Integer and memory overflow fixes for display code.

* dispextern.h (struct glyph_pool.nglyphs): Now ptrdiff_t, not int.
* dispnew.c (adjust_glyph_matrix, realloc_glyph_pool, scrolling_window):
Check for overflow in size calculations.
(line_draw_cost, realloc_glyph_pool, add_row_entry):
Don't assume glyph table len fits in int.
(struct row_entry.bucket, row_entry_pool_size, row_entry_idx)
(row_table_size): Now ptrdiff_t, not int.
(scrolling_window): Avoid overflow in size calculations.
Don't update size until allocation succeeds.
* fns.c (concat): Check for overflow in size calculations.
(next_almost_prime): Verify NEXT_ALMOST_PRIME_LIMIT.
* lisp.h (RANGED_INTEGERP, TYPE_RANGED_INTEGERP): New macros.
(NEXT_ALMOST_PRIME_LIMIT): New constant.

1 files changed, 9 insertions, 2 deletions

diff --git a/src/fns.c b/src/fns.c
index fdaffe947ac..e5538d6acbc 100644
--- a/src/fns.c
+++ b/src/fns.c
@@ -602,7 +602,12 @@ concat (ptrdiff_t nargs, Lisp_Object *args,
 
   prev = Qnil;
   if (STRINGP (val))
-    SAFE_ALLOCA (textprops, struct textprop_rec *, sizeof (struct textprop_rec) * nargs);
+    {
+      if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *textprops < nargs)
+        memory_full (SIZE_MAX);
+      SAFE_ALLOCA (textprops, struct textprop_rec *,
+                   sizeof *textprops * nargs);
+    }
 
   for (argnum = 0; argnum < nargs; argnum++)
     {
@@ -3395,11 +3400,13 @@ check_hash_table (Lisp_Object obj)
 
 
 /* Value is the next integer I >= N, N >= 0 which is "almost" a prime
-   number.  */
+   number.  A number is "almost" a prime number if it is not divisible
+   by any integer in the range 2 .. (NEXT_ALMOST_PRIME_LIMIT - 1).  */
 
 EMACS_INT
 next_almost_prime (EMACS_INT n)
 {
+  verify (NEXT_ALMOST_PRIME_LIMIT == 11);
   for (n |= 1; ; n += 2)
     if (n % 3 != 0 && n % 5 != 0 && n % 7 != 0)
       return n;