diff options
| author | Paul Eggert | 2011-07-28 18:52:29 -0700 |
|---|---|---|
| committer | Paul Eggert | 2011-07-28 18:52:29 -0700 |
| commit | b7b603a0dca7695a852db57f8983bc0239f49678 (patch) | |
| tree | 1ce32b01de38b435aa8cf22fe32ba33003bc202f /src | |
| parent | a5a5cbd4e3e55e5dd2afc6826f572c8520350855 (diff) | |
| download | emacs-b7b603a0dca7695a852db57f8983bc0239f49678.tar.gz emacs-b7b603a0dca7695a852db57f8983bc0239f49678.zip | |
* xfaces.c: Integer and memory overflow fixes.
(Finternal_make_lisp_face): Use ptrdiff_t, not int, for sizes.
Check for size calculation overflow.
(cache_face): Do not overflow in size calculation.
Diffstat (limited to 'src')
| -rw-r--r-- | src/ChangeLog | 5 | ||||
| -rw-r--r-- | src/xfaces.c | 14 |
2 files changed, 16 insertions, 3 deletions
diff --git a/src/ChangeLog b/src/ChangeLog index a7bc6bdd461..3ac8c562a52 100644 --- a/src/ChangeLog +++ b/src/ChangeLog | |||
| @@ -1,5 +1,10 @@ | |||
| 1 | 2011-07-29 Paul Eggert <eggert@cs.ucla.edu> | 1 | 2011-07-29 Paul Eggert <eggert@cs.ucla.edu> |
| 2 | 2 | ||
| 3 | * xfaces.c: Integer and memory overflow fixes. | ||
| 4 | (Finternal_make_lisp_face): Use ptrdiff_t, not int, for sizes. | ||
| 5 | Check for size calculation overflow. | ||
| 6 | (cache_face): Do not overflow in size calculation. | ||
| 7 | |||
| 3 | * xdisp.c: Integer and memory overflow fixes. | 8 | * xdisp.c: Integer and memory overflow fixes. |
| 4 | (store_mode_line_noprop_char, x_consider_frame_title): | 9 | (store_mode_line_noprop_char, x_consider_frame_title): |
| 5 | Use ptrdiff_t, not int, for sizes. | 10 | Use ptrdiff_t, not int, for sizes. |
diff --git a/src/xfaces.c b/src/xfaces.c index e0dc2883f33..996bcdaf6ad 100644 --- a/src/xfaces.c +++ b/src/xfaces.c | |||
| @@ -2667,8 +2667,13 @@ Value is a vector of face attributes. */) | |||
| 2667 | property `face' of the Lisp face name. */ | 2667 | property `face' of the Lisp face name. */ |
| 2668 | if (next_lface_id == lface_id_to_name_size) | 2668 | if (next_lface_id == lface_id_to_name_size) |
| 2669 | { | 2669 | { |
| 2670 | int new_size = max (50, 2 * lface_id_to_name_size); | 2670 | ptrdiff_t new_size, sz; |
| 2671 | int sz = new_size * sizeof *lface_id_to_name; | 2671 | if (min (min (PTRDIFF_MAX, SIZE_MAX) / 2 / sizeof *lface_id_to_name, |
| 2672 | MOST_POSITIVE_FIXNUM) | ||
| 2673 | < lface_id_to_name_size) | ||
| 2674 | memory_full (SIZE_MAX); | ||
| 2675 | new_size = max (50, 2 * lface_id_to_name_size); | ||
| 2676 | sz = new_size * sizeof *lface_id_to_name; | ||
| 2672 | lface_id_to_name = (Lisp_Object *) xrealloc (lface_id_to_name, sz); | 2677 | lface_id_to_name = (Lisp_Object *) xrealloc (lface_id_to_name, sz); |
| 2673 | lface_id_to_name_size = new_size; | 2678 | lface_id_to_name_size = new_size; |
| 2674 | } | 2679 | } |
| @@ -4411,7 +4416,10 @@ cache_face (struct face_cache *c, struct face *face, unsigned int hash) | |||
| 4411 | if (c->used == c->size) | 4416 | if (c->used == c->size) |
| 4412 | { | 4417 | { |
| 4413 | int new_size, sz; | 4418 | int new_size, sz; |
| 4414 | new_size = min (2 * c->size, MAX_FACE_ID); | 4419 | new_size = |
| 4420 | min (2 * c->size, | ||
| 4421 | min (MAX_FACE_ID, | ||
| 4422 | min (PTRDIFF_MAX, SIZE_MAX) / sizeof *c->faces_by_id)); | ||
| 4415 | if (new_size == c->size) | 4423 | if (new_size == c->size) |
| 4416 | abort (); /* Alternatives? ++kfs */ | 4424 | abort (); /* Alternatives? ++kfs */ |
| 4417 | sz = new_size * sizeof *c->faces_by_id; | 4425 | sz = new_size * sizeof *c->faces_by_id; |