| author | Paul Eggert | 2011-04-02 01:00:56 -0700 |
|---|---|---|
| committer | Paul Eggert | 2011-04-02 01:00:56 -0700 |
| commit | 2a47c44da27ce75e5ecae75a8006127439b25392 (patch) | |
| tree | 4314a38d5ff5fa3f09143c4340f6baec78204b13 /src | |
| parent | a37c69bff68c15220b7f737a721ff7e1d3291b9e (diff) | |
| download | emacs-2a47c44da27ce75e5ecae75a8006127439b25392.tar.gz emacs-2a47c44da27ce75e5ecae75a8006127439b25392.zip | |
* fileio.c (Finsert_file_contents): Avoid signed integer overflow.
Diffstat (limited to 'src')
| -rw-r--r-- | src/ChangeLog | 2 | ||||
| -rw-r--r-- | src/fileio.c | 25 |
2 files changed, 12 insertions, 15 deletions
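--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,7 @@
 2011-04-02 Paul Eggert <eggert@cs.ucla.edu>
 
+	* fileio.c (Finsert_file_contents): Avoid signed integer overflow.
+
 	* minibuf.c (read_minibuf_noninteractive): Use size_t for sizes.
 	Check for integer overflow on size calculations.
 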
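--- a/src/fileio.c
+++ b/src/fileio.c
@@ -3239,9 +3239,16 @@ variable `last-coding-system-used' to the coding system actually used. */)
 
   record_unwind_protect (close_file_unwind, make_number (fd));
 
-  /* Can happen on any platform that uses long as type of off_t, but allows
-     file sizes to exceed 2Gb, so give a suitable message. */
-  if (! not_regular && st.st_size < 0)
+
+  /* Arithmetic overflow can occur if an Emacs integer cannot represent the
+     file size, or if the calculations below overflow. The calculations below
+     double the file size twice, so check that it can be multiplied by 4
+     safely.
+
+     Also check whether the size is negative, which can happen on a platform
+     that allows file sizes greater than the maximum off_t value. */
+  if (! not_regular
+      && ! (0 <= st.st_size && st.st_size <= MOST_POSITIVE_FIXNUM / 4))
     error ("Maximum buffer size exceeded");
 
   /* Prevent redisplay optimizations. */
@@ -3268,18 +3275,6 @@ variable `last-coding-system-used' to the coding system actually used. */)
     {
       XSETINT (end, st.st_size);
 
-      /* Arithmetic overflow can occur if an Emacs integer cannot
-         represent the file size, or if the calculations below
-         overflow. The calculations below double the file size
-         twice, so check that it can be multiplied by 4 safely. */
-      if (XINT (end) != st.st_size
-          /* Actually, it should test either INT_MAX or LONG_MAX
-             depending on which one is used for EMACS_INT. But in
-             any case, in practice, this test is redundant with the
-             one above.
-             || st.st_size > INT_MAX / 4 */)
-        error ("Maximum buffer size exceeded");
-
       /* The file size returned from stat may be zero, but data
          may be readable nonetheless, for example when this is a
          file in the /proc filesystem. */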
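Review bot: New line 3242 in the first hunk appears to be a second consecutive blank line, since 3241 directly after `record_unwind_protect (close_file_unwind, make_number (fd));` is already blank; dropping it keeps the spacing consistent with the rest of the function. The range check `! (0 <= st.st_size && st.st_size <= MOST_POSITIVE_FIXNUM / 4)` is evaluated before `XSETINT (end, st.st_size)` in the second hunk, so removing the old `XINT (end) != st.st_size` test looks correct, but the new comment should say so explicitly, e.g. append `This also guarantees that XSETINT on st.st_size below cannot truncate.` so the next reader does not reinstate the redundant test. The check is skipped for non-regular files; as far as can be seen here the later `XSETINT (end, st.st_size)` block is reached only for regular files, but its enclosing condition is outside the hunk and worth confirming. Finsert_file_contents begins before the first hunk and continues after the second.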