1 files changed, 25 insertions, 39 deletions
diff --git a/src/buffer.c b/src/buffer.c
index cacc8a41339..b61d083c3e6 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -2568,13 +2568,10 @@ overlays_at (EMACS_INT pos, int extend, Lisp_Object **vec_ptr,
                 Either make it bigger, or don't store any more in it.  */
              if (extend)
                {
-                  if ((OVERLAY_COUNT_MAX - 4) / 2 < len)
+                  vec = xpalloc (vec, len_ptr, 1, OVERLAY_COUNT_MAX,
-                    memory_full (SIZE_MAX);
+                                 sizeof *vec);
-                  /* Make it work with an initial len == 0.  */
-                  len = len * 2 + 4;
-                  vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
                  *vec_ptr = vec;
-                  *len_ptr = len;
+                  len = *len_ptr;
                }
              else
                inhibit_storing = 1;
@@ -2611,13 +2608,10 @@ overlays_at (EMACS_INT pos, int extend, Lisp_Object **vec_ptr,
            {
              if (extend)
                {
-                  if ((OVERLAY_COUNT_MAX - 4) / 2 < len)
+                  vec = xpalloc (vec, len_ptr, 1, OVERLAY_COUNT_MAX,
-                    memory_full (SIZE_MAX);
+                                 sizeof *vec);
-                  /* Make it work with an initial len == 0.  */
-                  len = len * 2 + 4;
-                  vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
                  *vec_ptr = vec;
-                  *len_ptr = len;
+                  len = *len_ptr;
                }
              else
                inhibit_storing = 1;
@@ -2708,13 +2702,10 @@ overlays_in (EMACS_INT beg, EMACS_INT end, int extend,
                 Either make it bigger, or don't store any more in it.  */
              if (extend)
                {
-                  if ((OVERLAY_COUNT_MAX - 4) / 2 < len)
+                  vec = xpalloc (vec, len_ptr, 1, OVERLAY_COUNT_MAX,
-                    memory_full (SIZE_MAX);
+                                 sizeof *vec);
-                  /* Make it work with an initial len == 0.  */
-                  len = len * 2 + 4;
-                  vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
                  *vec_ptr = vec;
-                  *len_ptr = len;
+                  len = *len_ptr;
                }
              else
                inhibit_storing = 1;
@@ -2756,13 +2747,10 @@ overlays_in (EMACS_INT beg, EMACS_INT end, int extend,
            {
              if (extend)
                {
-                  if ((OVERLAY_COUNT_MAX - 4) / 2 < len)
+                  vec = xpalloc (vec, len_ptr, 1, OVERLAY_COUNT_MAX,
-                    memory_full (SIZE_MAX);
+                                 sizeof *vec);
-                  /* Make it work with an initial len == 0.  */
-                  len = len * 2 + 4;
-                  vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
                  *vec_ptr = vec;
-                  *len_ptr = len;
+                  len = *len_ptr;
                }
              else
                inhibit_storing = 1;
@@ -2944,7 +2932,7 @@ struct sortstrlist
  struct sortstr *buf;  /* An array that expands as needed; never freed.  */
  ptrdiff_t size;       /* Allocated length of that array.  */
  ptrdiff_t used;       /* How much of the array is currently in use.  */
-  EMACS_INT bytes;              /* Total length of the strings in buf.  */
+  ptrdiff_t bytes;      /* Total length of the strings in buf.  */
 };
 /* Buffers for storing information about the overlays touching a given
@@ -2977,14 +2965,7 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
  EMACS_INT nbytes;
  if (ssl->used == ssl->size)
-    {
+    ssl->buf = xpalloc (ssl->buf, &ssl->size, 5, -1, sizeof *ssl->buf);
