* ftfont.c: Check for size overflow.

(ftfont_get_open_type_spec, setup_otf_gstring, ftfont_shape_by_flt): Check for integer overflow in size calculations.
author: Paul Eggert 2011-07-28 16:51:50 -0700
committer: Paul Eggert 2011-07-28 16:51:50 -0700
commit: 1ffd9c92ea38e078ec6cde6277c7ce88895212df (patch)
tree: d01e694989117659f9806a5b3f95ae99cda729b9 /src
parent: 483a9e21b6c8387cdbd5a5f3ab8a3fe77f7e52a0 (diff)
download: emacs-1ffd9c92ea38e078ec6cde6277c7ce88895212df.tar.gz
emacs-1ffd9c92ea38e078ec6cde6277c7ce88895212df.zip
2 files changed, 18 insertions, 1 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 058c250a330..84d7bf4cb48 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,9 @@
 2011-07-28  Paul Eggert  <eggert@cs.ucla.edu>
+        * ftfont.c: Check for size overflow.
+        (ftfont_get_open_type_spec, setup_otf_gstring, ftfont_shape_by_flt):
+        Check for integer overflow in size calculations.
        * fringe.c (Fdefine_fringe_bitmap): Don't update size until alloc works.
        * frame.h (struct frame): Use int, not EMACS_INT, where int works.
diff --git a/src/ftfont.c b/src/ftfont.c
index 4e313a89021..551006eef94 100644
--- a/src/ftfont.c
+++ b/src/ftfont.c
@@ -682,7 +682,10 @@ ftfont_get_open_type_spec (Lisp_Object otf_spec)
      if (NILP (val))
        continue;
      len = Flength (val);
-      spec->features[i] = malloc (sizeof (int) * XINT (len));
+      spec->features[i] =
+        (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (int) < XINT (len)
+         ? 0
+         : malloc (sizeof (int) * XINT (len)));
      if (! spec->features[i])
        {
          if (i > 0 && spec->features[0])
@@ -1761,6 +1764,9 @@ static OTF_GlyphString otf_gstring;
 static void
 setup_otf_gstring (int size)
 {
+  if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (OTF_Glyph) < size)
+    memory_full (SIZE_MAX);
  if (otf_gstring.size == 0)
    {
      otf_gstring.glyphs = (OTF_Glyph *) xmalloc (sizeof (OTF_Glyph) * size);
@@ -2390,6 +2396,8 @@ ftfont_shape_by_flt (Lisp_Object lgstring, struct font *font,
  struct MFLTFontFT flt_font_ft;
  MFLT *flt = NULL;
  int with_variation_selector = 0;
+  int allocated_max = min (INT_MAX,
+                           min (PTRDIFF_MAX, SIZE_MAX) / sizeof (MFLTGlyph));
  if (! m17n_flt_initialized)
    {
@@ -2445,6 +2453,9 @@ ftfont_shape_by_flt (Lisp_Object lgstring, struct font *font,
        }
    }
+  if (allocated_max / 2 < len)
+    memory_full (SIZE_MAX);
  if (gstring.allocated == 0)
    {
      gstring.allocated = len * 2;
@@ -2504,6 +2515,8 @@ ftfont_shape_by_flt (Lisp_Object lgstring, struct font *font,
      int result = mflt_run (&gstring, 0, len, &flt_font_ft.flt_font, flt);
      if (result != -2)
        break;
+      if (allocated_max / 2 < gstring.allocated)
+        memory_full (SIZE_MAX);
      gstring.allocated += gstring.allocated;
      gstring.glyphs = xrealloc (gstring.glyphs,
                                 sizeof (MFLTGlyph) * gstring.allocated);
author	Paul Eggert	2011-07-28 16:51:50 -0700
committer	Paul Eggert	2011-07-28 16:51:50 -0700
commit	1ffd9c92ea38e078ec6cde6277c7ce88895212df (patch)
tree	d01e694989117659f9806a5b3f95ae99cda729b9 /src
parent	483a9e21b6c8387cdbd5a5f3ab8a3fe77f7e52a0 (diff)
download	emacs-1ffd9c92ea38e078ec6cde6277c7ce88895212df.tar.gz emacs-1ffd9c92ea38e078ec6cde6277c7ce88895212df.zip