Merge: Integer overflow fixes.

author: Paul Eggert 2011-05-27 12:37:32 -0700
committer: Paul Eggert 2011-05-27 12:37:32 -0700
commit: 0f6990a78ae5016d8ae73253cdb4739adf0197e7 (patch)
tree: 78c7860e14d7cf6bc73526174493a02e606dfc13 /src/ChangeLog
parent: fb1ac845caea7da6ba98b93c3d67fa67c651b8ef (diff)
parent: b57f7e0a357aacf98ec5be826f7227f37e9806b8 (diff)
download: emacs-0f6990a78ae5016d8ae73253cdb4739adf0197e7.tar.gz
emacs-0f6990a78ae5016d8ae73253cdb4739adf0197e7.zip
1 files changed, 82 insertions, 0 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 1ffeba88607..d45543c8d36 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,87 @@
 2011-05-27  Paul Eggert  <eggert@cs.ucla.edu>
+        Integer overflow fixes.
+        * dbusbind.c: Serial number integer overflow fixes.
+        (CHECK_DBUS_SERIAL_GET_SERIAL): New macro.
+        (Fdbus_call_method_asynchronously, xd_read_message_1): Use a float
+        to hold a serial number that is too large for a fixnum.
+        (Fdbus_method_return_internal, Fdbus_method_error_internal):
+        Check for serial numbers out of range.  Decode any serial number
+        that was so large that it became a float.  (Bug#8722)
+        * dbusbind.c: Use XFASTINT rather than XUINT, and check for nonneg.
+        (Fdbus_call_method, Fdbus_call_method_asynchronously):
+        Use XFASTINT rather than XUINT when numbers are nonnegative.
+        (xd_append_arg, Fdbus_method_return_internal):
+        (Fdbus_method_error_internal): Likewise.  Also, for unsigned
+        arguments, check that Lisp number is nonnegative, rather than
+        silently wrapping negative numbers around.  (Bug#8722)
+        (xd_read_message_1): Don't assume dbus_uint32_t can fit in int.
+        (Bug#8722)
+        * data.c (arith_driver, Flsh): Avoid unnecessary casts to EMACS_UINT.
+        * ccl.c (ccl_driver): Redo slightly to avoid the need for 'unsigned'.
+        ccl: add integer overflow checks
+        * ccl.c (CCL_CODE_MAX, GET_CCL_RANGE, GET_CCL_CODE, GET_CCL_INT):
+        (IN_INT_RANGE): New macros.
+        (ccl_driver): Use them to check for integer overflow when
+        decoding a CCL program.  Many of the new checks are whether XINT (x)
+        fits in int; it doesn't always, on 64-bit hosts.  The new version
+        doesn't catch all possible integer overflows, but it's an
+        improvement.  (Bug#8719)
+        * alloc.c (make_event_array): Use XINT, not XUINT.
+        There's no need for unsigned here.
+        * mem-limits.h (EXCEEDS_LISP_PTR) [!USE_LSB_TAG]: EMACS_UINT -> uintptr_t
+        This follows up to the 2011-05-06 change that substituted uintptr_t
+        for EMACS_INT.  This case wasn't caught back then.
+        Rework Fformat to avoid integer overflow issues.
+        * editfns.c: Include <float.h> unconditionally, as it's everywhere
+        now (part of C89).  Include <verify.h>.
+        (MAX_10_EXP, CONVERTED_BYTE_SIZE): Remove; no longer needed.
+        (pWIDE, pWIDElen, signed_wide, unsigned_wide): New defns.
+        (Fformat): Avoid the prepass trying to compute sizes; it was only
+        approximate and thus did not catch overflow reliably.  Instead, walk
+        through the format just once, formatting and computing sizes as we go,
+        checking for integer overflow at every step, and allocating a larger
+        buffer as needed.  Keep track separately whether the format is
+        multibyte.  Keep only the most-recently calculated precision, rather
+        than them all.  Record whether each argument has been converted to
+        string.  Use EMACS_INT, not int, for byte and char and arg counts.
