Merge: Integer overflow and signedness fixes (Bug#8873).

A few related buffer overrun fixes, too.
author: Paul Eggert 2011-06-22 09:15:41 -0700
committer: Paul Eggert 2011-06-22 09:15:41 -0700
commit: 31fd4b3280acee4030efde84a0e23ae2b006ee31 (patch)
tree: 0b2245daf7e6f772cbaabf8916faeb34683bb390 /src/ChangeLog
parent: ddb7ffeeb8ace6501eb453f50f0f9f6852eda21f (diff)
parent: 510005210ac9f4d813c4a2cc99b2c3c11e57c055 (diff)
download: emacs-31fd4b3280acee4030efde84a0e23ae2b006ee31.tar.gz
emacs-31fd4b3280acee4030efde84a0e23ae2b006ee31.zip
1 files changed, 202 insertions, 0 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 571979ea132..051bcef6cf9 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,205 @@
+2011-06-22  Paul Eggert  <eggert@cs.ucla.edu>
+        Integer overflow and signedness fixes (Bug#8873).
+        A few related buffer overrun fixes, too.
+        * font.c (font_score): Use EMACS_INT, not int, to store XINT value.
+        * dispextern.h (struct face.stipple):
+        * image.c (x_bitmap_height, x_bitmap_width, x_bitmap_pixmap)
+        (x_bitmap_mask, x_allocate_bitmap_record)
+        (x_create_bitmap_from_data, x_create_bitmap_from_file)
+        (x_destroy_bitmap, x_destroy_all_bitmaps, x_create_bitmap_mask)
+        (x_create_bitmap_from_xpm_data):
+        * nsterm.h (struct ns_display_info.bitmaps_size, .bitmaps_last):
+        * w32term.h (struct w32_display_info.icon_bitmap_id, .bitmaps_size)
+        (.bitmaps_last):
+        * xfaces.c (load_pixmap):
+        * xterm.c (x_bitmap_icon, x_wm_set_icon_pixmap):
+        * xterm.h (struct x_display_info.icon_bitmap_id, .bitmaps_size)
+        (.bitmaps_last, struct x_output.icon_bitmap):
+        Use ptrdiff_t, not int, for bitmap indexes.
+        (x_allocate_bitmap_record): Check for size overflow.
+        * dispextern.h, lisp.h: Adjust to API changes elsewhere.
+        Use ptrdiff_t, not int, for overlay counts.
+        * buffer.h (overlays_at, sort_overlays, GET_OVERLAYS_AT):
+        * editfns.c (overlays_around, get_pos_property):
+        * textprop.c (get_char_property_and_overlay):
+        * xdisp.c (next_overlay_change, note_mouse_highlight):
+        * xfaces.c (face_at_buffer_position):
+        * buffer.c (OVERLAY_COUNT_MAX): New macro.
+        (overlays_at, overlays_in, sort_overlays, Foverlays_at)
+        (Fnext_overlay_change, Fprevious_overlay_change)
+        (mouse_face_overlay_overlaps, Foverlays_in):
+        Use ptrdiff_t, not int, for sizes.
+        (overlays_at, overlays_in): Check for size-calculation overflow.
+        * xterm.c (xim_initialize, same_x_server): Strlen may not fit in int.
+        * xsmfns.c (smc_save_yourself_CB, x_session_initialize): Avoid strlen.
+        (x_session_initialize): Do not assume string length fits in int.
+        * xsettings.c (apply_xft_settings): Fix potential buffer overrun.
+        This is unlikely, but can occur if DPI is outlandish.
+        * xsettings.c (Ffont_get_system_normal_font, Ffont_get_system_font):
+        * xselect.c (Fx_get_atom_name): Avoid need for strlen.
+        * xrdb.c: Don't assume strlen fits in int; avoid some strlens.
+        * xrdb.c (magic_file_p, search_magic_path):
+        Omit last arg SUFFIX; it was always 0.  All callers changed.
+        (magic_file_p): Use ptrdiff_t, not int.  Check for size overflow.
