authorPaul Eggert2011-07-28 22:12:49 -0700
committerPaul Eggert2011-07-28 22:12:49 -0700
commit3256efcee3a7c3bf63e62666715455e834d19ea0 (patch)
tree1b71292793d856130d2e51f798aa7eabba41b484 /src
parent1d526e2f33eb2615944717c9231bc1d27aef1117 (diff)
* xterm.c: Integer and memory overflow issues.
(x_color_cells, handle_one_xevent, x_term_init): Check for size calculation overflow. (x_color_cells): Don't store size until memory allocation succeeds. (handle_one_xevent): Use ptrdiff_t, not int, for byte counts. (x_term_init): Don't assume length fits in int (sprintf is limited to int size).
Diffstat (limited to 'src')
-rw-r--r--src/ChangeLog8
-rw-r--r--src/xterm.c30
2 files changed, 28 insertions, 10 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 1f288a48f2f..b005b461ed4 100644
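--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,13 @@
 2011-07-29 Paul Eggert <eggert@cs.ucla.edu>
 
+* xterm.c: Integer and memory overflow issues.
+(x_color_cells, handle_one_xevent, x_term_init):
+Check for size calculation overflow.
+(x_color_cells): Don't store size until memory allocation succeeds.
+(handle_one_xevent): Use ptrdiff_t, not int, for byte counts.
+(x_term_init): Don't assume length fits in int (sprintf is limited
+to int size).
+
 * xsmfns.c (smc_save_yourself_CB): Check for size calc overflow.
 
 * xselect.c: Integer and memory overflow issues.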
diff --git a/src/xterm.c b/src/xterm.c
index 5b6ddbb8ddf..4ef0061dba6 100644
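--- a/src/xterm.c
+++ b/src/xterm.c
@@ -1625,19 +1625,21 @@ x_color_cells (Display *dpy, int *ncells)
 if (dpyinfo->color_cells == NULL)
 {
 Screen *screen = dpyinfo->screen;
+int ncolor_cells = XDisplayCells (dpy, XScreenNumberOfScreen (screen));
 int i;
 
-dpyinfo->ncolor_cells
-= XDisplayCells (dpy, XScreenNumberOfScreen (screen));
+if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (XColor) < ncolor_cells)
+memory_full (SIZE_MAX);
 dpyinfo->color_cells
-= (XColor *) xmalloc (dpyinfo->ncolor_cells
+= (XColor *) xmalloc (ncolor_cells
 * sizeof *dpyinfo->color_cells);
+dpyinfo->ncolor_cells = ncolor_cells;
 
-for (i = 0; i < dpyinfo->ncolor_cells; ++i)
+for (i = 0; i < ncolor_cells; ++i)
 dpyinfo->color_cells[i].pixel = i;
 
 XQueryColors (dpy, dpyinfo->cmap,
-dpyinfo->color_cells, dpyinfo->ncolor_cells);
+dpyinfo->color_cells, ncolor_cells);
 }
 
 *ncells = dpyinfo->ncolor_cells;
@@ -5817,7 +5819,7 @@ handle_one_xevent (struct x_display_info *dpyinfo, XEvent *eventptr,
 } inev;
 int count = 0;
 int do_help = 0;
-int nbytes = 0;
+ptrdiff_t nbytes = 0;
 struct frame *f = NULL;
 struct coding_system coding;
 XEvent event = *eventptr;
@@ -6515,7 +6517,7 @@ handle_one_xevent (struct x_display_info *dpyinfo, XEvent *eventptr,
 }
 
 { /* Raw bytes, not keysym. */
-register int i;
+ptrdiff_t i;
 int nchars, len;
 
 for (i = 0, nchars = 0; i < nbytes; i++)
@@ -6528,7 +6530,11 @@ handle_one_xevent (struct x_display_info *dpyinfo, XEvent *eventptr,
 if (nchars < nbytes)
 {
 /* Decode the input data. */
-int require;
+ptrdiff_t require;
+
+if (min (PTRDIFF_MAX, SIZE_MAX) / MAX_MULTIBYTE_LENGTH
+< nbytes)
+memory_full (SIZE_MAX);
 
 /* The input should be decoded with `coding_system'
 which depends on which X*LookupString function
@@ -9826,6 +9832,7 @@ x_term_init (Lisp_Object display_name, char *xrm_option, char *resource_name)
 struct x_display_info *dpyinfo;
 XrmDatabase xrdb;
 Mouse_HLInfo *hlinfo;
+ptrdiff_t lim;
 
 BLOCK_INPUT;
 
@@ -10044,12 +10051,15 @@ x_term_init (Lisp_Object display_name, char *xrm_option, char *resource_name)
 XSetAfterFunction (x_current_display, x_trace_wire);
 #endif /* ! 0 */
 
+lim = min (PTRDIFF_MAX, SIZE_MAX) - sizeof "@";
+if (lim - SBYTES (Vinvocation_name) < SBYTES (Vsystem_name))
+memory_full (SIZE_MAX);
 dpyinfo->x_id_name
 = (char *) xmalloc (SBYTES (Vinvocation_name)
 + SBYTES (Vsystem_name)
 + 2);
-sprintf (dpyinfo->x_id_name, "%s@%s",
-SSDATA (Vinvocation_name), SSDATA (Vsystem_name));
+strcat (strcat (strcpy (dpyinfo->x_id_name, SSDATA (Vinvocation_name)), "@"),
+SSDATA (Vsystem_name));
 
 /* Figure out which modifier bits mean what. */
 x_find_modifier_meanings (dpyinfo);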