1 files changed, 153 insertions, 1 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index a3c850e3b7f..88065dd3231 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,4 +1,4 @@
-2011-09-03  Paul Eggert  <eggert@cs.ucla.edu>
+2011-09-05  Paul Eggert  <eggert@cs.ucla.edu>
        * fileio.c: Fix bugs with large file offsets (Bug#9428).
        The previous code assumed that file offsets (off_t values) fit in
@@ -17,6 +17,158 @@
        (Fwrite_region): Don't assume off_t fits into 'long'.
        * buffer.h (struct buffer.modtime_size): Now off_t, not EMACS_INT.
+2011-09-05  Michael Albinus  <michael.albinus@gmx.de>
+        * dbusbind.c (xd_signature_cat): Rename from signature_cat.
+2011-09-04  Paul Eggert  <eggert@cs.ucla.edu>
+        sprintf-related integer and memory overflow issues (Bug#9412).
+        * doprnt.c (doprnt): Support printing ptrdiff_t and intmax_t values.
+        (esprintf, exprintf, evxprintf): New functions.
+        * keyboard.c (command_loop_level): Now EMACS_INT, not int.
+        (cmd_error): kbd macro iterations count is now EMACS_INT, not int.
+        (modify_event_symbol): Do not assume that the length of
+        name_alist_or_stem is safe to alloca and fits in int.
+        (Fexecute_extended_command): Likewise for function name and binding.
+        (Frecursion_depth): Wrap around reliably on integer overflow.
+        * keymap.c (push_key_description): First arg is now EMACS_INT, not int,
+        since some callers pass EMACS_INT values.
+        (Fsingle_key_description): Don't crash if symbol name contains more
+        than MAX_ALLOCA bytes.
+        * minibuf.c (minibuf_level): Now EMACS_INT, not int.
+        (get_minibuffer): Arg is now EMACS_INT, not int.
+        * lisp.h (get_minibuffer, push_key_description): Reflect API changes.
+        (esprintf, exprintf, evxprintf): New decls.
+        * window.h (command_loop_level, minibuf_level): Reflect API changes.
+        * dbusbind.c (signature_cat): New function.
+        (xd_signature, Fdbus_register_signal):
+        Do not overrun buffer; instead, report string overflow.
+        * dispnew.c (add_window_display_history): Don't overrun buffer.
+        Truncate instead; this is OK since it's just a log.
+        * editfns.c (Fcurrent_time_zone): Don't overrun buffer
+        even if the time zone offset is outlandishly large.
+        Don't mishandle offset == INT_MIN.
+        * emacs.c (main) [NS_IMPL_COCOA]: Don't overrun buffer
+        when creating daemon; the previous buffer-overflow check was incorrect.
+        * eval.c (verror): Simplify by rewriting in terms of evxprintf,
+        which has the guts of the old verror function.
+        * filelock.c (lock_file_1, lock_file): Don't blindly alloca long name;
+        use SAFE_ALLOCA instead.  Use esprintf to avoid int-overflow issues.
+        * font.c: Include <float.h>, for DBL_MAX_10_EXP.
+        (font_unparse_xlfd): Don't blindly alloca long strings.
+        Don't assume XINT result fits in int, or that XFLOAT_DATA * 10
+        fits in int, when using sprintf.  Use single snprintf to count
+        length of string rather than counting it via multiple sprintfs;
+        that's simpler and more reliable.
+        (font_unparse_fcname): Use it to avoid sprintf buffer overrun.
+        (generate_otf_features) [0 && HAVE_LIBOTF]: Use esprintf, not
+        sprintf, in case result does not fit in int.
+        * fontset.c (num_auto_fontsets): Now printmax_t, not int.
+        (fontset_from_font): Print it.
+        * frame.c (tty_frame_count): Now printmax_t, not int.
+        (make_terminal_frame, set_term_frame_name): Print it.
+        (x_report_frame_params): In X, window IDs are unsigned long,
+        not signed long, so print them as unsigned.
+        (validate_x_resource_name): Check for implausibly long names,
+        and don't assume name length fits in 'int'.
+        (x_get_resource_string): Don't blindly alloca invocation name;
+        use SAFE_ALLOCA.  Use esprintf, not sprintf, in case result does
+        not fit in int.
+        * gtkutil.c: Include <float.h>, for DBL_MAX_10_EXP.
+        (xg_check_special_colors, xg_set_geometry):
+        Make sprintf buffers a bit bigger, to avoid potential buffer overrun.
+        * lread.c (dir_warning): Don't blindly alloca buffer; use SAFE_ALLOCA.