+        * xfont.c (xfont_match): Avoid need for strlen.
+        * xfns.c: Don't assume strlen fits in int.
+        (xic_create_fontsetname, x_window): Use ptrdiff_t, not int.
+        * xdisp.c (message_log_check_duplicate): Return intmax_t,
+        not unsigned long, as we prefer signed integers.  All callers changed.
+        Detect integer overflow in repeat count.
+        (message_dolog): Don't assume print length fits in 39 bytes.
+        (display_mode_element): Don't assume strlen fits in int.
+        * termcap.c: Don't assume sizes fit in int and never overflow.
+        (struct termcap_buffer, tgetent): Use ptrdiff_t, not int, for sizes.
+        (gobble_line): Check for size-calculation overflow.
+        * minibuf.c (Fread_buffer):
+        * lread.c (intern, intern_c_string):
+        * image.c (xpm_scan) [HAVE_NS && !HAVE_XPM]:
+        Don't assume string length fits in int.
+        * keyboard.c (parse_tool_bar_item):
+        * gtkutil.c (style_changed_cb): Avoid need for strlen.
+        * font.c: Don't assume string length fits in int.
+        (font_parse_xlfd, font_parse_fcname, font_unparse_fcname):
+        Use ptrdiff_t, not int.
+        (font_intern_prop): Don't assume string length fits in int.
+        Don't assume integer property fits in fixnum.
+        * font.h (font_intern_prop): 2nd arg is now ptrdiff_t, not int.
+        * filelock.c: Fix some buffer overrun and integer overflow issues.
+        (get_boot_time): Don't assume gzip command string fits in 100 bytes.
+        Reformulate so as not to need the command string.
+        Invoke gzip -cd rather than gunzip, as it's more portable.
+        (lock_info_type, lock_file_1, lock_file):
+        Don't assume pid_t and time_t fit in unsigned long.
+        (LOCK_PID_MAX): Remove; we now use more-reliable bounds.
+        (current_lock_owner): Prefer signed type for sizes.
+        Use memcpy, not strncpy, where memcpy is what is really wanted.
+        Don't assume (via atoi) that time_t and pid_t fit in int.
+        Check for time_t and/or pid_t out of range, e.g., via a network share.
+        Don't alloca where an auto var works fine.
+        * fileio.c: Fix some integer overflow issues.
+        (file_name_as_directory, Fexpand_file_name, Fsubstitute_in_file_name):
+        Don't assume string length fits in int.
+        (directory_file_name): Don't assume string length fits in long.
+        (make_temp_name): Don't assume pid fits in int, or that its print
+        length is less than 20.
+        * data.c (Fsubr_name): Rewrite to avoid a strlen call.
+        * coding.c (make_subsidiaries): Don't assume string length fits in int.
+        * callproc.c (child_setup): Rewrite to avoid two strlen calls.
+        * process.c (Fformat_network_address): Use EMACS_INT, not EMACS_UINT.
+        We prefer signed integers, even for size calculations.
+        * emacs.c: Don't assume string length fits in 'int'.
+        (DEFINE_DUMMY_FUNCTION, sort_args): Use ptrdiff_t, not int.
+        (main): Don't invoke strlen when not needed.
+        * dbusbind.c (XD_ERROR): Don't arbitrarily truncate string.
+        (XD_DEBUG_MESSAGE): Don't waste a byte.
+        * callproc.c (getenv_internal_1, getenv_internal)
+        (Fgetenv_internal):
+        * buffer.c (init_buffer): Don't assume string length fits in 'int'.
+        * lread.c (invalid_syntax): Omit length argument.
+        All uses changed.  This doesn't fix a bug, but it simplifies the
+        code away from its former Hollerith-constant appearance, and it's
+        one less 'int' to worry about when looking at integer-overflow issues.
+        (string_to_number): Simplify 2011-04-26 change by invoking xsignal1.
+        * lisp.h (DEFUN): Remove bogus use of sizeof (struct Lisp_Subr).
+        This didn't break anything, but it didn't help either.
+        It's confusing to put a bogus integer in a place where the actual
+        value does not matter.
