| author | Paul Eggert | 2011-06-22 23:31:41 -0700 |
|---|---|---|
| committer | Paul Eggert | 2011-06-22 23:31:41 -0700 |
| commit | 6d84508d181fec22ef538b5a6ba7e2072d1de8e7 (patch) | |
| tree | ef8d0592e00b9122e5a0762e6c0a42191fab5e73 /src | |
| parent | 20270765bee11c46dc5a16ccca169751ce4e89ea (diff) | |
* macros.c: Integer and buffer overflow fixes.
* keyboard.h (struct keyboard.kbd_macro_bufsize):
* macros.c (Fstart_kbd_macro, store_kbd_macro_char):
Use ptrdiff_t, not int, for sizes.
Don't increment bufsize until after realloc succeeds.
Check for size-calculation overflow.
(Fstart_kbd_macro): Use EMACS_INT, not int, for XINT result.
Diffstat (limited to 'src')
| -rw-r--r-- | src/ChangeLog | 8 | ||||
| -rw-r--r-- | src/keyboard.h | 2 | ||||
| -rw-r--r-- | src/macros.c | 19 |
3 files changed, 22 insertions, 7 deletions
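diff --git a/src/ChangeLog b/src/ChangeLog
index 1e9cf82d1ac..c3eaaa4ff2d 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,13 @@
 2011-06-23 Paul Eggert <eggert@cs.ucla.edu>
 
+* macros.c: Integer and buffer overflow fixes.
+* keyboard.h (struct keyboard.kbd_macro_bufsize):
+* macros.c (Fstart_kbd_macro, store_kbd_macro_char):
+Use ptrdiff_t, not int, for sizes.
+Don't increment bufsize until after realloc succeeds.
+Check for size-calculation overflow.
+(Fstart_kbd_macro): Use EMACS_INT, not int, for XINT result.
+
 * lisp.h (DEFVAR_KBOARD): Use offsetof instead of char * finagling.
 
 * lread.c: Integer overflow fixes.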
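diff --git a/src/keyboard.h b/src/keyboard.h
index 20763c35f3a..91008a3ea24 100644
--- a/src/keyboard.h
+++ b/src/keyboard.h
@@ -123,7 +123,7 @@ struct kboard
 Lisp_Object *kbd_macro_end;
 
 /* Allocated size of kbd_macro_buffer. */
-int kbd_macro_bufsize;
+ptrdiff_t kbd_macro_bufsize;
 
 /* Last anonymous kbd macro defined. */
 Lisp_Object KBOARD_INTERNAL_FIELD (Vlast_kbd_macro);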
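diff --git a/src/macros.c b/src/macros.c
index 3523e513d6a..ea33dbf2d2c 100644
--- a/src/macros.c
+++ b/src/macros.c
@@ -71,10 +71,10 @@ macro before appending to it. */)
 {
 if (current_kboard->kbd_macro_bufsize > 200)
 {
-current_kboard->kbd_macro_bufsize = 30;
 current_kboard->kbd_macro_buffer
 = (Lisp_Object *)xrealloc (current_kboard->kbd_macro_buffer,
 30 * sizeof (Lisp_Object));
+current_kboard->kbd_macro_bufsize = 30;
 }
 current_kboard->kbd_macro_ptr = current_kboard->kbd_macro_buffer;
 current_kboard->kbd_macro_end = current_kboard->kbd_macro_buffer;
@@ -82,7 +82,8 @@ macro before appending to it. */)
 }
 else
 {
-int i, len;
+ptrdiff_t i;
+EMACS_INT len;
 int cvt;
 
 /* Check the type of last-kbd-macro in case Lisp code changed it. */
@@ -94,10 +95,13 @@ macro before appending to it. */)
 has put another macro there. */
 if (current_kboard->kbd_macro_bufsize < len + 30)
 {
-current_kboard->kbd_macro_bufsize = len + 30;
+if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (Lisp_Object) - 30
+< current_kboard->kbd_macro_bufsize)
+memory_full (SIZE_MAX);
 current_kboard->kbd_macro_buffer
 = (Lisp_Object *)xrealloc (current_kboard->kbd_macro_buffer,
 (len + 30) * sizeof (Lisp_Object));
+current_kboard->kbd_macro_bufsize = len + 30;
 }
 
 /* Must convert meta modifier when copying string to vector. */
@@ -191,14 +195,17 @@ store_kbd_macro_char (Lisp_Object c)
 {
 if (kb->kbd_macro_ptr - kb->kbd_macro_buffer == kb->kbd_macro_bufsize)
 {
-int ptr_offset, end_offset, nbytes;
+ptrdiff_t ptr_offset, end_offset, nbytes;
 
 ptr_offset = kb->kbd_macro_ptr - kb->kbd_macro_buffer;
 end_offset = kb->kbd_macro_end - kb->kbd_macro_buffer;
-kb->kbd_macro_bufsize *= 2;
-nbytes = kb->kbd_macro_bufsize * sizeof *kb->kbd_macro_buffer;
+if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *kb->kbd_macro_buffer / 2
+< kb->kbd_macro_bufsize)
+memory_full (SIZE_MAX);
+nbytes = kb->kbd_macro_bufsize * 2 * sizeof *kb->kbd_macro_buffer;
 kb->kbd_macro_buffer
 = (Lisp_Object *) xrealloc (kb->kbd_macro_buffer, nbytes);
+kb->kbd_macro_bufsize *= 2;
 kb->kbd_macro_ptr = kb->kbd_macro_buffer + ptr_offset;
 kb->kbd_macro_end = kb->kbd_macro_buffer + end_offset;
 }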
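Review bot: The overflow guard added in Fstart_kbd_macro (new-side lines 98–100) tests `kbd_macro_bufsize`, but the quantity actually multiplied on new-side line 103 is `len + 30`, and this branch is only entered when `bufsize < len + 30`, so bounding bufsize says nothing about whether `(len + 30) * sizeof (Lisp_Object)` can wrap. The comparison should be against the length being allocated: `if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (Lisp_Object) - 30 < len)`. In practice `len` is the length of an existing Lisp object and presumably cannot approach the limit, so this is likely unreachable rather than exploitable, but a guard on the wrong operand reads as if the case were covered when it is not. The analogous check in store_kbd_macro_char (new-side lines 202–205) is correct, since there the allocation size really is derived from `kbd_macro_bufsize`. Fstart_kbd_macro's body begins and ends outside these hunks.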