* xterm.c: don't go over XClientMessageEvent limit

(scroll_bar_windows_size): Now ptrdiff_t, as we prefer signed. (x_send_scroll_bar_event): Likewise. Check that the size does not exceed limits imposed by XClientMessageEvent, as well as the usual ptrdiff_t and size_t limits.
author: Paul Eggert 2011-07-17 13:56:13 -0700
committer: Paul Eggert 2011-07-17 13:56:13 -0700
commit: 50849c52f8cf342b81c1db12b13f866ec6c049fc (patch)
tree: 09bc44425b2a904a3c7a7a7b3216e523d7766ff5 /src
parent: b13995dbbdab5254bc77ad5ed7318db9797be321 (diff)
download: emacs-50849c52f8cf342b81c1db12b13f866ec6c049fc.tar.gz
emacs-50849c52f8cf342b81c1db12b13f866ec6c049fc.zip
2 files changed, 17 insertions, 7 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 32a117ed767..940beee887d 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,11 @@
 2011-07-17  Paul Eggert  <eggert@cs.ucla.edu>
+        * xterm.c: don't go over XClientMessageEvent limit
+        (scroll_bar_windows_size): Now ptrdiff_t, as we prefer signed.
+        (x_send_scroll_bar_event): Likewise.  Check that the size does not
+        exceed limits imposed by XClientMessageEvent, as well as the usual
+        ptrdiff_t and size_t limits.
        * keyboard.c: Overflow, signedness and related fixes.
        (make_lispy_movement): Use same integer type in forward decl
        that is used in the definition.
diff --git a/src/xterm.c b/src/xterm.c
index 20516ee9d6f..5b6ddbb8ddf 100644
--- a/src/xterm.c
+++ b/src/xterm.c
@@ -4190,7 +4190,7 @@ xt_action_hook (Widget widget, XtPointer client_data, String action_name,
   x_send_scroll_bar_event and x_scroll_bar_to_input_event.  */
 static struct window **scroll_bar_windows;
-static size_t scroll_bar_windows_size;
+static ptrdiff_t scroll_bar_windows_size;
 /* Send a client message with message type Xatom_Scrollbar for a
@@ -4205,7 +4205,7 @@ x_send_scroll_bar_event (Lisp_Object window, int part, int portion, int whole)
  XClientMessageEvent *ev = (XClientMessageEvent *) &event;
  struct window *w = XWINDOW (window);
  struct frame *f = XFRAME (w->frame);
-  size_t i;
+  ptrdiff_t i;
  BLOCK_INPUT;
@@ -4226,12 +4226,16 @@ x_send_scroll_bar_event (Lisp_Object window, int part, int portion, int whole)
  if (i == scroll_bar_windows_size)
    {
-      size_t new_size = max (10, 2 * scroll_bar_windows_size);
+      ptrdiff_t new_size, old_nbytes, nbytes;
-      size_t nbytes = new_size * sizeof *scroll_bar_windows;
+      /* Check the 32-bit XClientMessageEvent limit, as well as the
-      size_t old_nbytes = scroll_bar_windows_size * sizeof *scroll_bar_windows;
+         usual ptrdiff_t/size_t limit.  */
+      if (min (0x7fffffff,
-      if ((size_t) -1 / sizeof *scroll_bar_windows < new_size)
+               min (PTRDIFF_MAX, SIZE_MAX) / sizeof *scroll_bar_windows / 2)
+          < scroll_bar_windows_size)
        memory_full (SIZE_MAX);
+      new_size = max (10, 2 * scroll_bar_windows_size);
+      nbytes = new_size * sizeof *scroll_bar_windows;
+      old_nbytes = scroll_bar_windows_size * sizeof *scroll_bar_windows;
      scroll_bar_windows = (struct window **) xrealloc (scroll_bar_windows,
                                                        nbytes);
      memset (&scroll_bar_windows[i], 0, nbytes - old_nbytes);
author	Paul Eggert	2011-07-17 13:56:13 -0700
committer	Paul Eggert	2011-07-17 13:56:13 -0700
commit	50849c52f8cf342b81c1db12b13f866ec6c049fc (patch)
tree	09bc44425b2a904a3c7a7a7b3216e523d7766ff5 /src
parent	b13995dbbdab5254bc77ad5ed7318db9797be321 (diff)
download	emacs-50849c52f8cf342b81c1db12b13f866ec6c049fc.tar.gz emacs-50849c52f8cf342b81c1db12b13f866ec6c049fc.zip

