* macros.c: Integer and buffer overflow fixes.

* keyboard.h (struct keyboard.kbd_macro_bufsize): * macros.c (Fstart_kbd_macro, store_kbd_macro_char): Use ptrdiff_t, not int, for sizes. Don't increment bufsize until after realloc succeeds. Check for size-calculation overflow. (Fstart_kbd_macro): Use EMACS_INT, not int, for XINT result.
author: Paul Eggert 2011-06-22 23:31:41 -0700
committer: Paul Eggert 2011-06-22 23:31:41 -0700
commit: 6d84508d181fec22ef538b5a6ba7e2072d1de8e7 (patch)
tree: ef8d0592e00b9122e5a0762e6c0a42191fab5e73 /src/macros.c
parent: 20270765bee11c46dc5a16ccca169751ce4e89ea (diff)
download: emacs-6d84508d181fec22ef538b5a6ba7e2072d1de8e7.tar.gz
emacs-6d84508d181fec22ef538b5a6ba7e2072d1de8e7.zip
1 files changed, 13 insertions, 6 deletions
diff --git a/src/macros.c b/src/macros.c
index 3523e513d6a..ea33dbf2d2c 100644
--- a/src/macros.c
+++ b/src/macros.c
@@ -71,10 +71,10 @@ macro before appending to it. */)
    {
      if (current_kboard->kbd_macro_bufsize > 200)
        {
-          current_kboard->kbd_macro_bufsize = 30;
          current_kboard->kbd_macro_buffer
            = (Lisp_Object *)xrealloc (current_kboard->kbd_macro_buffer,
                                       30 * sizeof (Lisp_Object));
+          current_kboard->kbd_macro_bufsize = 30;
        }
      current_kboard->kbd_macro_ptr = current_kboard->kbd_macro_buffer;
      current_kboard->kbd_macro_end = current_kboard->kbd_macro_buffer;
@@ -82,7 +82,8 @@ macro before appending to it. */)
    }
  else
    {
-      int i, len;
+      ptrdiff_t i;
+      EMACS_INT len;
      int cvt;
      /* Check the type of last-kbd-macro in case Lisp code changed it.  */
@@ -94,10 +95,13 @@ macro before appending to it. */)
         has put another macro there.  */
      if (current_kboard->kbd_macro_bufsize < len + 30)
        {
-          current_kboard->kbd_macro_bufsize = len + 30;
+          if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (Lisp_Object) - 30
+              < current_kboard->kbd_macro_bufsize)
+            memory_full (SIZE_MAX);
          current_kboard->kbd_macro_buffer
            = (Lisp_Object *)xrealloc (current_kboard->kbd_macro_buffer,
                                       (len + 30) * sizeof (Lisp_Object));
+          current_kboard->kbd_macro_bufsize = len + 30;
        }
      /* Must convert meta modifier when copying string to vector.  */
@@ -191,14 +195,17 @@ store_kbd_macro_char (Lisp_Object c)
    {
      if (kb->kbd_macro_ptr - kb->kbd_macro_buffer == kb->kbd_macro_bufsize)
        {
-          int ptr_offset, end_offset, nbytes;
+          ptrdiff_t ptr_offset, end_offset, nbytes;
          ptr_offset = kb->kbd_macro_ptr - kb->kbd_macro_buffer;
          end_offset = kb->kbd_macro_end - kb->kbd_macro_buffer;
-          kb->kbd_macro_bufsize *= 2;
+          if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *kb->kbd_macro_buffer / 2
-          nbytes = kb->kbd_macro_bufsize * sizeof *kb->kbd_macro_buffer;
+              < kb->kbd_macro_bufsize)
+            memory_full (SIZE_MAX);
+          nbytes = kb->kbd_macro_bufsize * 2 * sizeof *kb->kbd_macro_buffer;
          kb->kbd_macro_buffer
            = (Lisp_Object *) xrealloc (kb->kbd_macro_buffer, nbytes);
+          kb->kbd_macro_bufsize *= 2;
          kb->kbd_macro_ptr = kb->kbd_macro_buffer + ptr_offset;
          kb->kbd_macro_end = kb->kbd_macro_buffer + end_offset;
        }
author	Paul Eggert	2011-06-22 23:31:41 -0700
committer	Paul Eggert	2011-06-22 23:31:41 -0700
commit	6d84508d181fec22ef538b5a6ba7e2072d1de8e7 (patch)
tree	ef8d0592e00b9122e5a0762e6c0a42191fab5e73 /src/macros.c
parent	20270765bee11c46dc5a16ccca169751ce4e89ea (diff)
download	emacs-6d84508d181fec22ef538b5a6ba7e2072d1de8e7.tar.gz emacs-6d84508d181fec22ef538b5a6ba7e2072d1de8e7.zip