aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorPaul Eggert2011-07-28 13:28:33 -0700
committerPaul Eggert2011-07-28 13:28:33 -0700
commit6e1fc4528b8dcb84ba7d173f6c350cfba5385634 (patch)
tree26c7a743d214aa54860fb62a689ba311d7ffc646 /src
parentbc18e09ddf639fbd59e6d2ef238fdaf4e31fb6a3 (diff)
downloademacs-6e1fc4528b8dcb84ba7d173f6c350cfba5385634.tar.gz
emacs-6e1fc4528b8dcb84ba7d173f6c350cfba5385634.zip
* buffer.c: Memory overflow fixes.
(overlays_at, overlays_in, record_overlay_string, overlay_strings): Don't update size of array until after memory allocation succeeds, because xmalloc/xrealloc may not return.
Diffstat (limited to 'src')
-rw-r--r--src/ChangeLog5
-rw-r--r--src/buffer.c21
2 files changed, 14 insertions, 12 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 0d5b41ea205..ff5dfc09330 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,10 @@
12011-07-28 Paul Eggert <eggert@cs.ucla.edu> 12011-07-28 Paul Eggert <eggert@cs.ucla.edu>
2 2
3 * buffer.c: Memory overflow fixes.
4 (overlays_at, overlays_in, record_overlay_string, overlay_strings):
5 Don't update size of array until after memory allocation succeeds,
6 because xmalloc/xrealloc may not return.
7
3 * bidi.c: Integer overflow fix. 8 * bidi.c: Integer overflow fix.
4 (bidi_shelve_header_size): New constant. 9 (bidi_shelve_header_size): New constant.
5 (bidi_cache_ensure_space, bidi_shelve_cache): Use it. 10 (bidi_cache_ensure_space, bidi_shelve_cache): Use it.
diff --git a/src/buffer.c b/src/buffer.c
index a40275db8de..fc9d3b5bd40 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -2572,9 +2572,9 @@ overlays_at (EMACS_INT pos, int extend, Lisp_Object **vec_ptr,
2572 memory_full (SIZE_MAX); 2572 memory_full (SIZE_MAX);
2573 /* Make it work with an initial len == 0. */ 2573 /* Make it work with an initial len == 0. */
2574 len = len * 2 + 4; 2574 len = len * 2 + 4;
2575 *len_ptr = len;
2576 vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object)); 2575 vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
2577 *vec_ptr = vec; 2576 *vec_ptr = vec;
2577 *len_ptr = len;
2578 } 2578 }
2579 else 2579 else
2580 inhibit_storing = 1; 2580 inhibit_storing = 1;
@@ -2615,9 +2615,9 @@ overlays_at (EMACS_INT pos, int extend, Lisp_Object **vec_ptr,
2615 memory_full (SIZE_MAX); 2615 memory_full (SIZE_MAX);
2616 /* Make it work with an initial len == 0. */ 2616 /* Make it work with an initial len == 0. */
2617 len = len * 2 + 4; 2617 len = len * 2 + 4;
2618 *len_ptr = len;
2619 vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object)); 2618 vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
2620 *vec_ptr = vec; 2619 *vec_ptr = vec;
2620 *len_ptr = len;
2621 } 2621 }
2622 else 2622 else
2623 inhibit_storing = 1; 2623 inhibit_storing = 1;
@@ -2712,9 +2712,9 @@ overlays_in (EMACS_INT beg, EMACS_INT end, int extend,
2712 memory_full (SIZE_MAX); 2712 memory_full (SIZE_MAX);
2713 /* Make it work with an initial len == 0. */ 2713 /* Make it work with an initial len == 0. */
2714 len = len * 2 + 4; 2714 len = len * 2 + 4;
2715 *len_ptr = len;
2716 vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object)); 2715 vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
2717 *vec_ptr = vec; 2716 *vec_ptr = vec;
2717 *len_ptr = len;
2718 } 2718 }
2719 else 2719 else
2720 inhibit_storing = 1; 2720 inhibit_storing = 1;
@@ -2760,9 +2760,9 @@ overlays_in (EMACS_INT beg, EMACS_INT end, int extend,
2760 memory_full (SIZE_MAX); 2760 memory_full (SIZE_MAX);
2761 /* Make it work with an initial len == 0. */ 2761 /* Make it work with an initial len == 0. */
2762 len = len * 2 + 4; 2762 len = len * 2 + 4;
2763 *len_ptr = len;
2764 vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object)); 2763 vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
2765 *vec_ptr = vec; 2764 *vec_ptr = vec;
2765 *len_ptr = len;
2766 } 2766 }
2767 else 2767 else
2768 inhibit_storing = 1; 2768 inhibit_storing = 1;
@@ -2978,15 +2978,12 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
2978 2978
2979 if (ssl->used == ssl->size) 2979 if (ssl->used == ssl->size)
2980 { 2980 {
2981 if (min (PTRDIFF_MAX, SIZE_MAX) / (sizeof (struct sortstr) * 2) 2981 ptrdiff_t ssl_size = 0 < ssl->size ? ssl->size * 2 : 5;
2982 < ssl->size) 2982 if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (struct sortstr) < ssl_size)
2983 memory_full (SIZE_MAX); 2983 memory_full (SIZE_MAX);
2984 else if (0 < ssl->size)
2985 ssl->size *= 2;
2986 else
2987 ssl->size = 5;
2988 ssl->buf = ((struct sortstr *) 2984 ssl->buf = ((struct sortstr *)
2989 xrealloc (ssl->buf, ssl->size * sizeof (struct sortstr))); 2985 xrealloc (ssl->buf, ssl_size * sizeof (struct sortstr)));
2986 ssl->size = ssl_size;
2990 } 2987 }
2991 ssl->buf[ssl->used].string = str; 2988 ssl->buf[ssl->used].string = str;
2992 ssl->buf[ssl->used].string2 = str2; 2989 ssl->buf[ssl->used].string2 = str2;
@@ -3111,9 +3108,9 @@ overlay_strings (EMACS_INT pos, struct window *w, unsigned char **pstr)
3111 3108
3112 if (total > overlay_str_len) 3109 if (total > overlay_str_len)
3113 { 3110 {
3114 overlay_str_len = total;
3115 overlay_str_buf = (unsigned char *)xrealloc (overlay_str_buf, 3111 overlay_str_buf = (unsigned char *)xrealloc (overlay_str_buf,
3116 total); 3112 total);
3113 overlay_str_len = total;
3117 } 3114 }
3118 p = overlay_str_buf; 3115 p = overlay_str_buf;
3119 for (i = overlay_tails.used; --i >= 0;) 3116 for (i = overlay_tails.used; --i >= 0;)
generated by cgit v1.2.1 (git 2.18.0) at 2026-01-19 00:14:51 +0000