diff options
| author | Paul Eggert | 2014-09-07 00:04:01 -0700 |
|---|---|---|
| committer | Paul Eggert | 2014-09-07 00:04:01 -0700 |
| commit | b3bf18b3b87ac8f00857b8bfc3f2c74cf0e2fb7d (patch) | |
| tree | cf138164e4f8887394f52cb22da594d1713da316 /src/coding.c | |
| parent | 930fb80f9e2815e599eb1de699668d42e305fa21 (diff) | |
| download | emacs-b3bf18b3b87ac8f00857b8bfc3f2c74cf0e2fb7d.tar.gz emacs-b3bf18b3b87ac8f00857b8bfc3f2c74cf0e2fb7d.zip | |
Use SAFE_ALLOCA etc. to avoid unbounded stack allocation.
This follows up on the recent thread in emacs-devel on alloca; see:
http://lists.gnu.org/archive/html/emacs-devel/2014-09/msg00042.html
This patch also cleans up alloca-related glitches noted while
examining the code looking for unbounded alloca.
* alloc.c (listn):
* callproc.c (init_callproc):
Rewrite to avoid need for alloca.
* buffer.c (mouse_face_overlay_overlaps)
(report_overlay_modification):
* buffer.h (GET_OVERLAYS_AT):
* coding.c (make_subsidiaries):
* doc.c (Fsnarf_documentation):
* editfns.c (Fuser_full_name):
* fileio.c (Ffile_name_directory, Fexpand_file_name)
(search_embedded_absfilename, Fsubstitute_in_file_name):
* fns.c (Fmake_hash_table):
* font.c (font_vconcat_entity_vectors, font_update_drivers):
* fontset.c (fontset_pattern_regexp, Ffontset_info):
* frame.c (Fmake_terminal_frame, x_set_frame_parameters)
(xrdb_get_resource, x_get_resource_string):
* ftfont.c (ftfont_get_charset, ftfont_check_otf, ftfont_drive_otf):
* ftxfont.c (ftxfont_draw):
* image.c (xbm_load, xpm_load, jpeg_load_body):
* keyboard.c (echo_add_key, menu_bar_items, tool_bar_items):
* keymap.c (Fdescribe_buffer_bindings, describe_map):
* lread.c (openp):
* menu.c (digest_single_submenu, find_and_call_menu_selection)
(find_and_return_menu_selection):
* print.c (PRINTFINISH):
* process.c (Fformat_network_address):
* scroll.c (do_scrolling, do_direct_scrolling, scrolling_1):
* search.c (search_buffer, Fmatch_data, Fregexp_quote):
* sound.c (wav_play, au_play):
* syntax.c (skip_chars):
* term.c (tty_menu_activate, tty_menu_show):
* textprop.c (get_char_property_and_overlay):
* window.c (Fset_window_configuration):
* xdisp.c (safe__call, next_overlay_change, vmessage)
(compute_overhangs_and_x, draw_glyphs, note_mouse_highlight):
* xfaces.c (face_at_buffer_position):
* xmenu.c (x_menu_show):
Use SAFE_ALLOCA etc. instead of plain alloca, since the
allocation size isn't bounded.
* callint.c (Fcall_interactively): Redo memory_full check
so that it can be done at compile-time on some platforms.
* coding.c (MAX_LOOKUP_MAX): New constant.
(get_translation_table): Use it.
* callproc.c (call_process): Use SAFE_NALLOCA instead of
SAFE_ALLOCA, to catch integer overflows on size calculation.
(exec_failed) [!DOS_NT]: New function.
(child_setup) [!DOS_NT]: Use it.
* editfns.c (Ftranspose_regions):
Hoist USE_SAFE_ALLOC + SAFE_FREE out of 'if'.
* editfns.c (check_translation):
Allocate larger buffers on the heap.
* eval.c (internal_lisp_condition_case):
Check for MAX_ALLOCA overflow.
* fns.c (sort_vector): Use SAFE_ALLOCA_LISP rather than Fmake_vector.
(Fbase64_encode_region, Fbase64_decode_region):
Avoid unnecessary calls to SAFE_FREE before 'error'.
* buffer.c (mouse_face_overlay_overlaps):
* editfns.c (Fget_pos_property, check_translation):
* eval.c (Ffuncall):
* font.c (font_unparse_xlfd, font_find_for_lface):
* ftfont.c (ftfont_drive_otf):
* keyboard.c (echo_add_key, read_decoded_event_from_main_queue)
(menu_bar_items, tool_bar_items):
* sound.c (Fplay_sound_internal):
* xdisp.c (load_overlay_strings, dump_glyph_row):
Use an ordinary auto buffer rather than alloca, since the
allocation size is fixed and small.
* ftfont.c: Include <c-strcase.h>.
(matching_prefix): New function.
(get_adstyle_property): Use it, to avoid need for alloca.
* keyboard.c (echo_add_key):
* keymap.c (describe_map): Use ptrdiff_t, not int.
* keyboard.c (echo_add_key): Prefer sizeof to strlen.
* keymap.c (Fdescribe_buffer_bindings): Use SBYTES, not SCHARS,
when counting bytes.
* lisp.h (xlispstrdupa): Remove, replacing with ...
(SAFE_ALLOCA_STRING): ... new macro with different API.
This fixes a portability problem, namely, alloca result
passed to another function. All uses changed.
