Fix integer overflow in oversize vectors

* src/alloc.c (allocate_vector): Fix integer overflow when allocating very large vectors, by taking large_vector_offset into account. Assume C99.
author: Paul Eggert 2018-12-08 10:47:38 -0800
committer: Paul Eggert 2018-12-08 10:50:15 -0800
commit: a65c0929ebd6f1980fe0f493a7d623aac63a34bd (patch)
tree: 7eef34fdd9bc10e00b9d01017b6bc6c9f0f245ad /src/alloc.c
parent: 9b099ce56b0a5a952c096568c28b1007d321ee24 (diff)
download: emacs-a65c0929ebd6f1980fe0f493a7d623aac63a34bd.tar.gz
emacs-a65c0929ebd6f1980fe0f493a7d623aac63a34bd.zip
1 files changed, 4 insertions, 5 deletions
diff --git a/src/alloc.c b/src/alloc.c
index 596de3af85e..8eaa810e53a 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -3388,12 +3388,11 @@ allocate_vectorlike (ptrdiff_t len)
 struct Lisp_Vector *
 allocate_vector (EMACS_INT len)
 {
-  struct Lisp_Vector *v;
+  ptrdiff_t wordbytes_max = (min (PTRDIFF_MAX, SIZE_MAX)
-  ptrdiff_t nbytes_max = min (PTRDIFF_MAX, SIZE_MAX);
+                             - header_size - large_vector_offset);
+  if (min (wordbytes_max / word_size, MOST_POSITIVE_FIXNUM) < len)
-  if (min ((nbytes_max - header_size) / word_size, MOST_POSITIVE_FIXNUM) < len)
    memory_full (SIZE_MAX);
-  v = allocate_vectorlike (len);
+  struct Lisp_Vector *v = allocate_vectorlike (len);
  if (len)
    v->header.size = len;
  return v;
author	Paul Eggert	2018-12-08 10:47:38 -0800
committer	Paul Eggert	2018-12-08 10:50:15 -0800
commit	a65c0929ebd6f1980fe0f493a7d623aac63a34bd (patch)
tree	7eef34fdd9bc10e00b9d01017b6bc6c9f0f245ad /src/alloc.c
parent	9b099ce56b0a5a952c096568c28b1007d321ee24 (diff)
download	emacs-a65c0929ebd6f1980fe0f493a7d623aac63a34bd.tar.gz emacs-a65c0929ebd6f1980fe0f493a7d623aac63a34bd.zip

diff --git a/src/alloc.c b/src/alloc.c index 596de3af85e..8eaa810e53a 100644 --- a/src/alloc.c +++ b/src/alloc.c
@@ -3388,12 +3388,11 @@ allocate_vectorlike (ptrdiff_t len)
3388	struct Lisp_Vector *	3388	struct Lisp_Vector *
3389	allocate_vector (EMACS_INT len)	3389	allocate_vector (EMACS_INT len)
3390	{	3390	{
3391	struct Lisp_Vector *v;	3391	ptrdiff_t wordbytes_max = (min (PTRDIFF_MAX, SIZE_MAX)
3392	ptrdiff_t nbytes_max = min (PTRDIFF_MAX, SIZE_MAX);	3392	- header_size - large_vector_offset);
3393		3393	if (min (wordbytes_max / word_size, MOST_POSITIVE_FIXNUM) < len)
3394	if (min ((nbytes_max - header_size) / word_size, MOST_POSITIVE_FIXNUM) < len)
3395	memory_full (SIZE_MAX);	3394	memory_full (SIZE_MAX);
3396	v = allocate_vectorlike (len);	3395	struct Lisp_Vector *v = allocate_vectorlike (len);
3397	if (len)	3396	if (len)
3398	v->header.size = len;	3397	v->header.size = len;
3399	return v;	3398	return v;