGTH) |
| 2870 | { | 2870 | { |
| 2871 | ptrdiff_t offset = p - read_buffer; | 2871 | ptrdiff_t offset = p - read_buffer; |
| 2872 | if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size) | ||
| 2873 | memory_full (SIZE_MAX); | ||
| 2872 | read_buffer = (char *) xrealloc (read_buffer, | 2874 | read_buffer = (char *) xrealloc (read_buffer, |
| 2873 | read_buffer_size *= 2); | 2875 | read_buffer_size *= 2); |
| 2874 | p = read_buffer + offset; | 2876 | p = read_buffer + offset; |
| @@ -3012,6 +3014,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list) | |||
| 3012 | if (end - p < MAX_MULTIBYTE_LENGTH) | 3014 | if (end - p < MAX_MULTIBYTE_LENGTH) |
| 3013 | { | 3015 | { |
| 3014 | ptrdiff_t offset = p - read_buffer; | 3016 | ptrdiff_t offset = p - read_buffer; |
| 3017 | if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size) | ||
| 3018 | memory_full (SIZE_MAX); | ||
| 3015 | read_buffer = (char *) xrealloc (read_buffer, | 3019 | read_buffer = (char *) xrealloc (read_buffer, |
| 3016 | read_buffer_size *= 2); | 3020 | read_buffer_size *= 2); |
| 3017 | p = read_buffer + offset; | 3021 | p = read_buffer + offset; |
| @@ -3039,6 +3043,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list) | |||
| 3039 | if (p == end) | 3043 | if (p == end) |
| 3040 | { | 3044 | { |
| 3041 | ptrdiff_t offset = p - read_buffer; | 3045 | ptrdiff_t offset = p - read_buffer; |
| 3046 | if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size) | ||
| 3047 | memory_full (SIZE_MAX); | ||
| 3042 | read_buffer = (char *) xrealloc (read_buffer, | 3048 | read_buffer = (char *) xrealloc (read_buffer, |
| 3043 | read_buffer_size *= 2); | 3049 | read_buffer_size *= 2); |
| 3044 | p = read_buffer + offset; | 3050 | p = read_buffer + offset; |