Use SAFE_ALLOCA etc. to avoid unbounded stack allocation.

This follows up on the recent thread in emacs-devel on alloca; see:
http://lists.gnu.org/archive/html/emacs-devel/2014-09/msg00042.html
This patch also cleans up alloca-related glitches noted while
examining the code looking for unbounded alloca.
* alloc.c (listn):
* callproc.c (init_callproc):
Rewrite to avoid need for alloca.
* buffer.c (mouse_face_overlay_overlaps)
(report_overlay_modification):
* buffer.h (GET_OVERLAYS_AT):
* coding.c (make_subsidiaries):
* doc.c (Fsnarf_documentation):
* editfns.c (Fuser_full_name):
* fileio.c (Ffile_name_directory, Fexpand_file_name)
(search_embedded_absfilename, Fsubstitute_in_file_name):
* fns.c (Fmake_hash_table):
* font.c (font_vconcat_entity_vectors, font_update_drivers):
* fontset.c (fontset_pattern_regexp, Ffontset_info):
* frame.c (Fmake_terminal_frame, x_set_frame_parameters)
(xrdb_get_resource, x_get_resource_string):
* ftfont.c (ftfont_get_charset, ftfont_check_otf, ftfont_drive_otf):
* ftxfont.c (ftxfont_draw):
* image.c (xbm_load, xpm_load, jpeg_load_body):
* keyboard.c (echo_add_key, menu_bar_items, tool_bar_items):
* keymap.c (Fdescribe_buffer_bindings, describe_map):
* lread.c (openp):
* menu.c (digest_single_submenu, find_and_call_menu_selection)
(find_and_return_menu_selection):
* print.c (PRINTFINISH):
* process.c (Fformat_network_address):
* scroll.c (do_scrolling, do_direct_scrolling, scrolling_1):
* search.c (search_buffer, Fmatch_data, Fregexp_quote):
* sound.c (wav_play, au_play):
* syntax.c (skip_chars):
* term.c (tty_menu_activate, tty_menu_show):
* textprop.c (get_char_property_and_overlay):
* window.c (Fset_window_configuration):
* xdisp.c (safe__call, next_overlay_change, vmessage)
(compute_overhangs_and_x, draw_glyphs, note_mouse_highlight):
* xfaces.c (face_at_buffer_position):
* xmenu.c (x_menu_show):
Use SAFE_ALLOCA etc. instead of plain alloca, since the
allocation size isn't bounded.
* callint.c (Fcall_interactively): Redo memory_full check
so that it can be done at compile-time on some platforms.
* coding.c (MAX_LOOKUP_MAX): New constant.
(get_translation_table): Use it.
* callproc.c (call_process): Use SAFE_NALLOCA instead of
SAFE_ALLOCA, to catch integer overflows on size calculation.
(exec_failed) [!DOS_NT]: New function.
(child_setup) [!DOS_NT]: Use it.
* editfns.c (Ftranspose_regions):
Hoist USE_SAFE_ALLOC + SAFE_FREE out of 'if'.
* editfns.c (check_translation):
Allocate larger buffers on the heap.
* eval.c (internal_lisp_condition_case):
Check for MAX_ALLOCA overflow.
* fns.c (sort_vector): Use SAFE_ALLOCA_LISP rather than Fmake_vector.
(Fbase64_encode_region, Fbase64_decode_region):
Avoid unnecessary calls to SAFE_FREE before 'error'.
* buffer.c (mouse_face_overlay_overlaps):
* editfns.c (Fget_pos_property, check_translation):
* eval.c (Ffuncall):
* font.c (font_unparse_xlfd, font_find_for_lface):
* ftfont.c (ftfont_drive_otf):
* keyboard.c (echo_add_key, read_decoded_event_from_main_queue)
(menu_bar_items, tool_bar_items):
* sound.c (Fplay_sound_internal):
* xdisp.c (load_overlay_strings, dump_glyph_row):
Use an ordinary auto buffer rather than alloca, since the
allocation size is fixed and small.
* ftfont.c: Include <c-strcase.h>.
(matching_prefix): New function.
(get_adstyle_property): Use it, to avoid need for alloca.
* keyboard.c (echo_add_key):
* keymap.c (describe_map): Use ptrdiff_t, not int.
* keyboard.c (echo_add_key): Prefer sizeof to strlen.
* keymap.c (Fdescribe_buffer_bindings): Use SBYTES, not SCHARS,
when counting bytes.
* lisp.h (xlispstrdupa): Remove, replacing with ...
(SAFE_ALLOCA_STRING): ... new macro with different API.
This fixes a portability problem, namely, alloca result
passed to another function.  All uses changed.
(SAFE_ALLOCA, SAFE_ALLOCA_LISP): Check for MAX_ALLOCA,
not MAX_ALLOCA - 1.
* regex.c (REGEX_USE_SAFE_ALLOCA, REGEX_SAFE_FREE)
(REGEX_ALLOCATE): New macros.
(REGEX_REALLOCATE, REGEX_ALLOCATE_STACK, REGEX_REALLOCATE_STACK)
(REGEX_FREE_STACK, FREE_VARIABLES, re_match_2_internal):
Use them.
* xdisp.c (message3): Use SAFE_ALLOCA_STRING rather than doing it
by hand.
(decode_mode_spec_coding): Store directly into buf rather than
into an alloca temporary and copying the temporary to the buf.