+        Support field widths and precisions larger than INT_MAX.  Avoid
+        sprintf's undefined behavior with conversion specifications such as %#d
+        and %.0c.  Fix bug with strchr succeeding on '\0' when looking for
+        flags.  Fix bug with (format "%c" 256.0).  Avoid integer overflow when
+        formatting out-of-range floating point numbers with int
+        formats. (Bug#8668)
+        * lisp.h (FIXNUM_OVERFLOW_P): Work even if arg is a NaN.
+        * data.c: Avoid integer truncation in expressions involving floats.
+        * data.c: Include <intprops.h>.
+        (arith_driver): When there's an integer overflow in an expression
+        involving floating point, convert the integers to floating point
+        so that the resulting value does not suffer from catastrophic
+        integer truncation.  For example, on a 64-bit host (* 4
+        most-negative-fixnum 0.5) should yield about -4.6e+18, not zero.
+        Do not rely on undefined behavior after integer overflow.
+        merge count_size_as_multibyte, parse_str_to_multibyte
+        * character.c, character.h (count_size_as_multibyte):
+        Renamed from parse_str_to_multibyte; all uses changed.
+        Check for integer overflow.
+        * insdel.c, lisp.h (count_size_as_multibyte): Remove,
+        since it's now a duplicate of the other.  This is more of
+        a character than a buffer op, so better that it's in character.c.
+        * fns.c, print.c: Adjust to above changes.
+2011-05-27  Paul Eggert  <eggert@cs.ucla.edu>
        * xselect.c: Fix minor problems prompted by GCC 4.6.0 warnings.
        (x_handle_selection_request, frame_for_x_selection): Remove unused vars.
        (x_clipboard_manager_save): Now static.
author	Paul Eggert	2011-05-27 12:37:32 -0700
committer	Paul Eggert	2011-05-27 12:37:32 -0700
commit	0f6990a78ae5016d8ae73253cdb4739adf0197e7 (patch)
tree	78c7860e14d7cf6bc73526174493a02e606dfc13 /src/ChangeLog
parent	fb1ac845caea7da6ba98b93c3d67fa67c651b8ef (diff)
parent	b57f7e0a357aacf98ec5be826f7227f37e9806b8 (diff)
download	emacs-0f6990a78ae5016d8ae73253cdb4739adf0197e7.tar.gz emacs-0f6990a78ae5016d8ae73253cdb4739adf0197e7.zip

diff --git a/src/ChangeLog b/src/ChangeLog index 1ffeba88607..d45543c8d36 100644 --- a/src/ChangeLog +++ b/src/ChangeLog
@@ -1,5 +1,87 @@
1	2011-05-27 Paul Eggert <eggert@cs.ucla.edu>	1	2011-05-27 Paul Eggert <eggert@cs.ucla.edu>
2		2
		3	Integer overflow fixes.
		4
		5	* dbusbind.c: Serial number integer overflow fixes.
		6	(CHECK_DBUS_SERIAL_GET_SERIAL): New macro.
		7	(Fdbus_call_method_asynchronously, xd_read_message_1): Use a float
		8	to hold a serial number that is too large for a fixnum.
		9	(Fdbus_method_return_internal, Fdbus_method_error_internal):
		10	Check for serial numbers out of range. Decode any serial number
		11	that was so large that it became a float. (Bug#8722)
		12
		13	* dbusbind.c: Use XFASTINT rather than XUINT, and check for nonneg.
		14	(Fdbus_call_method, Fdbus_call_method_asynchronously):
		15	Use XFASTINT rather than XUINT when numbers are nonnegative.
		16	(xd_append_arg, Fdbus_method_return_internal):
		17	(Fdbus_method_error_internal): Likewise. Also, for unsigned
		18	arguments, check that Lisp number is nonnegative, rather than
		19	silently wrapping negative numbers around. (Bug#8722)
		20	(xd_read_message_1): Don't assume dbus_uint32_t can fit in int.
		21	(Bug#8722)
		22
		23	* data.c (arith_driver, Flsh): Avoid unnecessary casts to EMACS_UINT.
