* ccl.c (ccl_driver, Fregister_code_conversion_map): Check that Vcode_version_map_vector is a vector.

author: Paul Eggert 2011-09-27 08:56:04 -0700
committer: Paul Eggert 2011-09-27 08:56:04 -0700
commit: c801946a9290fe742d87053615495e68d04ec6be (patch)
tree: 1404a9de0353948071734ceb998205deba409934 /src
parent: d99fb284f7ccb502ce12d7bd96350d0e2d3af1b4 (diff)
download: emacs-c801946a9290fe742d87053615495e68d04ec6be.tar.gz
emacs-c801946a9290fe742d87053615495e68d04ec6be.zip
2 files changed, 16 insertions, 5 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 9857461143a..696123c6c1d 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,4 +1,4 @@
-2011-09-26  Paul Eggert  <eggert@cs.ucla.edu>
+2011-09-27  Paul Eggert  <eggert@cs.ucla.edu>
        * alloc.c (pure_bytes_used_lisp, pure_bytes_used_non_lisp):
        (allocate_vectorlike, buffer_memory_full, struct sdata, SDATA_SIZE)
@@ -75,6 +75,8 @@
        (ccl_driver):
        Use ptrdiff_t, not EMACS_INT, where ptrdiff_t is wide enough.
        For CCL_MapSingle, check that content and value are in int range.
+        (ccl_driver, Fregister_code_conversion_map):
+        Check that Vcode_version_map_vector is a vector.
        (resolve_symbol_ccl_program): Check that vector header is in range.
        Always copy the vector, so that we can check its contents reliably
        now rather than having to recheck each instruction as it's being
diff --git a/src/ccl.c b/src/ccl.c
index ffd412bba3e..4764fa0f5b5 100644
--- a/src/ccl.c
+++ b/src/ccl.c
@@ -1371,7 +1371,7 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
                for (;i < j;i++)
                  {
+                    if (!VECTORP (Vcode_conversion_map_vector)) continue;
                    size = ASIZE (Vcode_conversion_map_vector);
                    point = XINT (ccl_prog[ic++]);
                    if (! (0 <= point && point < size)) continue;
@@ -1447,7 +1447,8 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
            case CCL_MapMultiple:
              {
                Lisp_Object map, content, attrib, value;
-                int point, size, map_vector_size;
+                EMACS_INT point;
+                ptrdiff_t size, map_vector_size;
                int map_set_rest_length, fin_ic;
                int current_ic = this_ic;
@@ -1530,6 +1531,8 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
                        break;
                      }
                  }
+                if (!VECTORP (Vcode_conversion_map_vector))
+                  CCL_INVALID_CMD;
                map_vector_size = ASIZE (Vcode_conversion_map_vector);
                do {
@@ -1652,7 +1655,8 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
                int point;
                j = XINT (ccl_prog[ic++]); /* map_id */
                op = reg[rrr];
-                if (j >= ASIZE (Vcode_conversion_map_vector))
+                if (! (VECTORP (Vcode_conversion_map_vector)
+                       && j < ASIZE (Vcode_conversion_map_vector)))
                  {
                    reg[RRR] = -1;
                    break;
@@ -1665,6 +1669,7 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
                  }
                map = XCDR (map);
                if (! (VECTORP (map)
+                       && 0 < ASIZE (map)
                       && INTEGERP (AREF (map, 0))
                       && XINT (AREF (map, 0)) <= op
                       && op - XINT (AREF (map, 0)) + 1 < ASIZE (map)))
@@ -2257,12 +2262,16 @@ DEFUN ("register-code-conversion-map", Fregister_code_conversion_map,
 Return index number of the registered map.  */)
  (Lisp_Object symbol, Lisp_Object map)
 {
-  ptrdiff_t len = ASIZE (Vcode_conversion_map_vector);
+  ptrdiff_t len;
  ptrdiff_t i;
  Lisp_Object idx;
  CHECK_SYMBOL (symbol);
  CHECK_VECTOR (map);
+  if (! VECTORP (Vcode_conversion_map_vector))
+    error ("Invalid code-conversion-map-vector");
+  len = ASIZE (Vcode_conversion_map_vector);
  for (i = 0; i < len; i++)
    {
author	Paul Eggert	2011-09-27 08:56:04 -0700
committer	Paul Eggert	2011-09-27 08:56:04 -0700
commit	c801946a9290fe742d87053615495e68d04ec6be (patch)
tree	1404a9de0353948071734ceb998205deba409934 /src
parent	d99fb284f7ccb502ce12d7bd96350d0e2d3af1b4 (diff)
download	emacs-c801946a9290fe742d87053615495e68d04ec6be.tar.gz emacs-c801946a9290fe742d87053615495e68d04ec6be.zip

