Use SAFE_ALLOCA etc. to avoid unbounded stack allocation.

This follows up on the recent thread in emacs-devel on alloca; see: http://lists.gnu.org/archive/html/emacs-devel/2014-09/msg00042.html This patch also cleans up alloca-related glitches noted while examining the code looking for unbounded alloca. * alloc.c (listn): * callproc.c (init_callproc): Rewrite to avoid need for alloca. * buffer.c (mouse_face_overlay_overlaps) (report_overlay_modification): * buffer.h (GET_OVERLAYS_AT): * coding.c (make_subsidiaries): * doc.c (Fsnarf_documentation): * editfns.c (Fuser_full_name): * fileio.c (Ffile_name_directory, Fexpand_file_name) (search_embedded_absfilename, Fsubstitute_in_file_name): * fns.c (Fmake_hash_table): * font.c (font_vconcat_entity_vectors, font_update_drivers): * fontset.c (fontset_pattern_regexp, Ffontset_info): * frame.c (Fmake_terminal_frame, x_set_frame_parameters) (xrdb_get_resource, x_get_resource_string): * ftfont.c (ftfont_get_charset, ftfont_check_otf, ftfont_drive_otf): * ftxfont.c (ftxfont_draw): * image.c (xbm_load, xpm_load, jpeg_load_body): * keyboard.c (echo_add_key, menu_bar_items, tool_bar_items): * keymap.c (Fdescribe_buffer_bindings, describe_map): * lread.c (openp): * menu.c (digest_single_submenu, find_and_call_menu_selection) (find_and_return_menu_selection): * print.c (PRINTFINISH): * process.c (Fformat_network_address): * scroll.c (do_scrolling, do_direct_scrolling, scrolling_1): * search.c (search_buffer, Fmatch_data, Fregexp_quote): * sound.c (wav_play, au_play): * syntax.c (skip_chars): * term.c (tty_menu_activate, tty_menu_show): * textprop.c (get_char_property_and_overlay): * window.c (Fset_window_configuration): * xdisp.c (safe__call, next_overlay_change, vmessage) (compute_overhangs_and_x, draw_glyphs, note_mouse_highlight): * xfaces.c (face_at_buffer_position): * xmenu.c (x_menu_show): Use SAFE_ALLOCA etc. instead of plain alloca, since the allocation size isn't bounded. * callint.c (Fcall_interactively): Redo memory_full check so that it can be done at compile-time on some platforms. * coding.c (MAX_LOOKUP_MAX): New constant. (get_translation_table): Use it. * callproc.c (call_process): Use SAFE_NALLOCA instead of SAFE_ALLOCA, to catch integer overflows on size calculation. (exec_failed) [!DOS_NT]: New function. (child_setup) [!DOS_NT]: Use it. * editfns.c (Ftranspose_regions): Hoist USE_SAFE_ALLOC + SAFE_FREE out of 'if'. * editfns.c (check_translation): Allocate larger buffers on the heap. * eval.c (internal_lisp_condition_case): Check for MAX_ALLOCA overflow. * fns.c (sort_vector): Use SAFE_ALLOCA_LISP rather than Fmake_vector. (Fbase64_encode_region, Fbase64_decode_region): Avoid unnecessary calls to SAFE_FREE before 'error'. * buffer.c (mouse_face_overlay_overlaps): * editfns.c (Fget_pos_property, check_translation): * eval.c (Ffuncall): * font.c (font_unparse_xlfd, font_find_for_lface): * ftfont.c (ftfont_drive_otf): * keyboard.c (echo_add_key, read_decoded_event_from_main_queue) (menu_bar_items, tool_bar_items): * sound.c (Fplay_sound_internal): * xdisp.c (load_overlay_strings, dump_glyph_row): Use an ordinary auto buffer rather than alloca, since the allocation size is fixed and small. * ftfont.c: Include <c-strcase.h>. (matching_prefix): New function. (get_adstyle_property): Use it, to avoid need for alloca. * keyboard.c (echo_add_key): * keymap.c (describe_map): Use ptrdiff_t, not int. * keyboard.c (echo_add_key): Prefer sizeof to strlen. * keymap.c (Fdescribe_buffer_bindings): Use SBYTES, not SCHARS, when counting bytes. * lisp.h (xlispstrdupa): Remove, replacing with ... (SAFE_ALLOCA_STRING): ... new macro with different API. This fixes a portability problem, namely, alloca result passed to another function. All uses changed. (SAFE_ALLOCA, SAFE_ALLOCA_LISP): Check for MAX_ALLOCA, not MAX_ALLOCA - 1. * regex.c (REGEX_USE_SAFE_ALLOCA, REGEX_SAFE_FREE) (REGEX_ALLOCATE): New macros. (REGEX_REALLOCATE, REGEX_ALLOCATE_STACK, REGEX_REALLOCATE_STACK) (REGEX_FREE_STACK, FREE_VARIABLES, re_match_2_internal): Use them. * xdisp.c (message3): Use SAFE_ALLOCA_STRING rather than doing it by hand. (decode_mode_spec_coding): Store directly into buf rather than into an alloca temporary and copying the temporary to the buf. Fixes: debbugs:18410
author: Paul Eggert 2014-09-07 00:04:01 -0700
committer: Paul Eggert 2014-09-07 00:04:01 -0700
commit: b3bf18b3b87ac8f00857b8bfc3f2c74cf0e2fb7d (patch)
tree: cf138164e4f8887394f52cb22da594d1713da316 /src/image.c
parent: 930fb80f9e2815e599eb1de699668d42e305fa21 (diff)
download: emacs-b3bf18b3b87ac8f00857b8bfc3f2c74cf0e2fb7d.tar.gz
emacs-b3bf18b3b87ac8f00857b8bfc3f2c74cf0e2fb7d.zip
1 files changed, 20 insertions, 15 deletions
diff --git a/src/image.c b/src/image.c
index 804da436ee9..57f9b7735b6 100644
--- a/src/image.c
+++ b/src/image.c
@@ -3037,13 +3037,16 @@ xbm_load (struct frame *f, struct image *img)
                                     + SBYTES (data)));
      else
        {
+          USE_SAFE_ALLOCA;
          if (VECTORP (data))
            {
              int i;
              char *p;
              int nbytes = (img->width + BITS_PER_CHAR - 1) / BITS_PER_CHAR;
-              p = bits = alloca (nbytes * img->height);
+              SAFE_NALLOCA (bits, nbytes, img->height);
+              p = bits;
              for (i = 0; i < img->height; ++i, p += nbytes)
                {
                  Lisp_Object line = AREF (data, i);
@@ -3064,9 +3067,8 @@ xbm_load (struct frame *f, struct image *img)
            int nbytes, i;
            /* Windows mono bitmaps are reversed compared with X.  */
            invertedBits = bits;
-            nbytes = (img->width + BITS_PER_CHAR - 1) / BITS_PER_CHAR
+            nbytes = (img->width + BITS_PER_CHAR - 1) / BITS_PER_CHAR;
-              * img->height;
+            SAFE_NALLOCA (bits, nbytes, img->height);
-            bits = alloca (nbytes);
            for (i = 0; i < nbytes; i++)
              bits[i] = XBM_BIT_SHUFFLE (invertedBits[i]);
          }
@@ -3088,6 +3090,8 @@ xbm_load (struct frame *f, struct image *img)
                           img->spec, Qnil);
              x_clear_image (f, img);
            }
+          SAFE_FREE ();
        }
    }
@@ -3494,6 +3498,8 @@ xpm_load (struct frame *f, struct image *img)
  int rc;
  XpmAttributes attrs;
  Lisp_Object specified_file, color_symbols;
+  USE_SAFE_ALLOCA;
 #ifdef HAVE_NTGUI
  HDC hdc;
  xpm_XImage * xpm_image = NULL, * xpm_mask = NULL;