Fixes: debbugs:18410

1 files changed, 75 insertions, 36 deletions

diff --git a/src/ftfont.c b/src/ftfont.c
index 1cad158065b..0ab3119365e 100644
--- a/src/ftfont.c
+++ b/src/ftfont.c
@@ -24,6 +24,8 @@ along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.  */
 #include <fontconfig/fontconfig.h>
 #include <fontconfig/fcfreetype.h>
 
+#include <c-strcase.h>
+
 #include "lisp.h"
 #include "dispextern.h"
 #include "frame.h"
@@ -140,6 +142,12 @@ static struct
     { NULL }
   };
 
+static bool
+matching_prefix (char const *str, ptrdiff_t len, char const *pat)
+{
+  return len == strlen (pat) && c_strncasecmp (str, pat, len) == 0;
+}
+
 /* Dirty hack for handing ADSTYLE property.
 
    Fontconfig (actually the underlying FreeType) gives such ADSTYLE
@@ -171,18 +179,10 @@ get_adstyle_property (FcPattern *p)
     return Qnil;
   str = (char *) fcstr;
   for (end = str; *end && *end != ' '; end++);
-  if (*end)
-    {
-      char *newstr = alloca (end - str + 1);
-      memcpy (newstr, str, end - str);
-      newstr[end - str] = '\0';
-      end = newstr + (end - str);
-      str = newstr;
-    }
-  if (xstrcasecmp (str, "Regular") == 0
-      || xstrcasecmp (str, "Bold") == 0
-      || xstrcasecmp (str, "Oblique") == 0
-      || xstrcasecmp (str, "Italic") == 0)
+  if (matching_prefix (str, end - str, "Regular")
+      || matching_prefix (str, end - str, "Bold")
+      || matching_prefix (str, end - str, "Oblique")
+      || matching_prefix (str, end - str, "Italic"))
     return Qnil;
   adstyle = font_intern_prop (str, end - str, 1);
   if (font_style_to_value (FONT_WIDTH_INDEX, adstyle, 0) >= 0)
@@ -573,7 +573,8 @@ static int
 ftfont_get_charset (Lisp_Object registry)
 {
   char *str = SSDATA (SYMBOL_NAME (registry));
-  char *re = alloca (SBYTES (SYMBOL_NAME (registry)) * 2 + 1);
+  USE_SAFE_ALLOCA;
+  char *re = SAFE_ALLOCA (SBYTES (SYMBOL_NAME (registry)) * 2 + 1);
   Lisp_Object regexp;
   int i, j;
 
