* print.c (printchar, strout): Check for string overflow.

(PRINTPREPARE, printchar, strout):
Don't set size unless allocation succeeds.

2 files changed, 23 insertions, 9 deletions

diff --git a/src/ChangeLog b/src/ChangeLog
index 1be34fdbfe2..7948766690f 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,9 @@
 2011-06-23  Paul Eggert  <eggert@cs.ucla.edu>
 
+        * print.c (printchar, strout): Check for string overflow.
+        (PRINTPREPARE, printchar, strout):
+        Don't set size unless allocation succeeds.
+
         * minibuf.c (read_minibuf_noninteractive): Use ptrdiff_t, not int,
         for sizes.  Check for string overflow more accurately.
         Simplify newline removal at end; this suppresses a GCC 4.6.0 warning.
diff --git a/src/print.c b/src/print.c
index d07f89702cc..009bea34f65 100644
--- a/src/print.c
+++ b/src/print.c
@@ -159,8 +159,9 @@ int print_output_debug_flag EXTERNALLY_VISIBLE = 1;
          }                                                              \
        else                                                             \
          {                                                              \
-           print_buffer_size = 1000;                                    \
-           print_buffer = (char *) xmalloc (print_buffer_size);         \
+           ptrdiff_t new_size = 1000;                                   \
+           print_buffer = (char *) xmalloc (new_size);                  \
+           print_buffer_size = new_size;                                \
            free_print_buffer = 1;                                       \
          }                                                              \
        print_buffer_pos = 0;                                            \
@@ -235,9 +236,15 @@ printchar (unsigned int ch, Lisp_Object fun)
 
       if (NILP (fun))
         {
-          if (print_buffer_pos_byte + len >= print_buffer_size)
-            print_buffer = (char *) xrealloc (print_buffer,
-                                              print_buffer_size *= 2);
+          if (print_buffer_size - len <= print_buffer_pos_byte)
+            {
+              ptrdiff_t new_size;
+              if (STRING_BYTES_BOUND / 2 < print_buffer_size)
+                string_overflow ();
+              new_size = print_buffer_size * 2;
+              print_buffer = (char *) xrealloc (print_buffer, new_size);
+              print_buffer_size = new_size;
+            }
           memcpy (print_buffer + print_buffer_pos_byte, str, len);
           print_buffer_pos += 1;
           print_buffer_pos_byte += len;
@@ -280,11 +287,14 @@ strout (const char *ptr, EMACS_INT size, EMACS_INT size_byte,
 
   if (NILP (printcharfun))
     {
-      if (print_buffer_pos_byte + size_byte > print_buffer_size)
+      if (print_buffer_size - size_byte < print_buffer_pos_byte)
         {
-          print_buffer_size = print_buffer_size * 2 + size_byte;
-          print_buffer = (char *) xrealloc (print_buffer,
-                                            print_buffer_size);
+          ptrdiff_t new_size;
+          if (STRING_BYTES_BOUND / 2 - size_byte < print_buffer_size)
+            string_overflow ();
+          new_size = print_buffer_size * 2 + size_byte;
+          print_buffer = (char *) xrealloc (print_buffer, new_size);
+          print_buffer_size = new_size;
         }
       memcpy (print_buffer + print_buffer_pos_byte, ptr, size_byte);
       print_buffer_pos += size;