@@ -3536,7 +3542,7 @@ xpm_load (struct frame *f, struct image *img)
    {
      Lisp_Object tail;
      XpmColorSymbol *xpm_syms;
-      int i, size;
+      ptrdiff_t i, size;
      attrs.valuemask |= XpmColorSymbols;
@@ -3546,8 +3552,8 @@ xpm_load (struct frame *f, struct image *img)
        ++attrs.numsymbols;
      /* Allocate an XpmColorSymbol array.  */
+      SAFE_NALLOCA (xpm_syms, 1, attrs.numsymbols);
      size = attrs.numsymbols * sizeof *xpm_syms;
-      xpm_syms = alloca (size);
      memset (xpm_syms, 0, size);
      attrs.colorsymbols = xpm_syms;
@@ -3569,17 +3575,11 @@ xpm_load (struct frame *f, struct image *img)
          name = XCAR (XCAR (tail));
          color = XCDR (XCAR (tail));
          if (STRINGP (name))
-            {
+            SAFE_ALLOCA_STRING (xpm_syms[i].name, name);
-              xpm_syms[i].name = alloca (SCHARS (name) + 1);
-              strcpy (xpm_syms[i].name, SSDATA (name));
-            }
          else
            xpm_syms[i].name = empty_string;
          if (STRINGP (color))
-            {
+            SAFE_ALLOCA_STRING (xpm_syms[i].value, color);
-              xpm_syms[i].value = alloca (SCHARS (color) + 1);
-              strcpy (xpm_syms[i].value, SSDATA (color));
-            }
          else
            xpm_syms[i].value = empty_string;
        }
@@ -3610,6 +3610,7 @@ xpm_load (struct frame *f, struct image *img)
 #ifdef ALLOC_XPM_COLORS
          xpm_free_color_cache ();
 #endif
+          SAFE_FREE ();
          return 0;
        }
@@ -3640,6 +3641,7 @@ xpm_load (struct frame *f, struct image *img)
 #ifdef ALLOC_XPM_COLORS
          xpm_free_color_cache ();
 #endif
+          SAFE_FREE ();
          return 0;
        }
 #ifdef HAVE_NTGUI
@@ -3782,6 +3784,7 @@ xpm_load (struct frame *f, struct image *img)
 #ifdef ALLOC_XPM_COLORS
  xpm_free_color_cache ();
 #endif
+  SAFE_FREE ();
  return rc == XpmSuccess;
 }
@@ -6580,6 +6583,7 @@ jpeg_load_body (struct frame *f, struct image *img,
     colors generated, and mgr->cinfo.colormap is a two-dimensional array
     of color indices in the range 0..mgr->cinfo.actual_number_of_colors.
     No more than 255 colors will be generated.  */
+  USE_SAFE_ALLOCA;
  {
    int i, ir, ig, ib;
@@ -6595,7 +6599,7 @@ jpeg_load_body (struct frame *f, struct image *img,
       a default color, and we don't have to care about which colors
       can be freed safely, and which can't.  */
    init_color_table ();
-    colors = alloca (mgr->cinfo.actual_number_of_colors * sizeof *colors);
+    SAFE_NALLOCA (colors, 1, mgr->cinfo.actual_number_of_colors);
    for (i = 0; i < mgr->cinfo.actual_number_of_colors; ++i)
      {
@@ -6638,6 +6642,7 @@ jpeg_load_body (struct frame *f, struct image *img,
  /* Put ximg into the image.  */
  image_put_x_image (f, img, ximg, 0);
+  SAFE_FREE ();
  return 1;
 }
author	Paul Eggert	2014-09-07 00:04:01 -0700
committer	Paul Eggert	2014-09-07 00:04:01 -0700
commit	b3bf18b3b87ac8f00857b8bfc3f2c74cf0e2fb7d (patch)
tree	cf138164e4f8887394f52cb22da594d1713da316 /src/image.c
parent	930fb80f9e2815e599eb1de699668d42e305fa21 (diff)
download	emacs-b3bf18b3b87ac8f00857b8bfc3f2c74cf0e2fb7d.tar.gz emacs-b3bf18b3b87ac8f00857b8bfc3f2c74cf0e2fb7d.zip