1 files changed, 199 insertions, 0 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index e204ff2040b..10f6e326891 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,202 @@
+2011-07-28  Paul Eggert  <eggert@cs.ucla.edu>
+        Integer signedness and overflow and related fixes.  (Bug#9079)
+        * bidi.c: Integer size and overflow fixes.
+        (bidi_cache_size, bidi_cache_idx, bidi_cache_last_idx)
+        (bidi_cache_start, bidi_cache_fetch_state, bidi_cache_search)
+        (bidi_cache_find_level_change, bidi_cache_ensure_space)
+        (bidi_cache_iterator_state, bidi_cache_find, bidi_cache_start_stack)
+        (bidi_find_other_level_edge):
+        Use ptrdiff_t instead of EMACS_INT where either will do.
+        This works better on 32-bit hosts configured --with-wide-int.
+        (bidi_cache_ensure_space): Check for size-calculation overflow.
+        Use % rather than repeated addition, for better worst-case speed.
+        Don't set bidi_cache_size until after xrealloc returns, because it
+        might not return.
+        (bidi_dump_cached_states): Use ptrdiff_t, not int, to avoid overflow.
+        (bidi_cache_ensure_space): Also check that the bidi cache size
+        does not exceed that of the largest Lisp string or buffer.  See Eli
+        Zaretskii in <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=9079#29>.
+        * alloc.c (__malloc_size_t): Remove.
+        All uses replaced by size_t.  See Andreas Schwab's note
+        <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=9079#8>.
+        * image.c: Improve checking for integer overflow.
+        (check_image_size): Assume that f is nonnull, since
+        it is always nonnull in practice.  This is one less thing to
+        worry about when checking for integer overflow later.
+        (x_check_image_size): New function, which checks for integer
+        overflow issues inside X.
+        (x_create_x_image_and_pixmap, xbm_read_bitmap_data): Use it.
+        This removes the need for a memory_full check.
+        (xbm_image_p): Rewrite to avoid integer multiplication overflow.
+        (Create_Pixmap_From_Bitmap_Data, xbm_load): Use x_check_image_size.
+        (xbm_read_bitmap_data): Change locals back to 'int', since
+        their values must fit in 'int'.
+        (xpm_load_image, png_load, tiff_load):
+        Invoke x_create_x_image_and_pixmap earlier,
+        to avoid much needless work if the image is too large.
+        (tiff_load): Treat overly large images as if
+        x_create_x_image_and_pixmap failed, not as malloc failures.
+        (gs_load): Use x_check_image_size.
+        * gtkutil.c: Omit integer casts.
+        (xg_get_pixbuf_from_pixmap): Remove unnecessary cast.
+        (xg_set_toolkit_scroll_bar_thumb): Rewrite to avoid need for cast.
+        * image.c (png_load): Don't assume height * row_bytes fits in 'int'.
+        * xfaces.c (Fbitmap_spec_p): Fix integer overflow bug.
+        Without this fix, (bitmap-spec-p '(34359738368 1 "x"))
+        would wrongly return t on a 64-bit host.
+        * dispnew.c (init_display): Use *_RANGE_OVERFLOW macros.
+        The plain *_OVERFLOW macros run afoul of GCC bug 49705
+        <http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49705>
+        and therefore cause GCC to emit a bogus diagnostic in some cases.
+        * image.c: Integer signedness and overflow and related fixes.
+        This is not an exhaustive set of fixes, but it's time to
+        record what I've got.
+        (lookup_pixel_color, check_image_size): Remove redundant decls.
+        (check_image_size): Don't assume that arbitrary EMACS_INT values
+        fit in 'int', or that arbitrary 'double' values fit in 'int'.
+        (x_alloc_image_color, x_create_x_image_and_pixmap, png_load)
+        (tiff_load, imagemagick_load_image):
+        Check for overflow in size calculations.
+        (x_create_x_image_and_pixmap): Remove unnecessary test for
+        xmalloc returning NULL; that can't happen.