+        (LIST_END_P): Remove unused macro and its bogus comment.
+        (make_fixnum_or_float): Remove unnecessary cast to EMACS_INT.
+        * lisp.h (union Lisp_Object.i): EMACS_INT, not EMACS_UINT.
+        This is for consistency with the ordinary, non-USE_LISP_UNION_TYPE,
+        implementation.
+        (struct Lisp_Bool_Vector.size): EMACS_INT, not EMACS_UINT.
+        We prefer signed types, and the value cannot exceed the EMACS_INT
+        range anyway (because otherwise the length would not be representable).
+        (XSET) [USE_LISP_UNION_TYPE]: Use uintptr_t and intptr_t,
+        not EMACS_UINT and EMACS_INT, when converting pointer to integer.
+        This avoids a GCC warning when WIDE_EMACS_INT.
+        * indent.c (sane_tab_width): New function.
+        (current_column, scan_for_column, Findent_to, position_indentation)
+        (compute_motion): Use it.  This is just for clarity.
+        (Fcompute_motion): Don't assume hscroll and tab offset fit in int.
+        * image.c (xbm_image_p): Don't assume stated width, height fit in int.
+        * lisp.h (lint_assume): New macro.
+        * composite.c (composition_gstring_put_cache):
+        * ftfont.c (ftfont_shape_by_flt): Use it to pacify GCC 4.6.0.
+        * editfns.c, insdel.c:
+        Omit unnecessary forward decls, to simplify future changes.
+        * ftfont.c (ftfont_shape_by_flt): Use signed integers for lengths.
+        * font.c (Ffont_shape_gstring): Don't assume glyph len fits in 'int'.
+        * fns.c (Ffillarray): Don't assume bool vector size fits in 'int'.
+        Use much-faster test for byte-length change.
+        Don't assume string byte-length fits in 'int'.
+        Check that character arg fits in 'int'.
+        (mapcar1): Declare byte as byte, for clarity.
+        * alloc.c (Fmake_bool_vector): Avoid unnecessary multiplication.
+        * fns.c (concat): Catch string overflow earlier.
+        Do not rely on integer wraparound.
+        * dispextern.h (struct it.overlay_strings_charpos)
+        (struct it.selective): Now EMACS_INT, not int.
+        * xdisp.c (forward_to_next_line_start)
+        (back_to_previous_visible_line_start)
+        (reseat_at_next_visible_line_start, next_element_from_buffer):
+        Don't arbitrarily truncate the value of 'selective' to int.
+        * xdisp.c (init_iterator): Use XINT, not XFASTINT; it might be < 0.
+        * composite.c: Don't truncate sizes to 'int'.
+        (composition_gstring_p, composition_reseat_it)
+        (composition_adjust_point): Use EMACS_INT, not int.
+        (get_composition_id, composition_gstring_put_cache): Use EMACS_INT,
+        not EMACS_UINT, for indexes.
+        * category.h (CATEGORY_SET_P): Remove unnecessary cast to EMACS_INT.
+        * buffer.c: Include <verify.h>.
+        (struct sortvec.priority, struct sortstr.priority):
+        Now EMACS_INT, not int.
+        (compare_overlays, cmp_for_strings): Avoid subtraction overflow.
+        (struct sortstr.size, record_overlay_string)
+        (struct sortstrlist.size, struct sortlist.used):
+        Don't truncate size to int.
+        (record_overlay_string): Check for size-calculation overflow.
+        (init_buffer_once): Check at compile-time, not run-time.