+        Use esprintf, not sprintf, in case result does not fit in int.
+        * macros.c (executing_kbd_macro_iterations): Now EMACS_INT, not int.
+        (Fend_kbd_macro): Don't mishandle MOST_NEGATIVE_FIXNUM by treating
+        it as a large positive number.
+        (Fexecute_kbd_macro): Don't assume repeat count fits in int.
+        * macros.h (executing_kbd_macro_iterations): Now EMACS_INT, not int.
+        * nsterm.m ((NSSize)windowWillResize): Use esprintf, not sprintf,
+        in case result does not fit in int.
+        * print.c (float_to_string): Detect width overflow more reliably.
+        (print_object): Make sprintf buffer a bit bigger, to avoid potential
+        buffer overrun.  Don't assume list length fits in 'int'.  Treat
+        print length of 0 as 0, not as infinity; to be consistent with other
+        uses of print length in this function.  Don't overflow print length
+        index.  Don't assume hash table size fits in 'long', or that
+        vectorlike size fits in 'unsigned long'.
+        * process.c (make_process): Use printmax_t, not int, to format
+        process-name gensyms.
+        * sysdep.c (snprintf) [! HAVE_SNPRINTF]: New function.
+        * term.c (produce_glyphless_glyph): Make sprintf buffer a bit bigger
+        to avoid potential buffer overrun.
+        * xfaces.c (x_update_menu_appearance): Don't overrun buffer
+        if X resource line is longer than 512 bytes.
+        * xfns.c (x_window): Make sprintf buffer a bit bigger
+        to avoid potential buffer overrun.
+        * xterm.c (x_io_error_quitter): Don't overrun sprintf buffer.
+        * xterm.h (x_check_errors): Add ATTRIBUTE_FORMAT_PRINTF.
+2011-09-04  Paul Eggert  <eggert@cs.ucla.edu>
+        Integer overflow fixes for scrolling, etc.
+        Without these, Emacs silently mishandles large integers sometimes.
+        For example, "C-u 4294967297 M-x recenter" was treated as if
+        it were "C-u 1 M-x recenter" on a typical 64-bit host.
+        * xdisp.c (try_window_id): Check Emacs fixnum range before
+        converting to 'int'.
+        * window.c (window_scroll_line_based, Frecenter):
+        Check that an Emacs fixnum is in range before assigning it to 'int'.
+        (Frecenter, Fmove_to_window_line): Use EMACS_INT, not int, for
+        values converted from Emacs fixnums.
+        (Frecenter): Don't wrap around a line count if it is out of 'int'
+        range; instead, treat it as an extreme value.
+        (Fset_window_configuration, compare_window_configurations):
+        Use ptrdiff_t, not int, for index that might exceed 2 GiB.
+        * search.c (Freplace_match): Use ptrdiff_t, not int, for indexes
+        that can exceed INT_MAX.  Check that EMACS_INT value is in range
+        before assigning it to the (possibly-narrower) index.
+        (match_limit): Don't assume that a fixnum can fit in 'int'.
+        * print.c (print_object): Use ptrdiff_t, not int, for index that can
+        exceed INT_MAX.
+        * indent.c (position_indentation): Now takes ptrdiff_t, not int.
+        (Fvertical_motion): Don't wrap around LINES values that don't fit
+        in 'int'.  Instead, treat them as extreme values.  This is good
+        enough for windows, which can't have more than INT_MAX lines anyway.
+2011-09-03  Lars Magne Ingebrigtsen  <larsi@gnus.org>
+        * Require libxml/parser.h to avoid compilation warning.
+        * emacs.c (shut_down_emacs): Call xmlCleanupParser on shutdown.
+        * xml.c (parse_region): Don't call xmlCleanupParser after parsing,
+        since this reportedly can destroy thread storage.
 2011-08-30  Chong Yidong  <cyd@stupidchicken.com>
        * syntax.c (find_defun_start): Update all cache variables if

diff --git a/src/ChangeLog b/src/ChangeLog index a3c850e3b7f..88065dd3231 100644 --- a/src/ChangeLog +++ b/src/ChangeLog
@@ -1,4 +1,4 @@
1	2011-09-03 Paul Eggert <eggert@cs.ucla.edu>	1	2011-09-05 Paul Eggert <eggert@cs.ucla.edu>
2		2
3	* fileio.c: Fix bugs with large file offsets (Bug#9428).	3	* fileio.c: Fix bugs with large file offsets (Bug#9428).