-      ptrdiff_t ssl_size = 0 < ssl->size ? ssl->size * 2 : 5;
-      if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (struct sortstr) < ssl_size)
-        memory_full (SIZE_MAX);
-      ssl->buf = ((struct sortstr *)
-                  xrealloc (ssl->buf, ssl_size * sizeof (struct sortstr)));
-      ssl->size = ssl_size;
-    }
  ssl->buf[ssl->used].string = str;
  ssl->buf[ssl->used].string2 = str2;
  ssl->buf[ssl->used].size = size;
@@ -2999,6 +2980,8 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
  else
    nbytes = SBYTES (str);
+  if (INT_ADD_OVERFLOW (ssl->bytes, nbytes))
+    memory_full (SIZE_MAX);
  ssl->bytes += nbytes;
  if (STRINGP (str2))
@@ -3011,6 +2994,8 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
      else
        nbytes = SBYTES (str2);
+      if (INT_ADD_OVERFLOW (ssl->bytes, nbytes))
+        memory_full (SIZE_MAX);
      ssl->bytes += nbytes;
    }
 }
@@ -3104,14 +3089,15 @@ overlay_strings (EMACS_INT pos, struct window *w, unsigned char **pstr)
      Lisp_Object tem;
      EMACS_INT i;
      unsigned char *p;
-      EMACS_INT total = overlay_heads.bytes + overlay_tails.bytes;
+      ptrdiff_t total;
+      if (INT_ADD_OVERFLOW (overlay_heads.bytes, overlay_tails.bytes))
+        memory_full (SIZE_MAX);
+      total = overlay_heads.bytes + overlay_tails.bytes;
      if (total > overlay_str_len)
-        {
+        overlay_str_buf = xpalloc (overlay_str_buf, &overlay_str_len,
-          overlay_str_buf = (unsigned char *)xrealloc (overlay_str_buf,
+                                   total - overlay_str_len, -1, 1);
-                                                       total);
-          overlay_str_len = total;
-        }
      p = overlay_str_buf;
      for (i = overlay_tails.used; --i >= 0;)
        {

diff --git a/src/buffer.c b/src/buffer.c index cacc8a41339..b61d083c3e6 100644 --- a/src/buffer.c +++ b/src/buffer.c
@@ -2568,13 +2568,10 @@ overlays_at (EMACS_INT pos, int extend, Lisp_Object **vec_ptr,
2568	Either make it bigger, or don't store any more in it. */	2568	Either make it bigger, or don't store any more in it. */
2569	if (extend)	2569	if (extend)
2570	{	2570	{
2571	if ((OVERLAY_COUNT_MAX - 4) / 2 < len)	2571	vec = xpalloc (vec, len_ptr, 1, OVERLAY_COUNT_MAX,
2572	memory_full (SIZE_MAX);	2572	sizeof *vec);
2573	/* Make it work with an initial len == 0. */
2574	len = len * 2 + 4;
2575	vec = (Lisp_Object ) xrealloc (vec, len sizeof (Lisp_Object));
2576	*vec_ptr = vec;	2573	*vec_ptr = vec;
2577	*len_ptr = len;	2574	len = *len_ptr;
2578	}	2575	}
2579	else	2576	else
2580	inhibit_storing = 1;	2577	inhibit_storing = 1;
@@ -2611,13 +2608,10 @@ overlays_at (EMACS_INT pos, int extend, Lisp_Object **vec_ptr,
2611	{	2608	{
2612	if (extend)	2609	if (extend)
2613	{	2610	{
2614	if ((OVERLAY_COUNT_MAX - 4) / 2 < len)	2611	vec = xpalloc (vec, len_ptr, 1, OVERLAY_COUNT_MAX,
2615	memory_full (SIZE_MAX);	2612	sizeof *vec);
2616	/* Make it work with an initial len == 0. */
2617	len = len * 2 + 4;
2618	vec = (Lisp_Object ) xrealloc (vec, len sizeof (Lisp_Object));
2619	*vec_ptr = vec;	2613	*vec_ptr = vec;
2620	*len_ptr = len;	2614	len = *len_ptr;
2621	}	2615	}
2622	else	2616	else
2623	inhibit_storing = 1;	2617	inhibit_storing = 1;
@@ -2708,13 +2702,10 @@ overlays_in (EMACS_INT beg, EMACS_INT end, int extend,
2708	Either make it bigger, or don't store any more in it. */	2702	Either make it bigger, or don't store any more in it. */
2709	if (extend)	2703	if (extend)
2710	{	2704	{
2711	if ((OVERLAY_COUNT_MAX - 4) / 2 < len)	2705	vec = xpalloc (vec, len_ptr, 1, OVERLAY_COUNT_MAX,
2712	memory_full (SIZE_MAX);	2706	sizeof *vec);
2713	/* Make it work with an initial len == 0. */
2714	len = len * 2 + 4;
2715	vec = (Lisp_Object ) xrealloc (vec, len sizeof (Lisp_Object));
2716	*vec_ptr = vec;	2707	*vec_ptr = vec;
2717	*len_ptr = len;	2708	len = *len_ptr;
2718	}	2709	}
2719	else	2710	else