diff --git a/src/ChangeLog b/src/ChangeLog index 9857461143a..696123c6c1d 100644 --- a/src/ChangeLog +++ b/src/ChangeLog
@@ -1,4 +1,4 @@
1	2011-09-26 Paul Eggert <eggert@cs.ucla.edu>	1	2011-09-27 Paul Eggert <eggert@cs.ucla.edu>
2		2
3	* alloc.c (pure_bytes_used_lisp, pure_bytes_used_non_lisp):	3	* alloc.c (pure_bytes_used_lisp, pure_bytes_used_non_lisp):
4	(allocate_vectorlike, buffer_memory_full, struct sdata, SDATA_SIZE)	4	(allocate_vectorlike, buffer_memory_full, struct sdata, SDATA_SIZE)
@@ -75,6 +75,8 @@
75	(ccl_driver):	75	(ccl_driver):
76	Use ptrdiff_t, not EMACS_INT, where ptrdiff_t is wide enough.	76	Use ptrdiff_t, not EMACS_INT, where ptrdiff_t is wide enough.
77	For CCL_MapSingle, check that content and value are in int range.	77	For CCL_MapSingle, check that content and value are in int range.
		78	(ccl_driver, Fregister_code_conversion_map):
		79	Check that Vcode_version_map_vector is a vector.
78	(resolve_symbol_ccl_program): Check that vector header is in range.	80	(resolve_symbol_ccl_program): Check that vector header is in range.
79	Always copy the vector, so that we can check its contents reliably	81	Always copy the vector, so that we can check its contents reliably
80	now rather than having to recheck each instruction as it's being	82	now rather than having to recheck each instruction as it's being


diff --git a/src/ccl.c b/src/ccl.c index ffd412bba3e..4764fa0f5b5 100644 --- a/src/ccl.c +++ b/src/ccl.c
@@ -1371,7 +1371,7 @@ ccl_driver (struct ccl_program ccl, int source, int *destination, int src_size
1371		1371
1372	for (;i < j;i++)	1372	for (;i < j;i++)
1373	{	1373	{
1374		1374	if (!VECTORP (Vcode_conversion_map_vector)) continue;
1375	size = ASIZE (Vcode_conversion_map_vector);	1375	size = ASIZE (Vcode_conversion_map_vector);
1376	point = XINT (ccl_prog[ic++]);	1376	point = XINT (ccl_prog[ic++]);
1377	if (! (0 <= point && point < size)) continue;	1377	if (! (0 <= point && point < size)) continue;
@@ -1447,7 +1447,8 @@ ccl_driver (struct ccl_program ccl, int source, int *destination, int src_size
1447	case CCL_MapMultiple:	1447	case CCL_MapMultiple:
1448	{	1448	{
1449	Lisp_Object map, content, attrib, value;	1449	Lisp_Object map, content, attrib, value;
1450	int point, size, map_vector_size;	1450	EMACS_INT point;
		1451	ptrdiff_t size, map_vector_size;
1451	int map_set_rest_length, fin_ic;	1452	int map_set_rest_length, fin_ic;
1452	int current_ic = this_ic;	1453	int current_ic = this_ic;
1453		1454
@@ -1530,6 +1531,8 @@ ccl_driver (struct ccl_program ccl, int source, int *destination, int src_size
1530	break;	1531	break;
1531	}	1532	}
1532	}	1533	}
		1534	if (!VECTORP (Vcode_conversion_map_vector))
		1535	CCL_INVALID_CMD;
1533	map_vector_size = ASIZE (Vcode_conversion_map_vector);	1536	map_vector_size = ASIZE (Vcode_conversion_map_vector);
1534		1537
1535	do {	1538	do {
@@ -1652,7 +1655,8 @@ ccl_driver (struct ccl_program ccl, int source, int *destination, int src_size
1652	int point;	1655	int point;
1653	j = XINT (ccl_prog[ic++]); /* map_id */	1656	j = XINT (ccl_prog[ic++]); /* map_id */
1654	op = reg[rrr];	1657	op = reg[rrr];
1655	if (j >= ASIZE (Vcode_conversion_map_vector))	1658	if (! (VECTORP (Vcode_conversion_map_vector)
		1659	&& j < ASIZE (Vcode_conversion_map_vector)))
1656	{	1660	{
1657	reg[RRR] = -1;	1661	reg[RRR] = -1;
1658	break;	1662	break;
@@ -1665,6 +1669,7 @@ ccl_driver (struct ccl_program ccl, int source, int *destination, int src_size
1665	}	1669	}
1666	map = XCDR (map);	1670	map = XCDR (map);
1667	if (! (VECTORP (map)	1671	if (! (VECTORP (map)
		1672	&& 0 < ASIZE (map)
1668	&& INTEGERP (AREF (map, 0))	1673	&& INTEGERP (AREF (map, 0))
1669	&& XINT (AREF (map, 0)) <= op	1674	&& XINT (AREF (map, 0)) <= op
1670	&& op - XINT (AREF (map, 0)) + 1 < ASIZE (map)))	1675	&& op - XINT (AREF (map, 0)) + 1 < ASIZE (map)))
@@ -2257,12 +2262,16 @@ DEFUN ("register-code-conversion-map", Fregister_code_conversion_map,
2257	Return index number of the registered map. */)	2262	Return index number of the registered map. */)
2258	(Lisp_Object symbol, Lisp_Object map)	2263	(Lisp_Object symbol, Lisp_Object map)
2259	{	2264	{
2260	ptrdiff_t len = ASIZE (Vcode_conversion_map_vector);	2265	ptrdiff_t len;
2261	ptrdiff_t i;	2266	ptrdiff_t i;
2262	Lisp_Object idx;	2267	Lisp_Object idx;
2263		2268
2264	CHECK_SYMBOL (symbol);	2269	CHECK_SYMBOL (symbol);
2265	CHECK_VECTOR (map);	2270	CHECK_VECTOR (map);
		2271	if (! VECTORP (Vcode_conversion_map_vector))
		2272	error ("Invalid code-conversion-map-vector");
		2273
		2274	len = ASIZE (Vcode_conversion_map_vector);
2266		2275
2267	for (i = 0; i < len; i++)	2276	for (i = 0; i < len; i++)
2268	{	2277	{