 2011-06-22  Jim Meyering  <meyering@redhat.com>
        don't leak an XBM-image-sized buffer
author	Paul Eggert	2011-06-22 09:15:41 -0700
committer	Paul Eggert	2011-06-22 09:15:41 -0700
commit	31fd4b3280acee4030efde84a0e23ae2b006ee31 (patch)
tree	0b2245daf7e6f772cbaabf8916faeb34683bb390 /src/ChangeLog
parent	ddb7ffeeb8ace6501eb453f50f0f9f6852eda21f (diff)
parent	510005210ac9f4d813c4a2cc99b2c3c11e57c055 (diff)
download	emacs-31fd4b3280acee4030efde84a0e23ae2b006ee31.tar.gz emacs-31fd4b3280acee4030efde84a0e23ae2b006ee31.zip

diff --git a/src/ChangeLog b/src/ChangeLog index 571979ea132..051bcef6cf9 100644 --- a/src/ChangeLog +++ b/src/ChangeLog
@@ -1,3 +1,205 @@
		1	2011-06-22 Paul Eggert <eggert@cs.ucla.edu>
		2
		3	Integer overflow and signedness fixes (Bug#8873).
		4	A few related buffer overrun fixes, too.
		5
		6	* font.c (font_score): Use EMACS_INT, not int, to store XINT value.
		7
		8	* dispextern.h (struct face.stipple):
		9	* image.c (x_bitmap_height, x_bitmap_width, x_bitmap_pixmap)
		10	(x_bitmap_mask, x_allocate_bitmap_record)
		11	(x_create_bitmap_from_data, x_create_bitmap_from_file)
		12	(x_destroy_bitmap, x_destroy_all_bitmaps, x_create_bitmap_mask)
		13	(x_create_bitmap_from_xpm_data):
		14	* nsterm.h (struct ns_display_info.bitmaps_size, .bitmaps_last):
		15	* w32term.h (struct w32_display_info.icon_bitmap_id, .bitmaps_size)
		16	(.bitmaps_last):
		17	* xfaces.c (load_pixmap):
		18	* xterm.c (x_bitmap_icon, x_wm_set_icon_pixmap):
		19	* xterm.h (struct x_display_info.icon_bitmap_id, .bitmaps_size)
		20	(.bitmaps_last, struct x_output.icon_bitmap):
		21	Use ptrdiff_t, not int, for bitmap indexes.
		22	(x_allocate_bitmap_record): Check for size overflow.
		23	* dispextern.h, lisp.h: Adjust to API changes elsewhere.
		24
		25	Use ptrdiff_t, not int, for overlay counts.
		26	* buffer.h (overlays_at, sort_overlays, GET_OVERLAYS_AT):
		27	* editfns.c (overlays_around, get_pos_property):
		28	* textprop.c (get_char_property_and_overlay):
		29	* xdisp.c (next_overlay_change, note_mouse_highlight):
		30	* xfaces.c (face_at_buffer_position):
		31	* buffer.c (OVERLAY_COUNT_MAX): New macro.
		32	(overlays_at, overlays_in, sort_overlays, Foverlays_at)
		33	(Fnext_overlay_change, Fprevious_overlay_change)
		34	(mouse_face_overlay_overlaps, Foverlays_in):
		35	Use ptrdiff_t, not int, for sizes.
		36	(overlays_at, overlays_in): Check for size-calculation overflow.
		37
		38	* xterm.c (xim_initialize, same_x_server): Strlen may not fit in int.
		39
		40	* xsmfns.c (smc_save_yourself_CB, x_session_initialize): Avoid strlen.
		41	(x_session_initialize): Do not assume string length fits in int.
		42
		43	* xsettings.c (apply_xft_settings): Fix potential buffer overrun.
		44	This is unlikely, but can occur if DPI is outlandish.
		45
		46	* xsettings.c (Ffont_get_system_normal_font, Ffont_get_system_font):
		47	* xselect.c (Fx_get_atom_name): Avoid need for strlen.
		48
		49	* xrdb.c: Don't assume strlen fits in int; avoid some strlens.
		50	* xrdb.c (magic_file_p, search_magic_path):
		51	Omit last arg SUFFIX; it was always 0. All callers changed.
		52	(magic_file_p): Use ptrdiff_t, not int. Check for size overflow.
		53
		54	* xfont.c (xfont_match): Avoid need for strlen.
		55
		56	* xfns.c: Don't assume strlen fits in int.
		57	(xic_create_fontsetname, x_window): Use ptrdiff_t, not int.
