| author | Paul Eggert | 2011-07-28 17:32:09 -0700 |
|---|---|---|
| committer | Paul Eggert | 2011-07-28 17:32:09 -0700 |
| commit | dbe2216bb632ae0bec0cb2c1b0e38454b9d3a753 (patch) | |
| tree | 87ef36d80ddd8b88ce4ffd1b0aeb75dd677acf48 | |
| parent | 34db673b3978bd88aea081882a70bdcdf53028a7 (diff) | |
* keymap.c: Integer overflow fixes.
(cmm_size, current_minor_maps): Use ptrdiff_t, not int, to count maps.
(current_minor_maps): Check for size calculation overflow.
* keymap.h: Change prototypes to match the above.
| -rw-r--r-- | src/ChangeLog | 5 | ||||
| -rw-r--r-- | src/keymap.c | 15 | ||||
| -rw-r--r-- | src/keymap.h | 2 |
3 files changed, 17 insertions, 5 deletions
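--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,10 @@
 2011-07-29 Paul Eggert <eggert@cs.ucla.edu>
 
+* keymap.c: Integer overflow fixes.
+(cmm_size, current_minor_maps): Use ptrdiff_t, not int, to count maps.
+(current_minor_maps): Check for size calculation overflow.
+* keymap.h: Change prototypes to match the above.
+
 * keyboard.c: Integer and memory overflow fixes.
 (read_char, menu_bar_items, tool_bar_items, read_char_x_menu_prompt)
 (read_char_minibuf_menu_width, read_char_minibuf_menu_prompt)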
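--- a/src/keymap.c
+++ b/src/keymap.c
@@ -1403,7 +1403,7 @@ silly_event_symbol_error (Lisp_Object c)
 some systems, static gets macro-defined to be the empty string.
 Ickypoo. */
 static Lisp_Object *cmm_modes = NULL, *cmm_maps = NULL;
-static int cmm_size = 0;
+static ptrdiff_t cmm_size = 0;
 
 /* Store a pointer to an array of the currently active minor modes in
 *modeptr, a pointer to an array of the keymaps of the currently
@@ -1423,10 +1423,10 @@ static int cmm_size = 0;
 loop. Instead, we'll use realloc/malloc and silently truncate the
 list, let the key sequence be read, and hope some other piece of
 code signals the error. */
-int
+ptrdiff_t
 current_minor_maps (Lisp_Object **modeptr, Lisp_Object **mapptr)
 {
-int i = 0;
+ptrdiff_t i = 0;
 int list_number = 0;
 Lisp_Object alist, assoc, var, val;
 Lisp_Object emulation_alists;
@@ -1469,9 +1469,16 @@ current_minor_maps (Lisp_Object **modeptr, Lisp_Object **mapptr)
 
 if (i >= cmm_size)
 {
-int newsize, allocsize;
+ptrdiff_t newsize, allocsize;
 Lisp_Object *newmodes, *newmaps;
 
+/* Check for size calculation overflow. Other code
+(e.g., read_key_sequence) adds 3 to the count
+later, so subtract 3 from the limit here. */
+if (min (PTRDIFF_MAX, SIZE_MAX) / (2 * sizeof *newmodes) - 3
+< cmm_size)
+break;
+
 newsize = cmm_size == 0 ? 30 : cmm_size * 2;
 allocsize = newsize * sizeof *newmodes;
 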
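Review bot: The literal `3` in the new guard `min (PTRDIFF_MAX, SIZE_MAX) / (2 * sizeof *newmodes) - 3 < cmm_size` encodes an assumption about read_key_sequence, which lives outside this file, so the margin silently stops being sufficient if that code ever adds more than three entries to the count. A named constant declared in keymap.h and used at both sites would keep the two in step; failing that, the comment could name the expression in read_key_sequence that the 3 corresponds to. The guard exits with `break`, so the list is truncated without any signal; that matches the comment above the function but is worth restating at the check, e.g. `/* On overflow, stop growing and return the maps collected so far.  */`. The rest of current_minor_maps, including the allocation that consumes `allocsize`, is outside the visible hunks.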
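--- a/src/keymap.h
+++ b/src/keymap.h
@@ -38,7 +38,7 @@ extern Lisp_Object get_keymap (Lisp_Object, int, int);
 EXFUN (Fset_keymap_parent, 2);
 extern int describe_map_tree (Lisp_Object, int, Lisp_Object, Lisp_Object,
 const char *, int, int, int, int);
-extern int current_minor_maps (Lisp_Object **, Lisp_Object **);
+extern ptrdiff_t current_minor_maps (Lisp_Object **, Lisp_Object **);
 extern void initial_define_key (Lisp_Object, int, const char *);
 extern void initial_define_lispy_key (Lisp_Object, const char *, const char *);
 extern void syms_of_keymap (void);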
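Review bot: Widening the return type of `current_minor_maps` to `ptrdiff_t` only removes the truncation if every caller also keeps the result in a `ptrdiff_t`. No call site is visible in this commit, so any caller that still assigns the result to an `int` would narrow the count again and could index the returned arrays with a wrapped value. It would help to state the contract next to the prototype, e.g. `/* Returns the number of maps stored; callers must hold it in a ptrdiff_t.  */`, and to confirm the call sites in keymap.c and keyboard.c were converted.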