Fix bool vector length overflow

* src/alloc.c (make_clear_bool_vector): It’s now the caller’s responsibility to make sure the bool vector length is in range. Add an eassert to double-check this. This lets some locals be ptrdiff_t not EMACS_INT. (Fmake_bool_vector, Fbool_vector): Check that bool vector lengths are in range. * src/lisp.h (BOOL_VECTOR_LENGTH_MAX): New macro. (bool_vector_words, bool_vector_bytes): Avoid undefined behavior if size == EMACS_INT_MAX - (BITS_PER_BITS_WORD - 1). This is mostly theoretical but it’s easy to do it right. * src/lread.c (read_bool_vector): Use EMACS_INT, not just ptrdiff_t. Check that length doesn’t exceed BOOL_VECTOR_LENGTH_MAX. This fixes an unlikely integer overflow where the calculated size went negative.
author: Paul Eggert 2024-07-20 15:52:05 -0700
committer: Paul Eggert 2024-07-20 16:16:22 -0700
commit: 515e5ad0de133f0a3d501bd6290ccc51d8462955 (patch)
tree: 620ff4a699eab76b3bcb441b5507b87854f00097 /src/alloc.c
parent: 76497a01425e19a6c3a02c1e3031061fa0e7885b (diff)
download: emacs-515e5ad0de133f0a3d501bd6290ccc51d8462955.tar.gz
emacs-515e5ad0de133f0a3d501bd6290ccc51d8462955.zip
1 files changed, 10 insertions, 6 deletions
diff --git a/src/alloc.c b/src/alloc.c
index 41679b52707..48b170b866f 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -2413,14 +2413,13 @@ bool_vector_fill (Lisp_Object a, Lisp_Object init)
 Lisp_Object
 make_clear_bool_vector (EMACS_INT nbits, bool clearit)
 {
+  eassert (0 <= nbits && nbits <= BOOL_VECTOR_LENGTH_MAX);
  Lisp_Object val;
-  EMACS_INT words = bool_vector_words (nbits);
+  ptrdiff_t words = bool_vector_words (nbits);
-  EMACS_INT word_bytes = words * sizeof (bits_word);
+  ptrdiff_t word_bytes = words * sizeof (bits_word);
-  EMACS_INT needed_elements = ((bool_header_size - header_size + word_bytes
+  ptrdiff_t needed_elements = ((bool_header_size - header_size + word_bytes
                                + word_size - 1)
                               / word_size);
-  if (PTRDIFF_MAX < needed_elements)
-    memory_full (SIZE_MAX);
  struct Lisp_Bool_Vector *p
    = (struct Lisp_Bool_Vector *) allocate_clear_vector (needed_elements,
                                                         clearit);
@@ -2449,7 +2448,10 @@ LENGTH must be a number.  INIT matters only in whether it is t or nil.  */)
  (Lisp_Object length, Lisp_Object init)
 {
  CHECK_FIXNAT (length);
-  Lisp_Object val = make_clear_bool_vector (XFIXNAT (length), NILP (init));
+  EMACS_INT len = XFIXNAT (length);
+  if (BOOL_VECTOR_LENGTH_MAX < len)
+    memory_full (SIZE_MAX);
+  Lisp_Object val = make_clear_bool_vector (len, NILP (init));
  return NILP (init) ? val : bool_vector_fill (val, init);
 }
@@ -2459,6 +2461,8 @@ Allows any number of arguments, including zero.
 usage: (bool-vector &rest OBJECTS)  */)
  (ptrdiff_t nargs, Lisp_Object *args)
 {
+  if (BOOL_VECTOR_LENGTH_MAX < nargs)
+    memory_full (SIZE_MAX);
  Lisp_Object vector = make_clear_bool_vector (nargs, true);
  for (ptrdiff_t i = 0; i < nargs; i++)
    if (!NILP (args[i]))
author	Paul Eggert	2024-07-20 15:52:05 -0700
committer	Paul Eggert	2024-07-20 16:16:22 -0700
commit	515e5ad0de133f0a3d501bd6290ccc51d8462955 (patch)
tree	620ff4a699eab76b3bcb441b5507b87854f00097 /src/alloc.c
parent	76497a01425e19a6c3a02c1e3031061fa0e7885b (diff)
download	emacs-515e5ad0de133f0a3d501bd6290ccc51d8462955.tar.gz emacs-515e5ad0de133f0a3d501bd6290ccc51d8462955.zip