		58
		59	* xdisp.c (message_log_check_duplicate): Return intmax_t,
		60	not unsigned long, as we prefer signed integers. All callers changed.
		61	Detect integer overflow in repeat count.
		62	(message_dolog): Don't assume print length fits in 39 bytes.
		63	(display_mode_element): Don't assume strlen fits in int.
		64
		65	* termcap.c: Don't assume sizes fit in int and never overflow.
		66	(struct termcap_buffer, tgetent): Use ptrdiff_t, not int, for sizes.
		67	(gobble_line): Check for size-calculation overflow.
		68
		69	* minibuf.c (Fread_buffer):
		70	* lread.c (intern, intern_c_string):
		71	* image.c (xpm_scan) [HAVE_NS && !HAVE_XPM]:
		72	Don't assume string length fits in int.
		73
		74	* keyboard.c (parse_tool_bar_item):
		75	* gtkutil.c (style_changed_cb): Avoid need for strlen.
		76
		77	* font.c: Don't assume string length fits in int.
		78	(font_parse_xlfd, font_parse_fcname, font_unparse_fcname):
		79	Use ptrdiff_t, not int.
		80	(font_intern_prop): Don't assume string length fits in int.
		81	Don't assume integer property fits in fixnum.
		82	* font.h (font_intern_prop): 2nd arg is now ptrdiff_t, not int.
		83
		84	* filelock.c: Fix some buffer overrun and integer overflow issues.
		85	(get_boot_time): Don't assume gzip command string fits in 100 bytes.
		86	Reformulate so as not to need the command string.
		87	Invoke gzip -cd rather than gunzip, as it's more portable.
		88	(lock_info_type, lock_file_1, lock_file):
		89	Don't assume pid_t and time_t fit in unsigned long.
		90	(LOCK_PID_MAX): Remove; we now use more-reliable bounds.
		91	(current_lock_owner): Prefer signed type for sizes.
		92	Use memcpy, not strncpy, where memcpy is what is really wanted.
		93	Don't assume (via atoi) that time_t and pid_t fit in int.
		94	Check for time_t and/or pid_t out of range, e.g., via a network share.
		95	Don't alloca where an auto var works fine.
		96
		97	* fileio.c: Fix some integer overflow issues.
		98	(file_name_as_directory, Fexpand_file_name, Fsubstitute_in_file_name):
		99	Don't assume string length fits in int.
		100	(directory_file_name): Don't assume string length fits in long.
		101	(make_temp_name): Don't assume pid fits in int, or that its print
		102	length is less than 20.
		103
		104	* data.c (Fsubr_name): Rewrite to avoid a strlen call.
		105
		106	* coding.c (make_subsidiaries): Don't assume string length fits in int.
		107
		108	* callproc.c (child_setup): Rewrite to avoid two strlen calls.
		109
		110	* process.c (Fformat_network_address): Use EMACS_INT, not EMACS_UINT.
		111	We prefer signed integers, even for size calculations.
		112
		113	* emacs.c: Don't assume string length fits in 'int'.
		114	(DEFINE_DUMMY_FUNCTION, sort_args): Use ptrdiff_t, not int.
		115	(main): Don't invoke strlen when not needed.
		116
		117	* dbusbind.c (XD_ERROR): Don't arbitrarily truncate string.
		118	(XD_DEBUG_MESSAGE): Don't waste a byte.
		119
		120	* callproc.c (getenv_internal_1, getenv_internal)
		121	(Fgetenv_internal):
		122	* buffer.c (init_buffer): Don't assume string length fits in 'int'.
		123
		124	* lread.c (invalid_syntax): Omit length argument.
		125	All uses changed. This doesn't fix a bug, but it simplifies the
		126	code away from its former Hollerith-constant appearance, and it's
		127	one less 'int' to worry about when looking at integer-overflow issues.
		128	(string_to_number): Simplify 2011-04-26 change by invoking xsignal1.
		129
		130	* lisp.h (DEFUN): Remove bogus use of sizeof (struct Lisp_Subr).
		131	This didn't break anything, but it didn't help either.
		132	It's confusing to put a bogus integer in a place where the actual
		133	value does not matter.