+        (xbm_read_bitmap_data): Don't assume sizes fit into 'int'.
+        (xpm_color_bucket): Use better integer hashing function.
+        (xpm_cache_color): Don't possibly over-allocate memory.
+        (struct png_memory_storage, tiff_memory_source, tiff_seek_in_memory)
+        (gif_memory_source):
+        Use ptrdiff_t, not int or size_t, to record sizes.
+        (png_load): Don't assume values greater than 2**31 fit in 'int'.
+        (our_stdio_fill_input_buffer): Prefer ptrdiff_t to size_t when
+        either works, as we prefer signed integers.
+        (tiff_read_from_memory, tiff_write_from_memory):
+        Return tsize_t, not size_t, since that's what the TIFF API wants.
+        (tiff_read_from_memory): Don't fail simply because the read would
+        go past EOF; instead, return a short read.
+        (tiff_load): Omit no-longer-needed casts.
+        (Fimagemagick_types): Don't assume size fits into 'int'.
+        Improve hashing quality when configured --with-wide-int.
+        * fns.c (hash_string): New function, taken from sxhash_string.
+        Do not discard information about ASCII character case; this
+        discarding is no longer needed.
+        (sxhash-string): Use it.  Change sig to match it.  Caller changed.
+        * lisp.h: Declare it.
+        * lread.c (hash_string): Remove, since we now use fns.c's version.
+        The fns.c version returns a wider integer if --with-wide-int is
+        specified, so this should help the quality of the hashing a bit.
+        * emacs.c: Integer overflow minor fix.
+        (heap_bss_diff): Now uprintmax_t, not unsigned long.  All used changed.
+        Define only if GNU_LINUX.
+        (main, Fdump_emacs): Set and use heap_bss_diff only if GNU_LINUX.
+        * dispnew.c: Integer signedness and overflow fixes.
+        Remove unnecessary forward decls, that were a maintenance hassle.
+        (history_tick): Now uprintmax_t, so it's more likely to avoid overflow.
+        All uses changed.
+        (adjust_glyph_matrix, realloc_glyph_pool, adjust_frame_message_buffer)
+        (scrolling_window): Use ptrdiff_t, not int, for byte count.
+        (prepare_desired_row, line_draw_cost):
+        Use int, not unsigned, where either works.
+        (save_current_matrix, restore_current_matrix):
+        Use ptrdiff_t, not size_t, where either works.
+        (init_display): Check for overflow more accurately, and without
+        relying on undefined behavior.
+        * editfns.c (pWIDE, pWIDElen, signed_wide, unsigned_wide):
+        Remove, replacing with the new symbols in lisp.h.  All uses changed.
+        * fileio.c (make_temp_name):
+        * filelock.c (lock_file_1, lock_file):
+        * xdisp.c (message_dolog):
+        Don't assume PRIdMAX etc. works; this isn't portable to pre-C99 hosts.
+        Use pMd etc. instead.
+        * lisp.h (printmax_t, uprintmax_t, pMd, pMu): New types and macros,
+        replacing the pWIDE etc. symbols removed from editfns.c.
+        * keyboard.h (num_input_events): Now uintmax_t.
+        This is (very slightly) less likely to mess up due to wraparound.
+        All uses changed.
+        * buffer.c: Integer signedness fixes.
+        (alloc_buffer_text, enlarge_buffer_text):
+        Use ptrdiff_t rather than size_t when either will do, as we prefer
+        signed integers.
+        * alloc.c: Integer signedness and overflow fixes.
+        Do not impose an arbitrary 32-bit limit on malloc sizes when debugging.
+        (__malloc_size_t): Default to size_t, not to int.
+        (pure_size, pure_bytes_used_before_overflow, stack_copy_size)
+        (Fgarbage_collect, mark_object_loop_halt, mark_object):
+        Prefer ptrdiff_t to size_t when either would do, as we prefer
+        signed integers.
+        (XMALLOC_OVERRUN_CHECK_OVERHEAD): New macro.