diff --git a/src/ChangeLog b/src/ChangeLog index 32a117ed767..940beee887d 100644 --- a/src/ChangeLog +++ b/src/ChangeLog
@@ -1,5 +1,11 @@
1	2011-07-17 Paul Eggert <eggert@cs.ucla.edu>	1	2011-07-17 Paul Eggert <eggert@cs.ucla.edu>
2		2
		3	* xterm.c: don't go over XClientMessageEvent limit
		4	(scroll_bar_windows_size): Now ptrdiff_t, as we prefer signed.
		5	(x_send_scroll_bar_event): Likewise. Check that the size does not
		6	exceed limits imposed by XClientMessageEvent, as well as the usual
		7	ptrdiff_t and size_t limits.
		8
3	* keyboard.c: Overflow, signedness and related fixes.	9	* keyboard.c: Overflow, signedness and related fixes.
4	(make_lispy_movement): Use same integer type in forward decl	10	(make_lispy_movement): Use same integer type in forward decl
5	that is used in the definition.	11	that is used in the definition.


diff --git a/src/xterm.c b/src/xterm.c index 20516ee9d6f..5b6ddbb8ddf 100644 --- a/src/xterm.c +++ b/src/xterm.c
@@ -4190,7 +4190,7 @@ xt_action_hook (Widget widget, XtPointer client_data, String action_name,
4190	x_send_scroll_bar_event and x_scroll_bar_to_input_event. */	4190	x_send_scroll_bar_event and x_scroll_bar_to_input_event. */
4191		4191
4192	static struct window **scroll_bar_windows;	4192	static struct window **scroll_bar_windows;
4193	static size_t scroll_bar_windows_size;	4193	static ptrdiff_t scroll_bar_windows_size;
4194		4194
4195		4195
4196	/* Send a client message with message type Xatom_Scrollbar for a	4196	/* Send a client message with message type Xatom_Scrollbar for a
@@ -4205,7 +4205,7 @@ x_send_scroll_bar_event (Lisp_Object window, int part, int portion, int whole)
4205	XClientMessageEvent ev = (XClientMessageEvent ) &event;	4205	XClientMessageEvent ev = (XClientMessageEvent ) &event;
4206	struct window *w = XWINDOW (window);	4206	struct window *w = XWINDOW (window);
4207	struct frame *f = XFRAME (w->frame);	4207	struct frame *f = XFRAME (w->frame);
4208	size_t i;	4208	ptrdiff_t i;
4209		4209
4210	BLOCK_INPUT;	4210	BLOCK_INPUT;
4211		4211
@@ -4226,12 +4226,16 @@ x_send_scroll_bar_event (Lisp_Object window, int part, int portion, int whole)
4226		4226
4227	if (i == scroll_bar_windows_size)	4227	if (i == scroll_bar_windows_size)
4228	{	4228	{
4229	size_t new_size = max (10, 2 * scroll_bar_windows_size);	4229	ptrdiff_t new_size, old_nbytes, nbytes;
4230	size_t nbytes = new_size * sizeof *scroll_bar_windows;	4230	/* Check the 32-bit XClientMessageEvent limit, as well as the
4231	size_t old_nbytes = scroll_bar_windows_size * sizeof *scroll_bar_windows;	4231	usual ptrdiff_t/size_t limit. */
4232		4232	if (min (0x7fffffff,
4233	if ((size_t) -1 / sizeof *scroll_bar_windows < new_size)	4233	min (PTRDIFF_MAX, SIZE_MAX) / sizeof *scroll_bar_windows / 2)
		4234	< scroll_bar_windows_size)
4234	memory_full (SIZE_MAX);	4235	memory_full (SIZE_MAX);
		4236	new_size = max (10, 2 * scroll_bar_windows_size);
		4237	nbytes = new_size * sizeof *scroll_bar_windows;
		4238	old_nbytes = scroll_bar_windows_size * sizeof *scroll_bar_windows;
4235	scroll_bar_windows = (struct window **) xrealloc (scroll_bar_windows,	4239	scroll_bar_windows = (struct window **) xrealloc (scroll_bar_windows,
4236	nbytes);	4240	nbytes);
4237	memset (&scroll_bar_windows[i], 0, nbytes - old_nbytes);	4241	memset (&scroll_bar_windows[i], 0, nbytes - old_nbytes);