@@ -589,6 +590,7 @@ ftfont_get_charset (Lisp_Object registry)
     }
   re[j] = '\0';
   regexp = make_unibyte_string (re, j);
+  SAFE_FREE ();
   for (i = 0; fc_charset_table[i].name; i++)
     if (fast_c_string_match_ignore_case
         (regexp, fc_charset_table[i].name,
@@ -1688,7 +1690,8 @@ ftfont_check_otf (MFLTFont *font, MFLTOtfSpec *spec)
         else if (! otf)
           return 0;
         for (n = 1; spec->features[i][n]; n++);
-        tags = alloca (sizeof (OTF_Tag) * n);
+        USE_SAFE_ALLOCA;
+        SAFE_NALLOCA (tags, 1, n);
         for (n = 0, negative = 0; spec->features[i][n]; n++)
           {
             if (spec->features[i][n] == 0xFFFFFFFF)
@@ -1698,16 +1701,17 @@ ftfont_check_otf (MFLTFont *font, MFLTOtfSpec *spec)
             else
               tags[n] = spec->features[i][n];
           }
-#ifdef M17N_FLT_USE_NEW_FEATURE
-        if (OTF_check_features (otf, i == 0, spec->script, spec->langsys,
-                                tags, n - negative) != 1)
-          return 0;
-#else  /* not M17N_FLT_USE_NEW_FEATURE */
-        if (n - negative > 0
-            && OTF_check_features (otf, i == 0, spec->script, spec->langsys,
-                                   tags, n - negative) != 1)
+        bool passed = true;
+#ifndef M17N_FLT_USE_NEW_FEATURE
+        passed = n - negative > 0;
+#endif
+        if (passed)
+          passed = (OTF_check_features (otf, i == 0, spec->script,
+                                        spec->langsys, tags, n - negative)
+                    != 1);
+        SAFE_FREE ();
+        if (passed)
           return 0;
-#endif  /* not M17N_FLT_USE_NEW_FEATURE */
       }
   return 1;
 #undef FEATURE_NONE
@@ -1799,11 +1803,15 @@ ftfont_drive_otf (MFLTFont *font,
   if (len == 0)
     return from;
   OTF_tag_name (spec->script, script);
+
+  char langsysbuf[5];
   if (spec->langsys)
     {
-      langsys = alloca (5);
+      langsys = langsysbuf;
       OTF_tag_name (spec->langsys, langsys);
     }
+
+  USE_SAFE_ALLOCA;
   for (i = 0; i < 2; i++)
     {
       char *p;
@@ -1811,10 +1819,11 @@ ftfont_drive_otf (MFLTFont *font,
       if (spec->features[i] && spec->features[i][1] != 0xFFFFFFFF)
         {
           for (j = 0; spec->features[i][j]; j++);
+          SAFE_NALLOCA (p, 6, j);
           if (i == 0)
-            p = gsub_features = alloca (6 * j);
+            gsub_features = p;
           else
-            p = gpos_features = alloca (6 * j);
+            gpos_features = p;
           for (j = 0; spec->features[i][j]; j++)
             {
               if (spec->features[i][j] == 0xFFFFFFFF)
@@ -1846,7 +1855,10 @@ ftfont_drive_otf (MFLTFont *font,
                                    gsub_features) < 0)
         goto simple_copy;
       if (out->allocated < out->used + otf_gstring.used)
-        return -2;
+        {
+          SAFE_FREE ();
+          return -2;
+        }
       features = otf->gsub->FeatureList.Feature;
       for (i = 0, otfg = otf_gstring.glyphs; i < otf_gstring.used; )
         {
@@ -1935,7 +1947,10 @@ ftfont_drive_otf (MFLTFont *font,
   else if (out)
     {
       if (out->allocated < out->used + len)
-        return -2;
+        {
+          SAFE_FREE ();
+          return -2;
+        }
       for (i = 0; i < len; i++)
         out->glyphs[out->used++] = in->glyphs[from + i];
     }
@@ -1947,7 +1962,10 @@ ftfont_drive_otf (MFLTFont *font,
 
