* insdel.c (count_size_as_multibyte): Check for string overflow.

2 files changed, 12 insertions, 2 deletions

diff --git a/src/ChangeLog b/src/ChangeLog
index 944a5dfbecb..b7bf4599d63 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,7 @@
 2011-05-16  Paul Eggert  <eggert@cs.ucla.edu>
 
+        * insdel.c (count_size_as_multibyte): Check for string overflow.
+
         * character.c (lisp_string_width): Check for string overflow.
         Use EMACS_INT, not int, for string indexes and lengths; in
         particular, 2nd arg is now EMACS_INT, not int.  Do not crash if
diff --git a/src/insdel.c b/src/insdel.c
index 2662858c2a1..de9e8aa570a 100644
--- a/src/insdel.c
+++ b/src/insdel.c
@@ -20,6 +20,9 @@ along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.  */
 
 #include <config.h>
 #include <setjmp.h>
+
+#include <intprops.h>
+
 #include "lisp.h"
 #include "intervals.h"
 #include "buffer.h"
@@ -581,14 +584,19 @@ count_size_as_multibyte (const unsigned char *ptr, EMACS_INT nbytes)
   for (i = 0; i < nbytes; i++)
     {
       unsigned int c = *ptr++;
+      int n;
 
       if (ASCII_CHAR_P (c))
-        outgoing_nbytes++;
+        n = 1;
       else
         {
           c = BYTE8_TO_CHAR (c);
-          outgoing_nbytes += CHAR_BYTES (c);
+          n = CHAR_BYTES (c);
         }
+
+      if (INT_ADD_OVERFLOW (outgoing_nbytes, n))
+        string_overflow ();
+      outgoing_nbytes += n;
     }
 
   return outgoing_nbytes;