* xselect.c: Integer and memory overflow issues.

(X_LONG_SIZE, X_USHRT_MAX, X_ULONG_MAX): New macros. Use them to make the following changes clearer. (MAX_SELECTION_QUANTUM): Make the other bounds on this value clearer. This change doesn't affect the value now, but it may help remind future maintainers not to raise the value too much later. (SELECTION_QUANTUM): Remove, replacing with ... (selection_quantum): ... new function, which avoids overflow. All uses changed. (struct selection_data.size): Now ptrdiff_t, not int, to avoid assumption that selection length fits in 'int'. (x_reply_selection_request, x_handle_selection_request) (x_get_window_property, receive_incremental_selection) (x_get_window_property_as_lisp_data, selection_data_to_lisp_data) (lisp_data_to_selection_data, clean_local_selection_data): Use ptrdiff_t, not int, to record length of selection. (x_reply_selection_request, x_get_window_property) (receive_incremental_selection, x_property_data_to_lisp): Redo calculations to avoid overflow. (x_reply_selection_request): When sending hint, ceiling it at X_ULONG_MAX rather than relying on wraparound overflow to send something. (x_get_window_property, receive_incremental_selection) (lisp_data_to_selection_data, x_property_data_to_lisp): Check for size-calculation overflow. (x_get_window_property, receive_incremental_selection) (lisp_data_to_selection_data, Fx_register_dnd_atom): Don't store size until memory allocation succeeds. (x_get_window_property): Plug memory leak on memory exhaustion. Don't double-block input; malloc is safe here. Don't assume 2**34 - 4 fits in unsigned long. Add an xassert to check XGetWindowProperty overflow. Be more careful about overflow calculations, and distinguish size from memory overflow better. (receive_incremental_selection): When tracing, don't assume unsigned int is less than INT_MAX. (x_selection_data_to_lisp_data): Remove unnecessary (and in theory harmful) conversions of unsigned short to int. (lisp_data_to_selection_data): Don't assume that integers in the range -65535 through -1 fit in an X unsigned short. Don't assume that ULONG_MAX == X_ULONG_MAX. Don't store into result parameters unless successful. Rely on cons_to_unsigned to report problems with elements; the old code wasn't right anyway. (x_check_property_data): Check for int overflow; we cannot use a wider type due to X limits. (x_handle_dnd_message): Use unsigned int, to avoid int overflow.
author: Paul Eggert 2011-07-28 22:08:30 -0700
committer: Paul Eggert 2011-07-28 22:08:30 -0700
commit: 864d7ce76d118b7bc157176a03a0a8a1b02fd989 (patch)
tree: 0b7a4cb6cb22ace9f19c313b3b966b3d56878791 /src/ChangeLog
parent: a3d9c2a4ce11ea001c9ac97c8a6fb9a4f9a1d1ac (diff)
download: emacs-864d7ce76d118b7bc157176a03a0a8a1b02fd989.tar.gz
emacs-864d7ce76d118b7bc157176a03a0a8a1b02fd989.zip
1 files changed, 46 insertions, 0 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 09ee5a8e4dc..f8e5ca78b33 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,51 @@
 2011-07-29  Paul Eggert  <eggert@cs.ucla.edu>
+        * xselect.c: Integer and memory overflow issues.
+        (X_LONG_SIZE, X_USHRT_MAX, X_ULONG_MAX): New macros.
+        Use them to make the following changes clearer.
+        (MAX_SELECTION_QUANTUM): Make the other bounds on this value clearer.
+        This change doesn't affect the value now, but it may help remind
+        future maintainers not to raise the value too much later.
+        (SELECTION_QUANTUM): Remove, replacing with ...
+        (selection_quantum): ... new function, which avoids overflow.
+        All uses changed.
+        (struct selection_data.size): Now ptrdiff_t, not int, to avoid
+        assumption that selection length fits in 'int'.
+        (x_reply_selection_request, x_handle_selection_request)
+        (x_get_window_property, receive_incremental_selection)
+        (x_get_window_property_as_lisp_data, selection_data_to_lisp_data)
+        (lisp_data_to_selection_data, clean_local_selection_data):
+        Use ptrdiff_t, not int, to record length of selection.
+        (x_reply_selection_request, x_get_window_property)
+        (receive_incremental_selection, x_property_data_to_lisp):
+        Redo calculations to avoid overflow.
+        (x_reply_selection_request): When sending hint, ceiling it at
+        X_ULONG_MAX rather than relying on wraparound overflow to send
+        something.
+        (x_get_window_property, receive_incremental_selection)
+        (lisp_data_to_selection_data, x_property_data_to_lisp):
+        Check for size-calculation overflow.
+        (x_get_window_property, receive_incremental_selection)
+        (lisp_data_to_selection_data, Fx_register_dnd_atom):
+        Don't store size until memory allocation succeeds.
+        (x_get_window_property): Plug memory leak on memory exhaustion.
+        Don't double-block input; malloc is safe here.  Don't assume 2**34
+        - 4 fits in unsigned long.  Add an xassert to check
+        XGetWindowProperty overflow.  Be more careful about overflow
+        calculations, and distinguish size from memory overflow better.