+        (xmalloc_overrun_check_header, xmalloc_overrun_check_trailer):
+        Now const.  Initialize with values that are in range even if char
+        is signed.
+        (XMALLOC_PUT_SIZE, XMALLOC_GET_SIZE): Remove, replacing with ...
+        (xmalloc_put_size, xmalloc_get_size): New functions.  All uses changed.
+        These functions do the right thing with sizes > 2**32.
+        (check_depth): Now ptrdiff_t, not int.
+        (overrun_check_malloc, overrun_check_realloc, overrun_check_free):
+        Adjust to new way of storing sizes.  Check for size overflow bugs
+        in rest of code.
+        (STRING_BYTES_MAX): Adjust to new overheads.  The old code was
+        slightly wrong anyway, as it missed one instance of
+        XMALLOC_OVERRUN_CHECK_OVERHEAD.
+        (refill_memory_reserve): Omit needless cast to size_t.
+        (mark_object_loop_halt): Mark as externally visible.
+        * xselect.c: Integer signedness and overflow fixes.
+        (Fx_register_dnd_atom, x_handle_dnd_message):
+        Use ptrdiff_t, not size_t, since we prefer signed.
+        (Fx_register_dnd_atom): Check for ptrdiff_t (and size_t) overflow.
+        * xterm.h (struct x_display_info): Use ptrdiff_t, not size_t, for
+        x_dnd_atoms_size and x_dnd_atoms_length.
+        * doprnt.c: Prefer signed to unsigned when either works.
+        * eval.c (verror):
+        * doprnt.c (doprnt):
+        * lisp.h (doprnt):
+        * xdisp.c (vmessage):
+        Use ptrdiff_t, not size_t, when using or implementing doprnt,
+        since the sizes cannot exceed ptrdiff_t bounds anyway, and we
+        prefer signed arithmetic to avoid comparison confusion.
+        * doprnt.c (doprnt): Avoid a "+ 1" that can't overflow,
+        but is a bit tricky.
+        Assume freestanding C89 headers, string.h, stdlib.h.
+        * data.c, doprnt.c, floatfns.c, print.c:
+        Include float.h unconditionally.
+        * gmalloc.c: Assume C89-at-least behavior for preprocessor,
+        limits.h, stddef.h, string.h.  Use memset instead of 'flood'.
+        * regex.c: Likewise for stddef.h, string.h.
+        (ISASCII): Remove; can assume it returns 1 now.  All uses removed.
+        * s/aix4-2.h (HAVE_STRING_H): Remove obsolete undef.
+        * s/ms-w32.h (HAVE_LIMITS_H, HAVE_STRING_H, HAVE_STDLIB_H)
+        (STDC_HEADERS): Remove obsolete defines.
+        * sysdep.c: Include limits.h unconditionally.
+        Assume support for memcmp, memcpy, memmove, memset.
+        * lisp.h, sysdep.c (memcmp, memcpy, memmove, memset):
+        * regex.c (memcmp, memcpy):
+        Remove; we assume C89 now.
+        * gmalloc.c (memcpy, memset, memmove): Remove; we assume C89 now.
+        (__malloc_safe_bcopy): Remove; no longer needed.
+        * lisp.h (struct vectorlike_header, struct Lisp_Subr): Signed sizes.
+        Use EMACS_INT, not EMACS_UINT, for sizes.  The code works equally
+        well either way, and we prefer signed to unsigned.
 2011-07-27  Lars Magne Ingebrigtsen  <larsi@gnus.org>
        * gnutls.c (emacs_gnutls_read): Don't message anything if the peer

diff --git a/src/ChangeLog b/src/ChangeLog index e204ff2040b..10f6e326891 100644 --- a/src/ChangeLog +++ b/src/ChangeLog
@@ -1,3 +1,202 @@
		1	2011-07-28 Paul Eggert <eggert@cs.ucla.edu>
		2
		3	Integer signedness and overflow and related fixes. (Bug#9079)
		4
		5	* bidi.c: Integer size and overflow fixes.
