Diffstat (limited to 'src/ChangeLog')
-rw-r--r-- src/ChangeLog 148
1 files changed, 148 insertions, 0 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 52ec796d6cf..9a512210497 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,151 @@
12011-09-04 Paul Eggert <eggert@cs.ucla.edu>
2
3 sprintf-related integer and memory overflow issues (Bug#9412).
4
5 * doprnt.c (doprnt): Support printing ptrdiff_t and intmax_t values.
6 (esprintf, exprintf, evxprintf): New functions.
7 * keyboard.c (command_loop_level): Now EMACS_INT, not int.
8 (cmd_error): kbd macro iterations count is now EMACS_INT, not int.
9 (modify_event_symbol): Do not assume that the length of
10 name_alist_or_stem is safe to alloca and fits in int.
11 (Fexecute_extended_command): Likewise for function name and binding.
12 (Frecursion_depth): Wrap around reliably on integer overflow.
13 * keymap.c (push_key_description): First arg is now EMACS_INT, not int,
14 since some callers pass EMACS_INT values.
15 (Fsingle_key_description): Don't crash if symbol name contains more
16 than MAX_ALLOCA bytes.
17 * minibuf.c (minibuf_level): Now EMACS_INT, not int.
18 (get_minibuffer): Arg is now EMACS_INT, not int.
19 * lisp.h (get_minibuffer, push_key_description): Reflect API changes.
20 (esprintf, exprintf, evxprintf): New decls.
21 * window.h (command_loop_level, minibuf_level): Reflect API changes.
22
23 * dbusbind.c (signature_cat): New function.
24 (xd_signature, Fdbus_register_signal):
25 Do not overrun buffer; instead, report string overflow.
26
27 * dispnew.c (add_window_display_history): Don't overrun buffer.
28 Truncate instead; this is OK since it's just a log.
29
30 * editfns.c (Fcurrent_time_zone): Don't overrun buffer
31 even if the time zone offset is outlandishly large.
32 Don't mishandle offset == INT_MIN.
33
34 * emacs.c (main) [NS_IMPL_COCOA]: Don't overrun buffer
35 when creating daemon; the previous buffer-overflow check was incorrect.
36
37 * eval.c (verror): Simplify by rewriting in terms of evxprintf,
38 which has the guts of the old verror function.
39
40 * filelock.c (lock_file_1, lock_file): Don't blindly alloca long name;
41 use SAFE_ALLOCA instead. Use esprintf to avoid int-overflow issues.
42
43 * font.c: Include <float.h>, for DBL_MAX_10_EXP.
44 (font_unparse_xlfd): Don't blindly alloca long strings.
45 Don't assume XINT result fits in int, or that XFLOAT_DATA * 10
46 fits in int, when using sprintf. Use single snprintf to count
47 length of string rather than counting it via multiple sprintfs;
48 that's simpler and more reliable.
49 (font_unparse_fcname): Use it to avoid sprintf buffer overrun.
50 (generate_otf_features) [0 && HAVE_LIBOTF]: Use esprintf, not
51 sprintf, in case result does not fit in int.
52
53 * fontset.c (num_auto_fontsets): Now printmax_t, not int.
54 (fontset_from_font): Print it.
55
56 * frame.c (tty_frame_count): Now printmax_t, not int.
57 (make_terminal_frame, set_term_frame_name): Print it.
58 (x_report_frame_params): In X, window IDs are unsigned long,
59 not signed long, so print them as unsigned.
60 (validate_x_resource_name): Check for implausibly long names,
61 and don't assume name length fits in 'int'.
62 (x_get_resource_string): Don't blindly alloca invocation name;
63 use SAFE_ALLOCA. Use esprintf, not sprintf, in case result does
64 not fit in int.
65
66 * gtkutil.c: Include <float.h>, for DBL_MAX_10_EXP.
67 (xg_check_special_colors, xg_set_geometry):
68 Make sprintf buffers a bit bigger, to avoid potential buffer overrun.
69
70 * lread.c (dir_warning): Don't blindly alloca buffer; use SAFE_ALLOCA.
71 Use esprintf, not sprintf, in case result does not fit in int.
72
73 * macros.c (executing_kbd_macro_iterations): Now EMACS_INT, not int.
74 (Fend_kbd_macro): Don't mishandle MOST_NEGATIVE_FIXNUM by treating
75 it as a large positive number.
76 (Fexecute_kbd_macro): Don't assume repeat count fits in int.
77 * macros.h (executing_kbd_macro_iterations): Now EMACS_INT, not int.
78
79 * nsterm.m ((NSSize)windowWillResize): Use esprintf, not sprintf,
80 in case result does not fit in int.
81
82 * print.c (float_to_string): Detect width overflow more reliably.
83 (print_object): Make sprintf buffer a bit bigger, to avoid potential
84 buffer overrun. Don't assume list length fits in 'int'. Treat
85 print length of 0 as 0, not as infinity; to be consistent with other
86 uses of print length in this function. Don't overflow print length
87 index. Don't assume hash table size fits in 'long', or that
88 vectorlike size fits in 'unsigned long'.
89
90 * process.c (make_process): Use printmax_t, not int, to format
91 process-name gensyms.
92
93 * sysdep.c (snprintf) [! HAVE_SNPRINTF]: New function.
94
95 * term.c (produce_glyphless_glyph): Make sprintf buffer a bit bigger
96 to avoid potential buffer overrun.
97
98 * xfaces.c (x_update_menu_appearance): Don't overrun buffer
99 if X resource line is longer than 512 bytes.
100
101 * xfns.c (x_window): Make sprintf buffer a bit bigger
102 to avoid potential buffer overrun.
103
104 * xterm.c (x_io_error_quitter): Don't overrun sprintf buffer.
105
106 * xterm.h (x_check_errors): Add ATTRIBUTE_FORMAT_PRINTF.
107
1082011-09-04 Paul Eggert <eggert@cs.ucla.edu>
109
110 Integer overflow fixes for scrolling, etc.
111 Without these, Emacs silently mishandles large integers sometimes.
112 For example, "C-u 4294967297 M-x recenter" was treated as if
113 it were "C-u 1 M-x recenter" on a typical 64-bit host.
114
115 * xdisp.c (try_window_id): Check Emacs fixnum range before
116 converting to 'int'.
117
118 * window.c (window_scroll_line_based, Frecenter):
119 Check that an Emacs fixnum is in range before assigning it to 'int'.
120 (Frecenter, Fmove_to_window_line): Use EMACS_INT, not int, for
121 values converted from Emacs fixnums.
122 (Frecenter): Don't wrap around a line count if it is out of 'int'
123 range; instead, treat it as an extreme value.
124 (Fset_window_configuration, compare_window_configurations):
125 Use ptrdiff_t, not int, for index that might exceed 2 GiB.
126
127 * search.c (Freplace_match): Use ptrdiff_t, not int, for indexes
128 that can exceed INT_MAX. Check that EMACS_INT value is in range
129 before assigning it to the (possibly-narrower) index.
130 (match_limit): Don't assume that a fixnum can fit in 'int'.
131
132 * print.c (print_object): Use ptrdiff_t, not int, for index that can
133 exceed INT_MAX.
134
135 * indent.c (position_indentation): Now takes ptrdiff_t, not int.
136 (Fvertical_motion): Don't wrap around LINES values that don't fit
137 in 'int'. Instead, treat them as extreme values. This is good
138 enough for windows, which can't have more than INT_MAX lines anyway.
139
1402011-09-03 Lars Magne Ingebrigtsen <larsi@gnus.org>
141
142 * Require libxml/parser.h to avoid compilation warning.
143
144 * emacs.c (shut_down_emacs): Call xmlCleanupParser on shutdown.
145
146 * xml.c (parse_region): Don't call xmlCleanupParser after parsing,
147 since this reportedly can destroy thread storage.
148
12011-08-30 Chong Yidong <cyd@stupidchicken.com> 1492011-08-30 Chong Yidong <cyd@stupidchicken.com>
2 150
3 * syntax.c (find_defun_start): Update all cache variables if 151 * syntax.c (find_defun_start): Update all cache variables if
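Review bot: The first item of the 2011-09-03 entry, "* Require libxml/parser.h to avoid compilation warning.", names no file or function, unlike every other item in this hunk, so the log does not record which source file gained the include. Please write it in the usual "* file.c: Include <libxml/parser.h> ..." form, using "Include" rather than "Require" for a C header. Separately, the print.c (print_object) item in the Bug#9412 entry folds a behaviour change ("Treat print length of 0 as 0, not as infinity") into a list of buffer and integer overflow fixes; give it its own sentence or item so that someone auditing the overflow work does not miss a semantic change, and replace the semicolon before "to be consistent" with a comma. The fontset.c, frame.c and process.c items switch to printmax_t, but none of the visible header items (lisp.h, window.h, macros.h, xterm.h) says where that type is declared; add that to the entry for the header that declares it.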