| author | Paul Eggert | 2011-07-28 13:28:33 -0700 |
|---|---|---|
| committer | Paul Eggert | 2011-07-28 13:28:33 -0700 |
| commit | 6e1fc4528b8dcb84ba7d173f6c350cfba5385634 (patch) | |
| tree | 26c7a743d214aa54860fb62a689ba311d7ffc646 /src/buffer.c | |
| parent | bc18e09ddf639fbd59e6d2ef238fdaf4e31fb6a3 (diff) | |
* buffer.c: Memory overflow fixes.
(overlays_at, overlays_in, record_overlay_string, overlay_strings):
Don't update size of array until after memory allocation succeeds,
because xmalloc/xrealloc may not return.
Diffstat (limited to 'src/buffer.c')
| -rw-r--r-- | src/buffer.c | 21 |
1 files changed, 9 insertions, 12 deletions
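--- a/src/buffer.c
+++ b/src/buffer.c
@@ -2572,9 +2572,9 @@ overlays_at (EMACS_INT pos, int extend, Lisp_Object **vec_ptr,
 memory_full (SIZE_MAX);
 /* Make it work with an initial len == 0. */
 len = len * 2 + 4;
-*len_ptr = len;
 vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
 *vec_ptr = vec;
+*len_ptr = len;
 }
 else
 inhibit_storing = 1;
@@ -2615,9 +2615,9 @@ overlays_at (EMACS_INT pos, int extend, Lisp_Object **vec_ptr,
 memory_full (SIZE_MAX);
 /* Make it work with an initial len == 0. */
 len = len * 2 + 4;
-*len_ptr = len;
 vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
 *vec_ptr = vec;
+*len_ptr = len;
 }
 else
 inhibit_storing = 1;
@@ -2712,9 +2712,9 @@ overlays_in (EMACS_INT beg, EMACS_INT end, int extend,
 memory_full (SIZE_MAX);
 /* Make it work with an initial len == 0. */
 len = len * 2 + 4;
-*len_ptr = len;
 vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
 *vec_ptr = vec;
+*len_ptr = len;
 }
 else
 inhibit_storing = 1;
@@ -2760,9 +2760,9 @@ overlays_in (EMACS_INT beg, EMACS_INT end, int extend,
 memory_full (SIZE_MAX);
 /* Make it work with an initial len == 0. */
 len = len * 2 + 4;
-*len_ptr = len;
 vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
 *vec_ptr = vec;
+*len_ptr = len;
 }
 else
 inhibit_storing = 1;
@@ -2978,15 +2978,12 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
 
 if (ssl->used == ssl->size)
 {
-if (min (PTRDIFF_MAX, SIZE_MAX) / (sizeof (struct sortstr) * 2)
-< ssl->size)
+ptrdiff_t ssl_size = 0 < ssl->size ? ssl->size * 2 : 5;
+if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (struct sortstr) < ssl_size)
 memory_full (SIZE_MAX);
-else if (0 < ssl->size)
-ssl->size *= 2;
-else
-ssl->size = 5;
 ssl->buf = ((struct sortstr *)
-xrealloc (ssl->buf, ssl->size * sizeof (struct sortstr)));
+xrealloc (ssl->buf, ssl_size * sizeof (struct sortstr)));
+ssl->size = ssl_size;
 }
 ssl->buf[ssl->used].string = str;
 ssl->buf[ssl->used].string2 = str2;
@@ -3111,9 +3108,9 @@ overlay_strings (EMACS_INT pos, struct window *w, unsigned char **pstr)
 
 if (total > overlay_str_len)
 {
-overlay_str_len = total;
 overlay_str_buf = (unsigned char *)xrealloc (overlay_str_buf,
 total);
+overlay_str_len = total;
 }
 p = overlay_str_buf;
 for (i = overlay_tails.used; --i >= 0;)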
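Review bot: In record_overlay_string the doubling `ssl->size * 2` is now evaluated before the size guard, so the guard no longer protects the multiplication itself. The new order appears to rely on `ssl->size` having been bounded by `min (PTRDIFF_MAX, SIZE_MAX) / sizeof (struct sortstr)` on an earlier pass through this branch; the declared type of `ssl->size` is not visible in the hunk, and if it is narrower than ptrdiff_t the product could overflow before it is widened into `ssl_size`. I would either keep the pre-multiplication test ahead of the declaration, `if (min (PTRDIFF_MAX, SIZE_MAX) / (sizeof (struct sortstr) * 2) < ssl->size) memory_full (SIZE_MAX);`, or state the invariant in a comment such as `/* ssl->size * 2 cannot overflow: ssl->size was bounded when ssl->buf was last allocated. */`. The function body starts and ends outside the hunk.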