		6	(bidi_cache_size, bidi_cache_idx, bidi_cache_last_idx)
		7	(bidi_cache_start, bidi_cache_fetch_state, bidi_cache_search)
		8	(bidi_cache_find_level_change, bidi_cache_ensure_space)
		9	(bidi_cache_iterator_state, bidi_cache_find, bidi_cache_start_stack)
		10	(bidi_find_other_level_edge):
		11	Use ptrdiff_t instead of EMACS_INT where either will do.
		12	This works better on 32-bit hosts configured --with-wide-int.
		13	(bidi_cache_ensure_space): Check for size-calculation overflow.
		14	Use % rather than repeated addition, for better worst-case speed.
		15	Don't set bidi_cache_size until after xrealloc returns, because it
		16	might not return.
		17	(bidi_dump_cached_states): Use ptrdiff_t, not int, to avoid overflow.
		18	(bidi_cache_ensure_space): Also check that the bidi cache size
		19	does not exceed that of the largest Lisp string or buffer. See Eli
		20	Zaretskii in <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=9079#29>.
		21
		22	* alloc.c (__malloc_size_t): Remove.
		23	All uses replaced by size_t. See Andreas Schwab's note
		24	<http://debbugs.gnu.org/cgi/bugreport.cgi?bug=9079#8>.
		25
		26	* image.c: Improve checking for integer overflow.
		27	(check_image_size): Assume that f is nonnull, since
		28	it is always nonnull in practice. This is one less thing to
		29	worry about when checking for integer overflow later.
		30	(x_check_image_size): New function, which checks for integer
		31	overflow issues inside X.
		32	(x_create_x_image_and_pixmap, xbm_read_bitmap_data): Use it.
		33	This removes the need for a memory_full check.
		34	(xbm_image_p): Rewrite to avoid integer multiplication overflow.
		35	(Create_Pixmap_From_Bitmap_Data, xbm_load): Use x_check_image_size.
		36	(xbm_read_bitmap_data): Change locals back to 'int', since
		37	their values must fit in 'int'.
		38	(xpm_load_image, png_load, tiff_load):
		39	Invoke x_create_x_image_and_pixmap earlier,
		40	to avoid much needless work if the image is too large.
		41	(tiff_load): Treat overly large images as if
		42	x_create_x_image_and_pixmap failed, not as malloc failures.
		43	(gs_load): Use x_check_image_size.
		44
		45	* gtkutil.c: Omit integer casts.
		46	(xg_get_pixbuf_from_pixmap): Remove unnecessary cast.
		47	(xg_set_toolkit_scroll_bar_thumb): Rewrite to avoid need for cast.
		48
		49	* image.c (png_load): Don't assume height * row_bytes fits in 'int'.
		50
		51	* xfaces.c (Fbitmap_spec_p): Fix integer overflow bug.
		52	Without this fix, (bitmap-spec-p '(34359738368 1 "x"))
		53	would wrongly return t on a 64-bit host.
		54
		55	* dispnew.c (init_display): Use *_RANGE_OVERFLOW macros.
		56	The plain *_OVERFLOW macros run afoul of GCC bug 49705
		57	<http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49705>
		58	and therefore cause GCC to emit a bogus diagnostic in some cases.
		59
		60	* image.c: Integer signedness and overflow and related fixes.
		61	This is not an exhaustive set of fixes, but it's time to
		62	record what I've got.
		63	(lookup_pixel_color, check_image_size): Remove redundant decls.
		64	(check_image_size): Don't assume that arbitrary EMACS_INT values
		65	fit in 'int', or that arbitrary 'double' values fit in 'int'.
		66	(x_alloc_image_color, x_create_x_image_and_pixmap, png_load)
		67	(tiff_load, imagemagick_load_image):
		68	Check for overflow in size calculations.
		69	(x_create_x_image_and_pixmap): Remove unnecessary test for
		70	xmalloc returning NULL; that can't happen.
		71	(xbm_read_bitmap_data): Don't assume sizes fit into 'int'.