2720	inhibit_storing = 1;	2711	inhibit_storing = 1;
@@ -2756,13 +2747,10 @@ overlays_in (EMACS_INT beg, EMACS_INT end, int extend,
2756	{	2747	{
2757	if (extend)	2748	if (extend)
2758	{	2749	{
2759	if ((OVERLAY_COUNT_MAX - 4) / 2 < len)	2750	vec = xpalloc (vec, len_ptr, 1, OVERLAY_COUNT_MAX,
2760	memory_full (SIZE_MAX);	2751	sizeof *vec);
2761	/* Make it work with an initial len == 0. */
2762	len = len * 2 + 4;
2763	vec = (Lisp_Object ) xrealloc (vec, len sizeof (Lisp_Object));
2764	*vec_ptr = vec;	2752	*vec_ptr = vec;
2765	*len_ptr = len;	2753	len = *len_ptr;
2766	}	2754	}
2767	else	2755	else
2768	inhibit_storing = 1;	2756	inhibit_storing = 1;
@@ -2944,7 +2932,7 @@ struct sortstrlist
2944	struct sortstr buf; / An array that expands as needed; never freed. */	2932	struct sortstr buf; / An array that expands as needed; never freed. */
2945	ptrdiff_t size; /* Allocated length of that array. */	2933	ptrdiff_t size; /* Allocated length of that array. */
2946	ptrdiff_t used; /* How much of the array is currently in use. */	2934	ptrdiff_t used; /* How much of the array is currently in use. */
2947	EMACS_INT bytes; /* Total length of the strings in buf. */	2935	ptrdiff_t bytes; /* Total length of the strings in buf. */
2948	};	2936	};
2949		2937
2950	/* Buffers for storing information about the overlays touching a given	2938	/* Buffers for storing information about the overlays touching a given
@@ -2977,14 +2965,7 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
2977	EMACS_INT nbytes;	2965	EMACS_INT nbytes;
2978		2966
2979	if (ssl->used == ssl->size)	2967	if (ssl->used == ssl->size)
2980	{	2968	ssl->buf = xpalloc (ssl->buf, &ssl->size, 5, -1, sizeof *ssl->buf);
2981	ptrdiff_t ssl_size = 0 < ssl->size ? ssl->size * 2 : 5;
2982	if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (struct sortstr) < ssl_size)
2983	memory_full (SIZE_MAX);
2984	ssl->buf = ((struct sortstr *)
2985	xrealloc (ssl->buf, ssl_size * sizeof (struct sortstr)));
2986	ssl->size = ssl_size;
2987	}
2988	ssl->buf[ssl->used].string = str;	2969	ssl->buf[ssl->used].string = str;
2989	ssl->buf[ssl->used].string2 = str2;	2970	ssl->buf[ssl->used].string2 = str2;
2990	ssl->buf[ssl->used].size = size;	2971	ssl->buf[ssl->used].size = size;
@@ -2999,6 +2980,8 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
2999	else	2980	else
3000	nbytes = SBYTES (str);	2981	nbytes = SBYTES (str);
3001		2982
		2983	if (INT_ADD_OVERFLOW (ssl->bytes, nbytes))
		2984	memory_full (SIZE_MAX);
3002	ssl->bytes += nbytes;	2985	ssl->bytes += nbytes;
3003		2986
3004	if (STRINGP (str2))	2987	if (STRINGP (str2))
@@ -3011,6 +2994,8 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
3011	else	2994	else
3012	nbytes = SBYTES (str2);	2995	nbytes = SBYTES (str2);
3013		2996
		2997	if (INT_ADD_OVERFLOW (ssl->bytes, nbytes))
		2998	memory_full (SIZE_MAX);
3014	ssl->bytes += nbytes;	2999	ssl->bytes += nbytes;
3015	}	3000	}
3016	}	3001	}
@@ -3104,14 +3089,15 @@ overlay_strings (EMACS_INT pos, struct window w, unsigned char *pstr)
3104	Lisp_Object tem;	3089	Lisp_Object tem;
3105	EMACS_INT i;	3090	EMACS_INT i;
3106	unsigned char *p;	3091	unsigned char *p;
3107	EMACS_INT total = overlay_heads.bytes + overlay_tails.bytes;	3092	ptrdiff_t total;
3108		3093
		3094	if (INT_ADD_OVERFLOW (overlay_heads.bytes, overlay_tails.bytes))
		3095	memory_full (SIZE_MAX);
		3096	total = overlay_heads.bytes + overlay_tails.bytes;
3109	if (total > overlay_str_len)	3097	if (total > overlay_str_len)
3110	{	3098	overlay_str_buf = xpalloc (overlay_str_buf, &overlay_str_len,
3111	overlay_str_buf = (unsigned char *)xrealloc (overlay_str_buf,	3099	total - overlay_str_len, -1, 1);
3112	total);	3100
3113	overlay_str_len = total;
3114	}
3115	p = overlay_str_buf;	3101	p = overlay_str_buf;
3116	for (i = overlay_tails.used; --i >= 0;)	3102	for (i = overlay_tails.used; --i >= 0;)
3117	{	3103	{