* bidi.c (bidi_cache_ensure_space): Also check that the bidi cache size

does not exceed that of the largest Lisp string or buffer.  See Eli
Zaretskii in <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=9079#29>.

2 files changed, 13 insertions, 3 deletions

diff --git a/src/ChangeLog b/src/ChangeLog
index c19786fb72c..493b3277f52 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -15,6 +15,9 @@
         Don't set bidi_cache_size until after xrealloc returns, because it
         might not return.
         (bidi_dump_cached_states): Use ptrdiff_t, not int, to avoid overflow.
+        (bidi_cache_ensure_space): Also check that the bidi cache size
+        does not exceed that of the largest Lisp string or buffer.  See Eli
+        Zaretskii in <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=9079#29>.
 
         * alloc.c (__malloc_size_t): Remove.
         All uses replaced by size_t.  See Andreas Schwab's note
diff --git a/src/bidi.c b/src/bidi.c
index 1999606639b..697ebb92856 100644
--- a/src/bidi.c
+++ b/src/bidi.c
@@ -464,9 +464,16 @@ bidi_cache_ensure_space (ptrdiff_t idx)
   if (idx >= bidi_cache_size)
     {
       ptrdiff_t new_size;
-      ptrdiff_t max_size =
-        min (PTRDIFF_MAX, SIZE_MAX) / elsz / BIDI_CACHE_CHUNK * BIDI_CACHE_CHUNK;
-      if (max_size <= idx)
+
+      /* The bidi cache cannot be larger than the largest Lisp string
+         or buffer.  */
+      ptrdiff_t string_or_buffer_bound =
+        max (BUF_BYTES_MAX, STRING_BYTES_BOUND);
+
+      /* Also, it cannot be larger than what C can represent.  */
+      ptrdiff_t c_bound = min (PTRDIFF_MAX, SIZE_MAX) / elsz;
+
+      if (min (string_or_buffer_bound, c_bound) <= idx)
         memory_full (SIZE_MAX);
       new_size = idx - idx % BIDI_CACHE_CHUNK + BIDI_CACHE_CHUNK;
       bidi_cache = (struct bidi_it *) xrealloc (bidi_cache, new_size * elsz);