4	The previous code assumed that file offsets (off_t values) fit in	4	The previous code assumed that file offsets (off_t values) fit in
@@ -17,6 +17,158 @@
17	(Fwrite_region): Don't assume off_t fits into 'long'.	17	(Fwrite_region): Don't assume off_t fits into 'long'.
18	* buffer.h (struct buffer.modtime_size): Now off_t, not EMACS_INT.	18	* buffer.h (struct buffer.modtime_size): Now off_t, not EMACS_INT.
19		19
		20	2011-09-05 Michael Albinus <michael.albinus@gmx.de>
		21
		22	* dbusbind.c (xd_signature_cat): Rename from signature_cat.
		23
		24	2011-09-04 Paul Eggert <eggert@cs.ucla.edu>
		25
		26	sprintf-related integer and memory overflow issues (Bug#9412).
		27
		28	* doprnt.c (doprnt): Support printing ptrdiff_t and intmax_t values.
		29	(esprintf, exprintf, evxprintf): New functions.
		30	* keyboard.c (command_loop_level): Now EMACS_INT, not int.
		31	(cmd_error): kbd macro iterations count is now EMACS_INT, not int.
		32	(modify_event_symbol): Do not assume that the length of
		33	name_alist_or_stem is safe to alloca and fits in int.
		34	(Fexecute_extended_command): Likewise for function name and binding.
		35	(Frecursion_depth): Wrap around reliably on integer overflow.
		36	* keymap.c (push_key_description): First arg is now EMACS_INT, not int,
		37	since some callers pass EMACS_INT values.
		38	(Fsingle_key_description): Don't crash if symbol name contains more
		39	than MAX_ALLOCA bytes.
		40	* minibuf.c (minibuf_level): Now EMACS_INT, not int.
		41	(get_minibuffer): Arg is now EMACS_INT, not int.
		42	* lisp.h (get_minibuffer, push_key_description): Reflect API changes.
		43	(esprintf, exprintf, evxprintf): New decls.
		44	* window.h (command_loop_level, minibuf_level): Reflect API changes.
		45
		46	* dbusbind.c (signature_cat): New function.
		47	(xd_signature, Fdbus_register_signal):
		48	Do not overrun buffer; instead, report string overflow.
		49
		50	* dispnew.c (add_window_display_history): Don't overrun buffer.
		51	Truncate instead; this is OK since it's just a log.
		52
		53	* editfns.c (Fcurrent_time_zone): Don't overrun buffer
		54	even if the time zone offset is outlandishly large.
		55	Don't mishandle offset == INT_MIN.
		56
		57	* emacs.c (main) [NS_IMPL_COCOA]: Don't overrun buffer
		58	when creating daemon; the previous buffer-overflow check was incorrect.
		59
		60	* eval.c (verror): Simplify by rewriting in terms of evxprintf,
		61	which has the guts of the old verror function.
		62
		63	* filelock.c (lock_file_1, lock_file): Don't blindly alloca long name;
		64	use SAFE_ALLOCA instead. Use esprintf to avoid int-overflow issues.
		65
		66	* font.c: Include <float.h>, for DBL_MAX_10_EXP.
		67	(font_unparse_xlfd): Don't blindly alloca long strings.
		68	Don't assume XINT result fits in int, or that XFLOAT_DATA * 10
		69	fits in int, when using sprintf. Use single snprintf to count
		70	length of string rather than counting it via multiple sprintfs;
		71	that's simpler and more reliable.
		72	(font_unparse_fcname): Use it to avoid sprintf buffer overrun.
		73	(generate_otf_features) [0 && HAVE_LIBOTF]: Use esprintf, not
		74	sprintf, in case result does not fit in int.
		75
		76	* fontset.c (num_auto_fontsets): Now printmax_t, not int.
		77	(fontset_from_font): Print it.
		78
		79	* frame.c (tty_frame_count): Now printmax_t, not int.
		80	(make_terminal_frame, set_term_frame_name): Print it.
		81	(x_report_frame_params): In X, window IDs are unsigned long,
		82	not signed long, so print them as unsigned.
		83	(validate_x_resource_name): Check for implausibly long names,
		84	and don't assume name length fits in 'int'.
		85	(x_get_resource_string): Don't blindly alloca invocation name;
		86	use SAFE_ALLOCA. Use esprintf, not sprintf, in case result does
		87	not fit in int.
		88
		89	* gtkutil.c: Include <float.h>, for DBL_MAX_10_EXP.