		24
		25	* ccl.c (ccl_driver): Redo slightly to avoid the need for 'unsigned'.
		26
		27	ccl: add integer overflow checks
		28	* ccl.c (CCL_CODE_MAX, GET_CCL_RANGE, GET_CCL_CODE, GET_CCL_INT):
		29	(IN_INT_RANGE): New macros.
		30	(ccl_driver): Use them to check for integer overflow when
		31	decoding a CCL program. Many of the new checks are whether XINT (x)
		32	fits in int; it doesn't always, on 64-bit hosts. The new version
		33	doesn't catch all possible integer overflows, but it's an
		34	improvement. (Bug#8719)
		35
		36	* alloc.c (make_event_array): Use XINT, not XUINT.
		37	There's no need for unsigned here.
		38
		39	* mem-limits.h (EXCEEDS_LISP_PTR) [!USE_LSB_TAG]: EMACS_UINT -> uintptr_t
		40	This follows up to the 2011-05-06 change that substituted uintptr_t
		41	for EMACS_INT. This case wasn't caught back then.
		42
		43	Rework Fformat to avoid integer overflow issues.
		44	* editfns.c: Include <float.h> unconditionally, as it's everywhere
		45	now (part of C89). Include <verify.h>.
		46	(MAX_10_EXP, CONVERTED_BYTE_SIZE): Remove; no longer needed.
		47	(pWIDE, pWIDElen, signed_wide, unsigned_wide): New defns.
		48	(Fformat): Avoid the prepass trying to compute sizes; it was only
		49	approximate and thus did not catch overflow reliably. Instead, walk
		50	through the format just once, formatting and computing sizes as we go,
		51	checking for integer overflow at every step, and allocating a larger
		52	buffer as needed. Keep track separately whether the format is
		53	multibyte. Keep only the most-recently calculated precision, rather
		54	than them all. Record whether each argument has been converted to
		55	string. Use EMACS_INT, not int, for byte and char and arg counts.
		56	Support field widths and precisions larger than INT_MAX. Avoid
		57	sprintf's undefined behavior with conversion specifications such as %#d
		58	and %.0c. Fix bug with strchr succeeding on '\0' when looking for
		59	flags. Fix bug with (format "%c" 256.0). Avoid integer overflow when
		60	formatting out-of-range floating point numbers with int
		61	formats. (Bug#8668)
		62
		63	* lisp.h (FIXNUM_OVERFLOW_P): Work even if arg is a NaN.
		64
		65	* data.c: Avoid integer truncation in expressions involving floats.
		66	* data.c: Include <intprops.h>.
		67	(arith_driver): When there's an integer overflow in an expression
		68	involving floating point, convert the integers to floating point
		69	so that the resulting value does not suffer from catastrophic
		70	integer truncation. For example, on a 64-bit host (* 4
		71	most-negative-fixnum 0.5) should yield about -4.6e+18, not zero.
		72	Do not rely on undefined behavior after integer overflow.
		73
		74	merge count_size_as_multibyte, parse_str_to_multibyte
		75	* character.c, character.h (count_size_as_multibyte):
		76	Renamed from parse_str_to_multibyte; all uses changed.
		77	Check for integer overflow.
		78	* insdel.c, lisp.h (count_size_as_multibyte): Remove,
		79	since it's now a duplicate of the other. This is more of
		80	a character than a buffer op, so better that it's in character.c.
		81	* fns.c, print.c: Adjust to above changes.
		82
		83	2011-05-27 Paul Eggert <eggert@cs.ucla.edu>
		84
3	* xselect.c: Fix minor problems prompted by GCC 4.6.0 warnings.	85	* xselect.c: Fix minor problems prompted by GCC 4.6.0 warnings.
4	(x_handle_selection_request, frame_for_x_selection): Remove unused vars.	86	(x_handle_selection_request, frame_for_x_selection): Remove unused vars.
5	(x_clipboard_manager_save): Now static.	87	(x_clipboard_manager_save): Now static.