		72	(xpm_color_bucket): Use better integer hashing function.
		73	(xpm_cache_color): Don't possibly over-allocate memory.
		74	(struct png_memory_storage, tiff_memory_source, tiff_seek_in_memory)
		75	(gif_memory_source):
		76	Use ptrdiff_t, not int or size_t, to record sizes.
		77	(png_load): Don't assume values greater than 2**31 fit in 'int'.
		78	(our_stdio_fill_input_buffer): Prefer ptrdiff_t to size_t when
		79	either works, as we prefer signed integers.
		80	(tiff_read_from_memory, tiff_write_from_memory):
		81	Return tsize_t, not size_t, since that's what the TIFF API wants.
		82	(tiff_read_from_memory): Don't fail simply because the read would
		83	go past EOF; instead, return a short read.
		84	(tiff_load): Omit no-longer-needed casts.
		85	(Fimagemagick_types): Don't assume size fits into 'int'.
		86
		87	Improve hashing quality when configured --with-wide-int.
		88	* fns.c (hash_string): New function, taken from sxhash_string.
		89	Do not discard information about ASCII character case; this
		90	discarding is no longer needed.
		91	(sxhash-string): Use it. Change sig to match it. Caller changed.
		92	* lisp.h: Declare it.
		93	* lread.c (hash_string): Remove, since we now use fns.c's version.
		94	The fns.c version returns a wider integer if --with-wide-int is
		95	specified, so this should help the quality of the hashing a bit.
		96
		97	* emacs.c: Integer overflow minor fix.
		98	(heap_bss_diff): Now uprintmax_t, not unsigned long. All used changed.
		99	Define only if GNU_LINUX.
		100	(main, Fdump_emacs): Set and use heap_bss_diff only if GNU_LINUX.
		101
		102	* dispnew.c: Integer signedness and overflow fixes.
		103	Remove unnecessary forward decls, that were a maintenance hassle.
		104	(history_tick): Now uprintmax_t, so it's more likely to avoid overflow.
		105	All uses changed.
		106	(adjust_glyph_matrix, realloc_glyph_pool, adjust_frame_message_buffer)
		107	(scrolling_window): Use ptrdiff_t, not int, for byte count.
		108	(prepare_desired_row, line_draw_cost):
		109	Use int, not unsigned, where either works.
		110	(save_current_matrix, restore_current_matrix):
		111	Use ptrdiff_t, not size_t, where either works.
		112	(init_display): Check for overflow more accurately, and without
		113	relying on undefined behavior.
		114
		115	* editfns.c (pWIDE, pWIDElen, signed_wide, unsigned_wide):
		116	Remove, replacing with the new symbols in lisp.h. All uses changed.
		117	* fileio.c (make_temp_name):
		118	* filelock.c (lock_file_1, lock_file):
		119	* xdisp.c (message_dolog):
		120	Don't assume PRIdMAX etc. works; this isn't portable to pre-C99 hosts.
		121	Use pMd etc. instead.
		122	* lisp.h (printmax_t, uprintmax_t, pMd, pMu): New types and macros,
		123	replacing the pWIDE etc. symbols removed from editfns.c.
		124
		125	* keyboard.h (num_input_events): Now uintmax_t.
		126	This is (very slightly) less likely to mess up due to wraparound.
		127	All uses changed.
		128
		129	* buffer.c: Integer signedness fixes.
		130	(alloc_buffer_text, enlarge_buffer_text):
		131	Use ptrdiff_t rather than size_t when either will do, as we prefer
		132	signed integers.
		133
		134	* alloc.c: Integer signedness and overflow fixes.
		135	Do not impose an arbitrary 32-bit limit on malloc sizes when debugging.
		136	(__malloc_size_t): Default to size_t, not to int.
		137	(pure_size, pure_bytes_used_before_overflow, stack_copy_size)
		138	(Fgarbage_collect, mark_object_loop_halt, mark_object):
		139	Prefer ptrdiff_t to size_t when either would do, as we prefer
		140	signed integers.