+        (receive_incremental_selection): When tracing, don't assume
+        unsigned int is less than INT_MAX.
+        (x_selection_data_to_lisp_data): Remove unnecessary (and in theory
+        harmful) conversions of unsigned short to int.
+        (lisp_data_to_selection_data): Don't assume that integers
+        in the range -65535 through -1 fit in an X unsigned short.
+        Don't assume that ULONG_MAX == X_ULONG_MAX.  Don't store into
+        result parameters unless successful.  Rely on cons_to_unsigned
+        to report problems with elements; the old code wasn't right anyway.
+        (x_check_property_data): Check for int overflow; we cannot use
+        a wider type due to X limits.
+        (x_handle_dnd_message): Use unsigned int, to avoid int overflow.
        * xrdb.c: Integer and memory overflow issues.
        (magic_file_p): Plug memory leak on size overflow.
        (get_environ_db): Don't assume path length fits in int,
author	Paul Eggert	2011-07-28 22:08:30 -0700
committer	Paul Eggert	2011-07-28 22:08:30 -0700
commit	864d7ce76d118b7bc157176a03a0a8a1b02fd989 (patch)
tree	0b7a4cb6cb22ace9f19c313b3b966b3d56878791 /src/ChangeLog
parent	a3d9c2a4ce11ea001c9ac97c8a6fb9a4f9a1d1ac (diff)
download	emacs-864d7ce76d118b7bc157176a03a0a8a1b02fd989.tar.gz emacs-864d7ce76d118b7bc157176a03a0a8a1b02fd989.zip

diff --git a/src/ChangeLog b/src/ChangeLog index 09ee5a8e4dc..f8e5ca78b33 100644 --- a/src/ChangeLog +++ b/src/ChangeLog
@@ -1,5 +1,51 @@
1	2011-07-29 Paul Eggert <eggert@cs.ucla.edu>	1	2011-07-29 Paul Eggert <eggert@cs.ucla.edu>
2		2
		3	* xselect.c: Integer and memory overflow issues.
		4	(X_LONG_SIZE, X_USHRT_MAX, X_ULONG_MAX): New macros.
		5	Use them to make the following changes clearer.
		6	(MAX_SELECTION_QUANTUM): Make the other bounds on this value clearer.
		7	This change doesn't affect the value now, but it may help remind
		8	future maintainers not to raise the value too much later.
		9	(SELECTION_QUANTUM): Remove, replacing with ...
		10	(selection_quantum): ... new function, which avoids overflow.
		11	All uses changed.
		12	(struct selection_data.size): Now ptrdiff_t, not int, to avoid
		13	assumption that selection length fits in 'int'.
		14	(x_reply_selection_request, x_handle_selection_request)
		15	(x_get_window_property, receive_incremental_selection)
		16	(x_get_window_property_as_lisp_data, selection_data_to_lisp_data)
		17	(lisp_data_to_selection_data, clean_local_selection_data):
		18	Use ptrdiff_t, not int, to record length of selection.
		19	(x_reply_selection_request, x_get_window_property)
		20	(receive_incremental_selection, x_property_data_to_lisp):
		21	Redo calculations to avoid overflow.
		22	(x_reply_selection_request): When sending hint, ceiling it at
		23	X_ULONG_MAX rather than relying on wraparound overflow to send
		24	something.
		25	(x_get_window_property, receive_incremental_selection)
		26	(lisp_data_to_selection_data, x_property_data_to_lisp):
		27	Check for size-calculation overflow.
		28	(x_get_window_property, receive_incremental_selection)
		29	(lisp_data_to_selection_data, Fx_register_dnd_atom):
		30	Don't store size until memory allocation succeeds.
		31	(x_get_window_property): Plug memory leak on memory exhaustion.
		32	Don't double-block input; malloc is safe here. Don't assume 2**34
		33	- 4 fits in unsigned long. Add an xassert to check
		34	XGetWindowProperty overflow. Be more careful about overflow
		35	calculations, and distinguish size from memory overflow better.
		36	(receive_incremental_selection): When tracing, don't assume
		37	unsigned int is less than INT_MAX.
		38	(x_selection_data_to_lisp_data): Remove unnecessary (and in theory
		39	harmful) conversions of unsigned short to int.
		40	(lisp_data_to_selection_data): Don't assume that integers
		41	in the range -65535 through -1 fit in an X unsigned short.
		42	Don't assume that ULONG_MAX == X_ULONG_MAX. Don't store into
		43	result parameters unless successful. Rely on cons_to_unsigned
		44	to report problems with elements; the old code wasn't right anyway.
		45	(x_check_property_data): Check for int overflow; we cannot use
		46	a wider type due to X limits.
		47	(x_handle_dnd_message): Use unsigned int, to avoid int overflow.
		48
3	* xrdb.c: Integer and memory overflow issues.	49	* xrdb.c: Integer and memory overflow issues.
4	(magic_file_p): Plug memory leak on size overflow.	50	(magic_file_p): Plug memory leak on size overflow.
5	(get_environ_db): Don't assume path length fits in int,	51	(get_environ_db): Don't assume path length fits in int,