       if (OTF_drive_gpos_with_log (otf, &otf_gstring, script, langsys,
                                    gpos_features) < 0)
-        return to;
+        {
+          SAFE_FREE ();
+          return to;
+        }
       features = otf->gpos->FeatureList.Feature;
       x_ppem = ft_face->size->metrics.x_ppem;
       y_ppem = ft_face->size->metrics.y_ppem;
@@ -2069,7 +2087,10 @@ ftfont_drive_otf (MFLTFont *font,
     {
       if (OTF_drive_gpos_with_log (otf, &otf_gstring, script, langsys,
                                    gpos_features) < 0)
-        return to;
+        {
+          SAFE_FREE ();
+          return to;
+        }
       features = otf->gpos->FeatureList.Feature;
       for (i = 0, otfg = otf_gstring.glyphs; i < otf_gstring.used;
            i++, otfg++)
@@ -2089,9 +2110,11 @@ ftfont_drive_otf (MFLTFont *font,
               }
           }
     }
+  SAFE_FREE ();
   return to;
 
  simple_copy:
+  SAFE_FREE ();
   if (! out)
     return to;
   if (out->allocated < out->used + len)
@@ -2129,11 +2152,15 @@ ftfont_drive_otf (MFLTFont *font, MFLTOtfSpec *spec, MFLTGlyphString *in,
   if (len == 0)
     return from;
   OTF_tag_name (spec->script, script);
+
+  char langsysbuf[5];
   if (spec->langsys)
     {
-      langsys = alloca (5);
+      langsys = langsysbuf;
       OTF_tag_name (spec->langsys, langsys);
     }
+
+  USE_SAFE_ALLOCA;
   for (i = 0; i < 2; i++)
     {
       char *p;
@@ -2141,10 +2168,11 @@ ftfont_drive_otf (MFLTFont *font, MFLTOtfSpec *spec, MFLTGlyphString *in,
       if (spec->features[i] && spec->features[i][1] != 0xFFFFFFFF)
         {
           for (j = 0; spec->features[i][j]; j++);
+          SAFE_NALLOCA (p, 6, j);
           if (i == 0)
-            p = gsub_features = alloca (6 * j);
+            gsub_features = p;
           else
-            p = gpos_features = alloca (6 * j);
+            gpos_features = p;
           for (j = 0; spec->features[i][j]; j++)
             {
               if (spec->features[i][j] == 0xFFFFFFFF)
@@ -2176,7 +2204,10 @@ ftfont_drive_otf (MFLTFont *font, MFLTOtfSpec *spec, MFLTGlyphString *in,
           < 0)
         goto simple_copy;
       if (out->allocated < out->used + otf_gstring.used)
-        return -2;
+        {
+          SAFE_FREE ();
+          return -2;
+        }
       for (i = 0, otfg = otf_gstring.glyphs; i < otf_gstring.used; )
         {
           MFLTGlyph *g;
@@ -2227,7 +2258,10 @@ ftfont_drive_otf (MFLTFont *font, MFLTOtfSpec *spec, MFLTGlyphString *in,
   else
     {
       if (out->allocated < out->used + len)
-        return -2;
+        {
+          SAFE_FREE ();
+          return -2;
+        }
       for (i = 0; i < len; i++)
         out->glyphs[out->used++] = in->glyphs[from + i];
     }
@@ -2239,7 +2273,10 @@ ftfont_drive_otf (MFLTFont *font, MFLTOtfSpec *spec, MFLTGlyphString *in,
 
       if (OTF_drive_gpos (otf, &otf_gstring, script, langsys, gpos_features)
           < 0)
-        return to;
+        {
+          SAFE_FREE ();
+          return to;
+        }
 
       x_ppem = ft_face->size->metrics.x_ppem;
       y_ppem = ft_face->size->metrics.y_ppem;
@@ -2349,9 +2386,11 @@ ftfont_drive_otf (MFLTFont *font, MFLTOtfSpec *spec, MFLTGlyphString *in,
             base = g;
         }
     }
+  SAFE_FREE ();
   return to;
 
  simple_copy:
+  SAFE_FREE ();
   if (out->allocated < out->used + len)
     return -2;
   font->get_metrics (font, in, from, to);