		90	(xg_check_special_colors, xg_set_geometry):
		91	Make sprintf buffers a bit bigger, to avoid potential buffer overrun.
		92
		93	* lread.c (dir_warning): Don't blindly alloca buffer; use SAFE_ALLOCA.
		94	Use esprintf, not sprintf, in case result does not fit in int.
		95
		96	* macros.c (executing_kbd_macro_iterations): Now EMACS_INT, not int.
		97	(Fend_kbd_macro): Don't mishandle MOST_NEGATIVE_FIXNUM by treating
		98	it as a large positive number.
		99	(Fexecute_kbd_macro): Don't assume repeat count fits in int.
		100	* macros.h (executing_kbd_macro_iterations): Now EMACS_INT, not int.
		101
		102	* nsterm.m ((NSSize)windowWillResize): Use esprintf, not sprintf,
		103	in case result does not fit in int.
		104
		105	* print.c (float_to_string): Detect width overflow more reliably.
		106	(print_object): Make sprintf buffer a bit bigger, to avoid potential
		107	buffer overrun. Don't assume list length fits in 'int'. Treat
		108	print length of 0 as 0, not as infinity; to be consistent with other
		109	uses of print length in this function. Don't overflow print length
		110	index. Don't assume hash table size fits in 'long', or that
		111	vectorlike size fits in 'unsigned long'.
		112
		113	* process.c (make_process): Use printmax_t, not int, to format
		114	process-name gensyms.
		115
		116	* sysdep.c (snprintf) [! HAVE_SNPRINTF]: New function.
		117
		118	* term.c (produce_glyphless_glyph): Make sprintf buffer a bit bigger
		119	to avoid potential buffer overrun.
		120
		121	* xfaces.c (x_update_menu_appearance): Don't overrun buffer
		122	if X resource line is longer than 512 bytes.
		123
		124	* xfns.c (x_window): Make sprintf buffer a bit bigger
		125	to avoid potential buffer overrun.
		126
		127	* xterm.c (x_io_error_quitter): Don't overrun sprintf buffer.
		128
		129	* xterm.h (x_check_errors): Add ATTRIBUTE_FORMAT_PRINTF.
		130
		131	2011-09-04 Paul Eggert <eggert@cs.ucla.edu>
		132
		133	Integer overflow fixes for scrolling, etc.
		134	Without these, Emacs silently mishandles large integers sometimes.
		135	For example, "C-u 4294967297 M-x recenter" was treated as if
		136	it were "C-u 1 M-x recenter" on a typical 64-bit host.
		137
		138	* xdisp.c (try_window_id): Check Emacs fixnum range before
		139	converting to 'int'.
		140
		141	* window.c (window_scroll_line_based, Frecenter):
		142	Check that an Emacs fixnum is in range before assigning it to 'int'.
		143	(Frecenter, Fmove_to_window_line): Use EMACS_INT, not int, for
		144	values converted from Emacs fixnums.
		145	(Frecenter): Don't wrap around a line count if it is out of 'int'
		146	range; instead, treat it as an extreme value.
		147	(Fset_window_configuration, compare_window_configurations):
		148	Use ptrdiff_t, not int, for index that might exceed 2 GiB.
		149
		150	* search.c (Freplace_match): Use ptrdiff_t, not int, for indexes
		151	that can exceed INT_MAX. Check that EMACS_INT value is in range
		152	before assigning it to the (possibly-narrower) index.
		153	(match_limit): Don't assume that a fixnum can fit in 'int'.
		154
		155	* print.c (print_object): Use ptrdiff_t, not int, for index that can
		156	exceed INT_MAX.
		157
		158	* indent.c (position_indentation): Now takes ptrdiff_t, not int.
		159	(Fvertical_motion): Don't wrap around LINES values that don't fit
		160	in 'int'. Instead, treat them as extreme values. This is good
		161	enough for windows, which can't have more than INT_MAX lines anyway.
		162
		163	2011-09-03 Lars Magne Ingebrigtsen <larsi@gnus.org>
		164
		165	* Require libxml/parser.h to avoid compilation warning.
		166
		167	* emacs.c (shut_down_emacs): Call xmlCleanupParser on shutdown.
		168
		169	* xml.c (parse_region): Don't call xmlCleanupParser after parsing,
		170	since this reportedly can destroy thread storage.
		171
20	2011-08-30 Chong Yidong <cyd@stupidchicken.com>	172	2011-08-30 Chong Yidong <cyd@stupidchicken.com>
21		173
22	* syntax.c (find_defun_start): Update all cache variables if	174	* syntax.c (find_defun_start): Update all cache variables if