Diffstat (limited to 'src/ChangeLog')
-rw-r--r-- src/ChangeLog 463
1 files changed, 463 insertions, 0 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 431a515def5..7eb18593993 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,466 @@
12011-08-27 Paul Eggert <eggert@cs.ucla.edu>
2
3 * ccl.c: Improve and simplify overflow checking (Bug#9196).
4 (ccl_driver): Do not generate an out-of-range pointer.
5 (Fccl_execute_on_string): Remove unnecessary check for
6 integer overflow, noted by Stefan Monnier in
7 <http://lists.gnu.org/archive/html/emacs-devel/2011-08/msg00979.html>.
8 Remove a FIXME that didn't need fixing.
9 Simplify the newly-introduced buffer reallocation code.
10
112011-08-27 Juanma Barranquero <lekktu@gmail.com>
12
13 * makefile.w32-in ($(BLD)/alloc.$(O)): Depend on lib/verify.h.
14
152011-08-26 Paul Eggert <eggert@cs.ucla.edu>
16
17 Integer and memory overflow issues (Bug#9196).
18
19 * doc.c (get_doc_string): Rework so that
20 get_doc_string_buffer_size is the actual buffer size, rather than
21 being 1 less than the actual buffer size; this makes xpalloc more
22 convenient.
23
24 * image.c (x_allocate_bitmap_record, cache_image):
25 * xselect.c (Fx_register_dnd_atom):
26 Simplify previous changes by using xpalloc.
27
28 * buffer.c (overlay_str_len): Now ptrdiff_t, not EMACS_INT,
29 since either will do and ptrdiff_t is convenient with xpalloc.
30
31 * charset.c (charset_table_size)
32 (struct charset_sort_data.priority): Now ptrdiff_t.
33 (charset_compare): Don't overflow if priorities differ greatly.
34 (Fsort_charsets): Don't assume list length fits in int.
35 Check for size-calculation overflow when allocating sort data.
36 (syms_of_charset): Allocate an initial charset table that is
37 just under 64 KiB, to avoid problems with glibc malloc and mmap.
38
39 * cmds.c (internal_self_insert): Check for size-calculation overflow.
40
41 * composite.h (struct composition.glyph_len): Now int, not unsigned.
42 The actual value is always <= INT_MAX, and leaving it unsigned made
43 overflow checking harder.
44
45 * dispextern.h (struct glyph_matrix.rows_allocated)
46 (struct face_cache.size): Now ptrdiff_t, for convenience in use
47 with xpalloc. The values are still always <= INT_MAX.
48
49 * indent.c (compute_motion): Adjust to region_cache_forward sig change.
50
51 * lisp.h (xnmalloc, xnrealloc, xpalloc): New decls.
52 (SAFE_NALLOCA): New macro.
53
54 * region-cache.c (struct boundary.pos, find_cache_boundary)
55 (move_cache_gap, insert_cache_boundary, delete_cache_boundaries)
56 (set_cache_region, invalidate_region_cache)
57 (revalidate_region_cache, know_region_cache, region_cache_forward)
58 (region_cache_backward, pp_cache):
59 Use ptrdiff_t, not EMACS_INT, since either will do. This is needed
60 so that ptrdiff_t * can be passed to xpalloc.
61 (struct region_cache): Similarly, for gap_start, gap_len, cache_len,
62 beg_unchanged, end_unchanged, buffer_beg, buffer_end members.
63 (pp_cache): Don't assume cache_len fits in int.
64 * region-cache.h: Adjust extern decls to match.
65
66 * search.c (scan_buffer, Freplace_match): Use ptrdiff_t, not
67 EMACS_INT, since either will do, for xpalloc.
68
69 * alloc.c: Include verify.h, and check that int fits in ptrdiff_t.
70 (xnmalloc, xnrealloc, xpalloc): New functions.
71
72 * bidi.c (bidi_shelve_header_size): New constant.
73 (bidi_cache_ensure_space, bidi_shelve_cache): Use it.
74 (bidi_cache_ensure_space): Avoid integer overflow when allocating.
75
76 * bidi.c (bidi_cache_shrink):
77 * buffer.c (overlays_at, overlays_in, record_overlay_string)
78 (overlay_strings):
79 Don't update size of array until after memory allocation succeeds,
80 because xmalloc/xrealloc may not return.
81 (struct sortstrlist.bytes): Now ptrdiff_t, as EMACS_INT doesn't help
82 now that we have proper integer overflow checking.
83 (record_overlay_string, overlay_strings): Catch overflows when
84 calculating size of overlay_str_buf.
85
86 * callproc.c (Fcall_process): Check for size overflow when
87 calculating size of args2.
88 (child_setup): Avoid overflow by using size_t rather than ptrdiff_t.
89 Normally we prefer signed values, but sticking with ptrdiff_t would
90 require adding more-complicated checks.
91
92 * ccl.c (Fccl_execute_on_string): Check for memory overflow.
93 Use ptrdiff_t rather than EMACS_INT where ptrdiff_t will do.
94 Redo buffer-overflow calculations to avoid integer overflow.
95 Add a FIXME comment where memory seems to be over-allocated.
96
97 * character.c (Fstring): Check for size-calculation overflow.
98
99 * coding.c (produce_chars): Redo buffer-overflow calculations to avoid
100 unnecessary integer overflow. Check for size overflow.
101 (encode_coding_object): Don't update size until xmalloc succeeds.
102
103 * composite.c (get_composition_id): Check for overflow in glyph
104 length calculations.
105
106 Integer and memory overflow fixes for display code.
107 * dispextern.h (struct glyph_pool.nglyphs): Now ptrdiff_t, not int.
108 * dispnew.c (adjust_glyph_matrix, realloc_glyph_pool)
109 (scrolling_window): Check for overflow in size calculations.
110 (line_draw_cost, realloc_glyph_pool, add_row_entry):
111 Don't assume glyph table len fits in int.
112 (struct row_entry.bucket, row_entry_pool_size, row_entry_idx)
113 (row_table_size): Now ptrdiff_t, not int.
114 (scrolling_window): Avoid overflow in size calculations.
115 Don't update size until allocation succeeds.
116 * fns.c (concat): Check for overflow in size calculations.
117 (next_almost_prime): Verify NEXT_ALMOST_PRIME_LIMIT.
118 * lisp.h (RANGED_INTEGERP, TYPE_RANGED_INTEGERP): New macros.
119 (NEXT_ALMOST_PRIME_LIMIT): New constant.
120
121 * doc.c (get_doc_string_buffer_size): Now ptrdiff_t, not int.
122 (get_doc_string): Check for size calculation overflow.
123 Don't update size until allocation succeeds.
124 (get_doc_string, Fsubstitute_command_keys): Use ptrdiff_t, not
125 EMACS_INT, where ptrdiff_t will do.
126 (Fsubstitute_command_keys): Check for string overflow.
127
128 * editfns.c (set_time_zone_rule): Don't assume environment length
129 fits in int.
130 (message_length): Now ptrdiff_t, not int.
131 (Fmessage_box): Don't update size until allocation succeeds.
132 Don't assume message length fits in int.
133 (Fformat): Use ptrdiff_t, not EMACS_INT, where ptrdiff_t will do.
134
135 * emacs.c (main): Do not reallocate argv, since there is a null at
136 the end that can be overwritten, and this way there's no need to
137 worry about size-calculation overflow.
138 (sort_args): Check for size-calculation overflow.
139
140 * eval.c (init_eval_once, grow_specpdl): Don't update size until
141 alloc succeeds.
142 (call_debugger, grow_specpdl): Redo calculations to avoid overflow.
143
144 * frame.c (set_menu_bar_lines, x_set_frame_parameters)
145 (x_set_scroll_bar_width, x_figure_window_size):
146 Check for integer overflow.
147 (x_set_alpha): Do not assume XINT fits in int.
148
149 * frame.h (struct frame): Use int, not EMACS_INT, where int works.
150 This is for the members text_lines, text_cols, total_lines, total_cols,
151 where the system imposes an 'int' limit.
152
153 * fringe.c (Fdefine_fringe_bitmap):
154 Don't update size until alloc works.
155
156 * ftfont.c (ftfont_get_open_type_spec, setup_otf_gstring)
157 (ftfont_shape_by_flt): Check for integer overflow in size calculations.
158
159 * gtkutil.c (get_utf8_string, xg_store_widget_in_map):
160 Check for size-calculation overflow.
161 (get_utf8_string): Use ptrdiff_t, not size_t, where either will
162 do, as we prefer signed integers.
163 (id_to_widget.max_size, id_to_widget.used)
164 (xg_store_widget_in_map, xg_remove_widget_from_map)
165 (xg_get_widget_from_map, xg_get_scroll_id_for_window)
166 (xg_remove_scroll_bar, xg_update_scrollbar_pos):
167 Use and return ptrdiff_t, not int.
168 (xg_gtk_scroll_destroy): Don't assume ptrdiff_t fits in int.
169 * gtkutil.h: Change prototypes to match the above.
170
171 * image.c (RANGED_INTEGERP, TYPE_RANGED_INTEGERP): Remove; these
172 are duplicate now that they've been promoted to lisp.h.
173 (x_allocate_bitmap_record, x_alloc_image_color)
174 (make_image_cache, cache_image, xpm_load):
175 Don't update size until alloc is done.
176 (xpm_load, lookup_rgb_color, lookup_pixel_color, x_to_xcolors)
177 (x_detect_edges):
178 Check for size calculation overflow.
179 (ct_colors_allocated_max): New constant.
180 (x_to_xcolors, x_detect_edges): Reorder multiplicands to avoid
181 overflow.
182
183 * keyboard.c (read_char, menu_bar_items, tool_bar_items)
184 (read_char_x_menu_prompt, read_char_minibuf_menu_width)
185 (read_char_minibuf_menu_prompt, follow_key, read_key_sequence):
186 Use ptrdiff_t, not int, to count maps.
187 (read_char_minibuf_menu_prompt): Check for overflow in size
188 calculations. Don't update size until allocation succeeds. Redo
189 calculations to avoid overflow.
190 * keyboard.h: Change prototypes to match the above.
191
192 * keymap.c (cmm_size, current_minor_maps): Use ptrdiff_t, not int,
193 to count maps.
194 (current_minor_maps): Check for size calculation overflow.
195 * keymap.h: Change prototypes to match the above.
196
197 * lread.c (read1, init_obarray): Don't update size until alloc done.
198
199 * macros.c (Fstart_kbd_macro): Don't update size until alloc done.
200 (store_kbd_macro_char): Reorder multiplicands to avoid overflow.
201
202 * nsterm.h (struct ns_color_table.size, struct ns_color_table.avail):
203 Now ptrdiff_t, not int.
204 * nsterm.m (ns_index_color): Use ptrdiff_t, not int, for table indexes.
205 (ns_draw_fringe_bitmap): Rewrite to avoid overflow.
206
207 * process.c (Fnetwork_interface_list): Check for overflow
208 in size calculation.
209
210 * region-cache.c (move_cache_gap): Check for size calculation overflow.
211
212 * scroll.c (do_line_insertion_deletion_costs): Check for size calc
213 overflow. Don't bother calling xmalloc when xrealloc will do.
214
215 * search.c (Freplace_match): Check for size calculation overflow.
216 (Fset_match_data): Don't assume list lengths fit in 'int'.
217
218 * sysdep.c (system_process_attributes): Use ptrdiff_t, not int,
219 for command line length. Do not attempt to address one before the
220 beginning of an array, as that's not portable.
221
222 * term.c (max_frame_lines): Remove; unused.
223 (encode_terminal_src_size, encode_terminal_dst_size): Now ptrdiff_t,
224 not int.
225 (encode_terminal_code, calculate_costs): Check for size
226 calculation overflow.
227 (encode_terminal_code): Use ptrdiff_t, not int, to record glyph
228 table lengths and related sizes. Don't update size until alloc
229 done. Redo calculations to avoid overflow.
230 (calculate_costs): Don't bother calling xmalloc when xrealloc will do.
231
232 * termcap.c (tgetent): Use ptrdiff_t, not int, to record results of
233 subtracting pointers.
234 (gobble_line): Check for overflow more carefully. Don't update size
235 until alloc done.
236
237 * tparam.c (tparam1): Use ptrdiff_t, not int, for sizes.
238 Don't update size until alloc done.
239 Redo size calculations to avoid overflow.
240 Check for size calculation overflow.
241 (main) [DEBUG]: Fix typo in invoking tparam1.
242
243 * xdisp.c (store_mode_line_noprop_char, x_consider_frame_title):
244 Use ptrdiff_t, not int, for sizes.
245 (store_mode_line_noprop_char): Don't update size until alloc done.
246
247 * xfaces.c (lface_id_to_name_size, Finternal_make_lisp_face):
248 Use ptrdiff_t, not int, for sizes.
249 (Finternal_make_lisp_face, cache_face):
250 Check for size calculation overflow.
251 (cache_face): Treat size calculation overflows as if they were
252 memory exhaustion (the usual treatment), rather than aborting.
253
254 * xfns.c (x_encode_text, x_set_name_internal)
255 (Fx_change_window_property): Use ptrdiff_t, not int, to count
256 sizes, since they can exceed INT_MAX in size. Check for size
257 calculation overflow.
258
259 * xgselect.c (gfds_size): Now ptrdiff_t, for convenience with xpalloc.
260 (xg_select): Check for size calculation overflow.
261 Don't update size until alloc done.
262
263 * xrdb.c (get_environ_db): Don't assume path length fits in int,
264 as sprintf is limited to int lengths.
265
266 * xselect.c (X_LONG_SIZE, X_SHRT_MAX, X_SHRT_MIN, X_LONG_MAX)
267 (X_LONG_MIN): New macros.
268 Use them to make the following changes clearer.
269 (MAX_SELECTION_QUANTUM): Make the other bounds on this value clearer.
270 This change doesn't affect the value now, but it may help remind
271 future maintainers not to raise the value too much later.
272 (SELECTION_QUANTUM): Remove, replacing with ...
273 (selection_quantum): ... new function, which avoids overflow.
274 All uses changed.
275 (struct selection_data.size): Now ptrdiff_t, not int, to avoid
276 assumption that selection length fits in 'int'.
277 (x_reply_selection_request, x_handle_selection_request)
278 (x_get_window_property, receive_incremental_selection)
279 (x_get_window_property_as_lisp_data, selection_data_to_lisp_data)
280 (lisp_data_to_selection_data, clean_local_selection_data):
281 Use ptrdiff_t, not int, to record length of selection.
282 (x_reply_selection_request, x_get_window_property)
283 (receive_incremental_selection, x_property_data_to_lisp):
284 Redo calculations to avoid overflow.
285 (x_reply_selection_request): When sending hint, ceiling it at
286 X_LONG_MAX rather than relying on wraparound overflow to send
287 something.
288 (x_get_window_property, receive_incremental_selection)
289 (lisp_data_to_selection_data, x_property_data_to_lisp):
290 Check for size-calculation overflow.
291 (x_get_window_property, receive_incremental_selection)
292 (lisp_data_to_selection_data, Fx_register_dnd_atom):
293 Don't store size until memory allocation succeeds.
294 (x_get_window_property): Plug memory leak on memory exhaustion.
295 Don't double-block input; malloc is safe here. Don't assume 2**34
296 - 4 fits in unsigned long. Add an xassert to check
297 XGetWindowProperty overflow. Be more careful about overflow
298 calculations, and distinguish size from memory overflow better.
299 (receive_incremental_selection): When tracing, don't assume
300 unsigned int is less than INT_MAX.
301 (x_selection_data_to_lisp_data): Remove unnecessary (and in theory
302 harmful) conversions of unsigned short to int.
303 (lisp_data_to_selection_data): Don't assume that integers
304 in the range -65535 through -1 fit in an X unsigned short.
305 Don't assume that ULONG_MAX == X_ULONG_MAX. Don't store into
306 result parameters unless successful. Rely on cons_to_unsigned
307 to report problems with elements; the old code wasn't right anyway.
308 (x_check_property_data): Check for int overflow; we cannot use
309 a wider type due to X limits.
310 (x_handle_dnd_message): Use unsigned int, to avoid int overflow.
311
312 * xsmfns.c (smc_save_yourself_CB): Check for size calc overflow.
313
314 * xterm.c (x_color_cells, x_send_scrollbar_event, handle_one_xevent)
315 (x_term_init): Check for size calculation overflow.
316 (x_color_cells): Don't store size until memory allocation succeeds.
317 (handle_one_xevent): Use ptrdiff_t, not int, for byte counts.
318 Don't assume alloca size is less than MAX_ALLOCA.
319 (x_term_init): Don't assume length fits in int (sprintf is limited
320 to int size).
321
322 Use ptrdiff_t for composition IDs.
323 * character.c (lisp_string_width):
324 * composite.c (composition_table_size, n_compositions)
325 (get_composition_id, composition_gstring_from_id):
326 * dispextern.h (struct glyph_string.cmp_id, struct composition_it.id):
327 * xdisp.c (BUILD_COMPOSITE_GLYPH_STRING):
328 * window.c (Frecenter):
329 Use ptrdiff_t, not int, for composition IDs.
330 * composite.c (get_composition_id): Check for integer overflow.
331 * composite.h: Adjust prototypes to match the above changes.
332
333 Use ptrdiff_t for hash table indexes.
334 * category.c (hash_get_category_set):
335 * ccl.c (ccl_driver):
336 * charset.h (struct charset.hash_index, CHECK_CHARSET_GET_ID):
337 * coding.c (coding_system_charset_list, detect_coding_system):
338 * coding.h (struct coding_system.id):
339 * composite.c (get_composition_id, gstring_lookup_cache):
340 * fns.c (hash_lookup, hash_put, Fgethash, Fputhash):
341 * image.c (xpm_get_color_table_h):
342 * lisp.h (hash_lookup, hash_put):
343 * minibuf.c (Ftest_completion):
344 Use ptrdiff_t for hash table indexes, not int (which is too
345 narrow, on 64-bit hosts) or EMACS_INT (which is too wide, on
346 32-bit --with-wide-int hosts).
347
348 * charset.c (Fdefine_charset_internal): Check for integer overflow.
349 Add a FIXME comment about memory leaks.
350 (syms_of_charset): Don't assume xmalloc returns.
351
352 Don't assume that stated character widths fit in int.
353 * character.c (Fchar_width, c_string_width, lisp_string_width):
354 * character.h (CHAR_WIDTH):
355 * indent.c (MULTIBYTE_BYTES_WIDTH):
356 Use sanitize_char_width to avoid undefined and/or bad behavior
357 with outlandish widths.
358 * character.h (sanitize_tab_width): Renamed from sanitize_width,
359 now that we have two such functions. All uses changed.
360 (sanitize_char_width): New inline function.
361
362 Don't assume that tab-width fits in int.
363 * character.h (sanitize_width): New inline function.
364 (SANE_TAB_WIDTH): New macro.
365 (ASCII_CHAR_WIDTH): Use it.
366 * indent.c (sane_tab_width): Remove. All uses replaced by
367 SANE_TAB_WIDTH (current_buffer).
368 * xdisp.c (init_iterator): Use SANE_TAB_WIDTH.
369
370 * fileio.c: Integer overflow issues with file modes.
371 (Fset_file_modes, auto_save_1): Don't assume EMACS_INT fits in int.
372
373 * charset.c (read_hex): New arg OVERFLOW. All uses changed.
374 Remove unreachable code.
375 (read_hex, load_charset_map_from_file): Check for integer overflow.
376
377 * xterm.c: don't go over XClientMessageEvent limit
378 (scroll_bar_windows_size): Now ptrdiff_t, as we prefer signed.
379 (x_send_scroll_bar_event): Likewise. Check that the size does not
380 exceed limits imposed by XClientMessageEvent, as well as the usual
381 ptrdiff_t and size_t limits.
382
383 * keyboard.c: Overflow, signedness and related fixes.
384 (make_lispy_movement): Use same integer type in forward decl
385 that is used in the definition.
386 (read_key_sequence, keyremap_step):
387 Change bufsize argument back to int, undoing my 2011-03-30 change.
388 We prefer signed types, and int is wide enough here.
389 (parse_tool_bar_item): Don't assume tool_bar_max_label_size is less
390 than TYPE_MAXIMUM (EMACS_INT) / 2. Don't let the label size grow
391 larger than STRING_BYTES_BOUND. Use ptrdiff_t for Emacs string
392 length, not size_t. Use ptrdiff_t for index, not int.
393 (keyremap_step, read_key_sequence): Redo bufsize check to avoid
394 possibility of integer overflow.
395
396 Overflow, signedness and related fixes for images.
397
398 * dispextern.h (struct it.stack[0].u.image.image_id)
399 (struct_it.image_id, struct image.id, struct image_cache.size)
400 (struct image_cache.used, struct image_cache.ref_count):
401 * gtkutil.c (update_frame_tool_bar):
402 * image.c (x_reference_bitmap, Fimage_size, Fimage_mask_p)
403 (Fimage_metadata, free_image_cache, clear_image_cache, lookup_image)
404 (cache_image, mark_image_cache, x_kill_gs_process, Flookup_image):
405 * nsmenu.m (update_frame_tool_bar):
406 * xdisp.c (calc_pixel_width_or_height):
407 * xfns.c (image_cache_refcount):
408 Image IDs are now ptrdiff_t, not int, to avoid arbitrary limits
409 on typical 64-bit hosts.
410
411 * image.c (RANGED_INTEGERP, TYPE_RANGED_INTEGERP): New macros.
412 (x_bitmap_pixmap, x_create_x_image_and_pixmap):
413 Omit unnecessary casts to int.
414 (parse_image_spec): Check that integers fall into 'int' range
415 when the callers expect that.
416 (image_ascent): Redo ascent calculation to avoid int overflow.
417 (clear_image_cache): Avoid overflow when sqrt (INT_MAX) < nimages.
418 (lookup_image): Remove unnecessary tests.
419 (xbm_image_p): Locals are now of int, not EMACS_INT,
420 since parse_image_check makes sure they fit into int.
421 (png_load, gif_load, svg_load_image):
422 Prefer int to unsigned where either will do.
423 (tiff_handler): New function, combining the cores of the
424 old tiff_error_handler and tiff_warning_handler. This
425 function is rewritten to use vsnprintf and thereby avoid
426 stack buffer overflows. It uses only the features of vsnprintf
427 that are common to both POSIX and native Microsoft.
428 (tiff_error_handler, tiff_warning_handler): Use it.
429 (tiff_load, gif_load, imagemagick_load_image):
430 Don't assume :index value fits in 'int'.
431 (gif_load): Omit unnecessary cast to double, and avoid double-rounding.
432 (imagemagick_load_image): Check that crop parameters fit into
433 the integer types that MagickCropImage accepts. Don't assume
434 Vimagemagick_render_type has a nonnegative value. Don't assume
435 size_t fits in 'long'.
436 (gs_load): Use printmax_t to print the widest integers possible.
437 Check for integer overflow when computing image height and width.
438
4392011-08-26 Eli Zaretskii <eliz@gnu.org>
440
441 * xdisp.c (redisplay_window): Don't force window start if point
442 will be invisible in the resulting window. (Bug#9324)
443
4442011-08-25 Eli Zaretskii <eliz@gnu.org>
445
446 * xdisp.c (compute_display_string_pos): Return 2 in DISP_PROP when
447 the display spec is of the form `(space ...)'.
448 (handle_display_spec): Return the value returned by
449 handle_single_display_spec, not just 1 or zero.
450 (handle_single_display_spec): If the display spec is of the form
451 `(space ...)', and specifies display in the text area, return 2
452 rather than 1.
453 (try_cursor_movement): Check for the need to scroll more
454 accurately, and prefer exact match for point under bidi. Don't
455 advance `row' beyond the last row of the window.
456
457 * dispextern.h (struct bidi_it): Rename the disp_prop_p member
458 into disp_prop; all users changed.
459
460 * bidi.c (bidi_fetch_char): If compute_display_string_pos returns
461 DISP_PROP = 2, substitute the u+2029 PARAGRAPH SEPARATOR character
462 for the text covered by the display property.
463
12011-08-25 Chong Yidong <cyd@stupidchicken.com> 4642011-08-25 Chong Yidong <cyd@stupidchicken.com>
2 465
3 * buffer.c (Fbury_buffer_internal): Rename from Funrecord_buffer. 466 * buffer.c (Fbury_buffer_internal): Rename from Funrecord_buffer.
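Review bot: The dispextern.h item in the image-fixes block of the 2011-08-26 entry reads `(struct_it.image_id, struct image.id, struct image_cache.size)`, while the line just before it names the same structure as `struct it.stack[0].u.image.image_id`; `struct_it` looks like a typo for `struct it` and should be corrected before the entry is committed. In the same entry, `* xterm.c: don't go over XClientMessageEvent limit` is the only file-level summary in the hunk that is lowercase and has no terminating period, whereas the neighbouring summaries (`* fileio.c: Integer overflow issues with file modes.`, `* keyboard.c: Overflow, signedness and related fixes.`) use the usual ChangeLog sentence form; suggest `* xterm.c: Don't go over the XClientMessageEvent limit.` Finally, the entry both adds `RANGED_INTEGERP` and `TYPE_RANGED_INTEGERP` to image.c (`New macros.`) and, in an earlier paragraph, removes them from image.c as duplicates now promoted to lisp.h; since both belong to the same dated entry, folding the two items into a single "moved to lisp.h" line would leave a clearer record for anyone auditing the overflow-check changes later.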