(SAFE_ALLOCA, SAFE_ALLOCA_LISP): Check for MAX_ALLOCA,
not MAX_ALLOCA - 1.
* regex.c (REGEX_USE_SAFE_ALLOCA, REGEX_SAFE_FREE)
(REGEX_ALLOCATE): New macros.
(REGEX_REALLOCATE, REGEX_ALLOCATE_STACK, REGEX_REALLOCATE_STACK)
(REGEX_FREE_STACK, FREE_VARIABLES, re_match_2_internal):
Use them.
* xdisp.c (message3): Use SAFE_ALLOCA_STRING rather than doing it
by hand.
(decode_mode_spec_coding): Store directly into buf rather than
into an alloca temporary and copying the temporary to the buf.
Fixes: debbugs:18410
Diffstat (limited to 'src/coding.c')
| -rw-r--r-- | src/coding.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/src/coding.c b/src/coding.c index 8b620af8695..84b774b4355 100644 --- a/src/coding.c +++ b/src/coding.c | |||
| @@ -6867,6 +6867,11 @@ decode_eol (struct coding_system *coding) | |||
| 6867 | } | 6867 | } |
| 6868 | 6868 | ||
| 6869 | 6869 | ||
| 6870 | /* MAX_LOOKUP's maximum value. MAX_LOOKUP is an int and so cannot | ||
| 6871 | exceed INT_MAX. Also, MAX_LOOKUP is multiplied by sizeof (int) for | ||
| 6872 | alloca, so it cannot exceed MAX_ALLOCA / sizeof (int). */ | ||
| 6873 | enum { MAX_LOOKUP_MAX = min (INT_MAX, MAX_ALLOCA / sizeof (int)) }; | ||
| 6874 | |||
| 6870 | /* Return a translation table (or list of them) from coding system | 6875 | /* Return a translation table (or list of them) from coding system |
| 6871 | attribute vector ATTRS for encoding (if ENCODEP) or decoding (if | 6876 | attribute vector ATTRS for encoding (if ENCODEP) or decoding (if |
| 6872 | not ENCODEP). */ | 6877 | not ENCODEP). */ |
| @@ -6919,7 +6924,7 @@ get_translation_table (Lisp_Object attrs, bool encodep, int *max_lookup) | |||
| 6919 | { | 6924 | { |
| 6920 | val = XCHAR_TABLE (translation_table)->extras[1]; | 6925 | val = XCHAR_TABLE (translation_table)->extras[1]; |
| 6921 | if (NATNUMP (val) && *max_lookup < XFASTINT (val)) | 6926 | if (NATNUMP (val) && *max_lookup < XFASTINT (val)) |
| 6922 | *max_lookup = XFASTINT (val); | 6927 | *max_lookup = min (XFASTINT (val), MAX_LOOKUP_MAX); |
| 6923 | } | 6928 | } |
| 6924 | else if (CONSP (translation_table)) | 6929 | else if (CONSP (translation_table)) |
| 6925 | { | 6930 | { |
| @@ -6931,7 +6936,7 @@ get_translation_table (Lisp_Object attrs, bool encodep, int *max_lookup) | |||
| 6931 | { | 6936 | { |
| 6932 | Lisp_Object tailval = XCHAR_TABLE (XCAR (tail))->extras[1]; | 6937 | Lisp_Object tailval = XCHAR_TABLE (XCAR (tail))->extras[1]; |
| 6933 | if (NATNUMP (tailval) && *max_lookup < XFASTINT (tailval)) | 6938 | if (NATNUMP (tailval) && *max_lookup < XFASTINT (tailval)) |
| 6934 | *max_lookup = XFASTINT (tailval); | 6939 | *max_lookup = min (XFASTINT (tailval), MAX_LOOKUP_MAX); |
| 6935 | } | 6940 | } |
| 6936 | } | 6941 | } |
| 6937 | } | 6942 | } |
| @@ -10011,7 +10016,8 @@ make_subsidiaries (Lisp_Object base) | |||
| 10011 | { | 10016 | { |
| 10012 | Lisp_Object subsidiaries; | 10017 | Lisp_Object subsidiaries; |
| 10013 | ptrdiff_t base_name_len = SBYTES (SYMBOL_NAME (base)); | 10018 | ptrdiff_t base_name_len = SBYTES (SYMBOL_NAME (base)); |
| 10014 | char *buf = alloca (base_name_len + 6); | 10019 | USE_SAFE_ALLOCA; |
| 10020 | char *buf = SAFE_ALLOCA (base_name_len + 6); | ||
| 10015 | int i; | 10021 | int i; |
| 10016 | 10022 | ||
| 10017 | memcpy (buf, SDATA (SYMBOL_NAME (base)), base_name_len); | 10023 | memcpy (buf, SDATA (SYMBOL_NAME (base)), base_name_len); |
| @@ -10021,6 +10027,7 @@ make_subsidiaries (Lisp_Object base) | |||
| 10021 | strcpy (buf + base_name_len, suffixes[i]); | 10027 | strcpy (buf + base_name_len, suffixes[i]); |
| 10022 | ASET (subsidiaries, i, intern (buf)); | 10028 | ASET (subsidiaries, i, intern (buf)); |
| 10023 | } | 10029 | } |
| 10030 | SAFE_FREE (); | ||
| 10024 | return subsidiaries; | 10031 | return subsidiaries; |
| 10025 | } | 10032 | } |
| 10026 | 10033 | ||