Merge from emacs-24; up to 2012-11-09T14:45:15Z!dmantipov@yandex.ru

author: Glenn Morris 2012-11-12 18:25:59 -0800
committer: Glenn Morris 2012-11-12 18:25:59 -0800
commit: f78ee6afc094cdfd6162bfd645836e84875dcddf (patch)
tree: 3a2c4f5d6441e53adadb69ed2af0b64abf3cf239 /src
parent: b95a9c0cba301ef8f1920a1d123ccd6873c14a63 (diff)
parent: f8705f6e3102454bf1e3213956eb3ac8160ff047 (diff)
download: emacs-f78ee6afc094cdfd6162bfd645836e84875dcddf.tar.gz
emacs-f78ee6afc094cdfd6162bfd645836e84875dcddf.zip
2 files changed, 19 insertions, 5 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 5905c667852..88352c201b6 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,11 @@
+2012-11-13  Eli Zaretskii  <eliz@gnu.org>
+        * xdisp.c (decode_mode_spec): Limit the value of WIDTH argument
+        passed to pint2str and pint2hrstr to be at most the size of the
+        frame's decode_mode_spec_buffer.  This avoids crashes with very
+        large values of FIELD_WIDTH argument to decode_mode_spec.
+        (Bug#12867)
 2012-11-13  Paul Eggert  <eggert@cs.ucla.edu>
        Fix a race with verify-visited-file-modtime (Bug#12863).
diff --git a/src/xdisp.c b/src/xdisp.c
index 5bda3347fe8..12d7b89291c 100644
--- a/src/xdisp.c
+++ b/src/xdisp.c
@@ -21371,6 +21371,12 @@ decode_mode_spec (struct window *w, register int c, int field_width,
  Lisp_Object obj;
  struct frame *f = XFRAME (WINDOW_FRAME (w));
  char *decode_mode_spec_buf = f->decode_mode_spec_buffer;
+  /* We are going to use f->decode_mode_spec_buffer as the buffer to
+     produce strings from numerical values, so limit preposterously
+     large values of FIELD_WIDTH to avoid overrunning the buffer's
+     end.  The size of the buffer is enough for FRAME_MESSAGE_BUF_SIZE
+     bytes plus the terminating null.  */
+  int width = min (field_width, FRAME_MESSAGE_BUF_SIZE (f));
  struct buffer *b = current_buffer;
  obj = Qnil;
@@ -21466,7 +21472,7 @@ decode_mode_spec (struct window *w, register int c, int field_width,
        {
          ptrdiff_t col = current_column ();
          wset_column_number_displayed (w, make_number (col));
-          pint2str (decode_mode_spec_buf, field_width, col);
+          pint2str (decode_mode_spec_buf, width, col);
          return decode_mode_spec_buf;
        }
@@ -21497,14 +21503,14 @@ decode_mode_spec (struct window *w, register int c, int field_width,
    case 'i':
      {
        ptrdiff_t size = ZV - BEGV;
-        pint2str (decode_mode_spec_buf, field_width, size);
+        pint2str (decode_mode_spec_buf, width, size);
        return decode_mode_spec_buf;
      }
    case 'I':
      {
        ptrdiff_t size = ZV - BEGV;
-        pint2hrstr (decode_mode_spec_buf, field_width, size);
+        pint2hrstr (decode_mode_spec_buf, width, size);
        return decode_mode_spec_buf;
      }
@@ -21611,12 +21617,12 @@ decode_mode_spec (struct window *w, register int c, int field_width,
        line_number_displayed = 1;
        /* Make the string to show.  */
-        pint2str (decode_mode_spec_buf, field_width, topline + nlines);
+        pint2str (decode_mode_spec_buf, width, topline + nlines);
        return decode_mode_spec_buf;
    no_value:
        {
          char* p = decode_mode_spec_buf;
-          int pad = field_width - 2;
+          int pad = width - 2;
          while (pad-- > 0)
            *p++ = ' ';
          *p++ = '?';
author	Glenn Morris	2012-11-12 18:25:59 -0800
committer	Glenn Morris	2012-11-12 18:25:59 -0800
commit	f78ee6afc094cdfd6162bfd645836e84875dcddf (patch)
tree	3a2c4f5d6441e53adadb69ed2af0b64abf3cf239 /src
parent	b95a9c0cba301ef8f1920a1d123ccd6873c14a63 (diff)
parent	f8705f6e3102454bf1e3213956eb3ac8160ff047 (diff)
download	emacs-f78ee6afc094cdfd6162bfd645836e84875dcddf.tar.gz emacs-f78ee6afc094cdfd6162bfd645836e84875dcddf.zip