		134	(LIST_END_P): Remove unused macro and its bogus comment.
		135	(make_fixnum_or_float): Remove unnecessary cast to EMACS_INT.
		136
		137	* lisp.h (union Lisp_Object.i): EMACS_INT, not EMACS_UINT.
		138	This is for consistency with the ordinary, non-USE_LISP_UNION_TYPE,
		139	implementation.
		140	(struct Lisp_Bool_Vector.size): EMACS_INT, not EMACS_UINT.
		141	We prefer signed types, and the value cannot exceed the EMACS_INT
		142	range anyway (because otherwise the length would not be representable).
		143	(XSET) [USE_LISP_UNION_TYPE]: Use uintptr_t and intptr_t,
		144	not EMACS_UINT and EMACS_INT, when converting pointer to integer.
		145	This avoids a GCC warning when WIDE_EMACS_INT.
		146
		147	* indent.c (sane_tab_width): New function.
		148	(current_column, scan_for_column, Findent_to, position_indentation)
		149	(compute_motion): Use it. This is just for clarity.
		150	(Fcompute_motion): Don't assume hscroll and tab offset fit in int.
		151
		152	* image.c (xbm_image_p): Don't assume stated width, height fit in int.
		153
		154	* lisp.h (lint_assume): New macro.
		155	* composite.c (composition_gstring_put_cache):
		156	* ftfont.c (ftfont_shape_by_flt): Use it to pacify GCC 4.6.0.
		157
		158	* editfns.c, insdel.c:
		159	Omit unnecessary forward decls, to simplify future changes.
		160
		161	* ftfont.c (ftfont_shape_by_flt): Use signed integers for lengths.
		162
		163	* font.c (Ffont_shape_gstring): Don't assume glyph len fits in 'int'.
		164
		165	* fns.c (Ffillarray): Don't assume bool vector size fits in 'int'.
		166	Use much-faster test for byte-length change.
		167	Don't assume string byte-length fits in 'int'.
		168	Check that character arg fits in 'int'.
		169	(mapcar1): Declare byte as byte, for clarity.
		170
		171	* alloc.c (Fmake_bool_vector): Avoid unnecessary multiplication.
		172
		173	* fns.c (concat): Catch string overflow earlier.
		174	Do not rely on integer wraparound.
		175
		176	* dispextern.h (struct it.overlay_strings_charpos)
		177	(struct it.selective): Now EMACS_INT, not int.
		178	* xdisp.c (forward_to_next_line_start)
		179	(back_to_previous_visible_line_start)
		180	(reseat_at_next_visible_line_start, next_element_from_buffer):
		181	Don't arbitrarily truncate the value of 'selective' to int.
		182
		183	* xdisp.c (init_iterator): Use XINT, not XFASTINT; it might be < 0.
		184
		185	* composite.c: Don't truncate sizes to 'int'.
		186	(composition_gstring_p, composition_reseat_it)
		187	(composition_adjust_point): Use EMACS_INT, not int.
		188	(get_composition_id, composition_gstring_put_cache): Use EMACS_INT,
		189	not EMACS_UINT, for indexes.
		190
		191	* category.h (CATEGORY_SET_P): Remove unnecessary cast to EMACS_INT.
		192
		193	* buffer.c: Include <verify.h>.
		194	(struct sortvec.priority, struct sortstr.priority):
		195	Now EMACS_INT, not int.
		196	(compare_overlays, cmp_for_strings): Avoid subtraction overflow.
		197	(struct sortstr.size, record_overlay_string)
		198	(struct sortstrlist.size, struct sortlist.used):
		199	Don't truncate size to int.
		200	(record_overlay_string): Check for size-calculation overflow.
		201	(init_buffer_once): Check at compile-time, not run-time.
		202
1	2011-06-22 Jim Meyering <meyering@redhat.com>	203	2011-06-22 Jim Meyering <meyering@redhat.com>
2		204
3	don't leak an XBM-image-sized buffer	205	don't leak an XBM-image-sized buffer