| author | Paul Eggert | 2011-06-22 15:36:19 -0700 |
|---|---|---|
| committer | Paul Eggert | 2011-06-22 15:36:19 -0700 |
| commit | bfbbd7e7528f1f4928c305b65ec0f9c55ed628a2 (patch) | |
| tree | bb5ee955e08b1d6da819e632fef0b90bcdfee38f /src | |
| parent | 297dde5a97c0c5c8020db72213c7f84067f1ee21 (diff) | |
* lread.c: Integer overflow issues.
(saved_doc_string_size, saved_doc_string_length)
(prev_saved_doc_string_size, prev_saved_doc_string_length):
Now ptrdiff_t, not int.
(read1): Don't assume doc string length fits in int. Check for
out-of-range doc string lengths.
(read_list): Don't assume file position fits in int.
Diffstat (limited to 'src')
| -rw-r--r-- | src/ChangeLog | 8 | ||||
| -rw-r--r-- | src/lread.c | 23 |
2 files changed, 21 insertions, 10 deletions
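--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,13 @@
 2011-06-22 Paul Eggert <eggert@cs.ucla.edu>
 
+* lread.c: Integer overflow issues.
+(saved_doc_string_size, saved_doc_string_length)
+(prev_saved_doc_string_size, prev_saved_doc_string_length):
+Now ptrdiff_t, not int.
+(read1): Don't assume doc string length fits in int. Check for
+out-of-range doc string lengths.
+(read_list): Don't assume file position fits in int.
+
 Fixes for GLYPH_DEBUG found by GCC 4.6.0 static checking.
 The following patches are for when GLYPH_DEBUG && !XASSERT.
 * dispextern.h (trace_redisplay_p, dump_glyph_string):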
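--- a/src/lread.c
+++ b/src/lread.c
@@ -120,9 +120,9 @@ static EMACS_INT readchar_count;
 /* This contains the last string skipped with #@. */
 static char *saved_doc_string;
 /* Length of buffer allocated in saved_doc_string. */
-static int saved_doc_string_size;
+static ptrdiff_t saved_doc_string_size;
 /* Length of actual data in saved_doc_string. */
-static int saved_doc_string_length;
+static ptrdiff_t saved_doc_string_length;
 /* This is the file position that string came from. */
 static file_offset saved_doc_string_position;
 
@@ -131,9 +131,9 @@ static file_offset saved_doc_string_position;
 is put in saved_doc_string. */
 static char *prev_saved_doc_string;
 /* Length of buffer allocated in prev_saved_doc_string. */
-static int prev_saved_doc_string_size;
+static ptrdiff_t prev_saved_doc_string_size;
 /* Length of actual data in prev_saved_doc_string. */
-static int prev_saved_doc_string_length;
+static ptrdiff_t prev_saved_doc_string_length;
 /* This is the file position that string came from. */
 static file_offset prev_saved_doc_string_position;
 
@@ -2569,13 +2569,16 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
 and function definitions. */
 if (c == '@')
 {
-int i, nskip = 0;
+enum { extra = 100 };
+ptrdiff_t i, nskip = 0;
 
 load_each_byte = 1;
 /* Read a decimal integer. */
 while ((c = READCHAR) >= 0
 && c >= '0' && c <= '9')
 {
+if ((STRING_BYTES_BOUND - extra) / 10 <= nskip)
+string_overflow ();
 nskip *= 10;
 nskip += c - '0';
 }
@@ -2594,9 +2597,9 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
 with prev_saved_doc_string, so we save two strings. */
 {
 char *temp = saved_doc_string;
-int temp_size = saved_doc_string_size;
+ptrdiff_t temp_size = saved_doc_string_size;
 file_offset temp_pos = saved_doc_string_position;
-int temp_len = saved_doc_string_length;
+ptrdiff_t temp_len = saved_doc_string_length;
 
 saved_doc_string = prev_saved_doc_string;
 saved_doc_string_size = prev_saved_doc_string_size;
@@ -2611,12 +2614,12 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
 
 if (saved_doc_string_size == 0)
 {
-saved_doc_string_size = nskip + 100;
+saved_doc_string_size = nskip + extra;
 saved_doc_string = (char *) xmalloc (saved_doc_string_size);
 }
 if (nskip > saved_doc_string_size)
 {
-saved_doc_string_size = nskip + 100;
+saved_doc_string_size = nskip + extra;
 saved_doc_string = (char *) xrealloc (saved_doc_string,
 saved_doc_string_size);
 }
@@ -3528,7 +3531,7 @@ read_list (int flag, register Lisp_Object readcharfun)
 doc string, caller must make it
 multibyte. */
 
-int pos = XINT (XCDR (val));
+EMACS_INT pos = XINT (XCDR (val));
 /* Position is negative for user variables. */
 if (pos < 0) pos = -pos;
 if (pos >= saved_doc_string_position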
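Review bot: In read1's `#@` branch the new guard `if ((STRING_BYTES_BOUND - extra) / 10 <= nskip)` carries no comment, and its correctness depends on the later `nskip + extra` size computations, a link the reader has to reconstruct across hunks. I would add above it `/* Keep nskip * 10 + 9 + extra below STRING_BYTES_BOUND, so the multiply below and the later nskip + extra cannot overflow. */`. The count is read from the file being loaded, so the guard bounds the arithmetic but still allows a single `#@` count to request a buffer close to STRING_BYTES_BOUND from xmalloc/xrealloc before any of the string is read; whether that is acceptable depends on how allocation failure is handled, which is outside these hunks. In read_list, `XINT (XCDR (val))` is now stored in an EMACS_INT, but the hunk does not show a check that the cdr is an integer, which is worth confirming since that value presumably also originates in the loaded file. Both read1 and read_list start and end outside the hunks shown.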