		141	(XMALLOC_OVERRUN_CHECK_OVERHEAD): New macro.
		142	(xmalloc_overrun_check_header, xmalloc_overrun_check_trailer):
		143	Now const. Initialize with values that are in range even if char
		144	is signed.
		145	(XMALLOC_PUT_SIZE, XMALLOC_GET_SIZE): Remove, replacing with ...
		146	(xmalloc_put_size, xmalloc_get_size): New functions. All uses changed.
		147	These functions do the right thing with sizes > 2**32.
		148	(check_depth): Now ptrdiff_t, not int.
		149	(overrun_check_malloc, overrun_check_realloc, overrun_check_free):
		150	Adjust to new way of storing sizes. Check for size overflow bugs
		151	in rest of code.
		152	(STRING_BYTES_MAX): Adjust to new overheads. The old code was
		153	slightly wrong anyway, as it missed one instance of
		154	XMALLOC_OVERRUN_CHECK_OVERHEAD.
		155	(refill_memory_reserve): Omit needless cast to size_t.
		156	(mark_object_loop_halt): Mark as externally visible.
		157
		158	* xselect.c: Integer signedness and overflow fixes.
		159	(Fx_register_dnd_atom, x_handle_dnd_message):
		160	Use ptrdiff_t, not size_t, since we prefer signed.
		161	(Fx_register_dnd_atom): Check for ptrdiff_t (and size_t) overflow.
		162	* xterm.h (struct x_display_info): Use ptrdiff_t, not size_t, for
		163	x_dnd_atoms_size and x_dnd_atoms_length.
		164
		165	* doprnt.c: Prefer signed to unsigned when either works.
		166	* eval.c (verror):
		167	* doprnt.c (doprnt):
		168	* lisp.h (doprnt):
		169	* xdisp.c (vmessage):
		170	Use ptrdiff_t, not size_t, when using or implementing doprnt,
		171	since the sizes cannot exceed ptrdiff_t bounds anyway, and we
		172	prefer signed arithmetic to avoid comparison confusion.
		173	* doprnt.c (doprnt): Avoid a "+ 1" that can't overflow,
		174	but is a bit tricky.
		175
		176	Assume freestanding C89 headers, string.h, stdlib.h.
		177	* data.c, doprnt.c, floatfns.c, print.c:
		178	Include float.h unconditionally.
		179	* gmalloc.c: Assume C89-at-least behavior for preprocessor,
		180	limits.h, stddef.h, string.h. Use memset instead of 'flood'.
		181	* regex.c: Likewise for stddef.h, string.h.
		182	(ISASCII): Remove; can assume it returns 1 now. All uses removed.
		183	* s/aix4-2.h (HAVE_STRING_H): Remove obsolete undef.
		184	* s/ms-w32.h (HAVE_LIMITS_H, HAVE_STRING_H, HAVE_STDLIB_H)
		185	(STDC_HEADERS): Remove obsolete defines.
		186	* sysdep.c: Include limits.h unconditionally.
		187
		188	Assume support for memcmp, memcpy, memmove, memset.
		189	* lisp.h, sysdep.c (memcmp, memcpy, memmove, memset):
		190	* regex.c (memcmp, memcpy):
		191	Remove; we assume C89 now.
		192
		193	* gmalloc.c (memcpy, memset, memmove): Remove; we assume C89 now.
		194	(__malloc_safe_bcopy): Remove; no longer needed.
		195
		196	* lisp.h (struct vectorlike_header, struct Lisp_Subr): Signed sizes.
		197	Use EMACS_INT, not EMACS_UINT, for sizes. The code works equally
		198	well either way, and we prefer signed to unsigned.
		199
1	2011-07-27 Lars Magne Ingebrigtsen <larsi@gnus.org>	200	2011-07-27 Lars Magne Ingebrigtsen <larsi@gnus.org>
2		201
3	* gnutls.c (emacs_gnutls_read): Don't message anything if the peer	202	* gnutls.c (emacs_gnutls_read): Don't message anything if the peer