diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/ChangeLog | 6 | ||||
| -rw-r--r-- | src/termcap.c | 18 |
2 files changed, 16 insertions, 8 deletions
diff --git a/src/ChangeLog b/src/ChangeLog index 7485afb00f4..24610e3de97 100644 --- a/src/ChangeLog +++ b/src/ChangeLog | |||
| @@ -1,5 +1,11 @@ | |||
| 1 | 2011-07-29 Paul Eggert <eggert@cs.ucla.edu> | 1 | 2011-07-29 Paul Eggert <eggert@cs.ucla.edu> |
| 2 | 2 | ||
| 3 | * termcap.c: Integer and memory overflow issues. | ||
| 4 | (tgetent): Use ptrdiff_t, not int, to record results of | ||
| 5 | subtracting pointers. | ||
| 6 | (gobble_line): Check for overflow more carefully. Don't update size | ||
| 7 | until alloc done. | ||
| 8 | |||
| 3 | * term.c: Integer and memory overflow issues. | 9 | * term.c: Integer and memory overflow issues. |
| 4 | (max_frame_lines): Remove; unused. | 10 | (max_frame_lines): Remove; unused. |
| 5 | (encode_terminal_src_size, encode_terminal_dst_size): Now ptrdiff_t, | 11 | (encode_terminal_src_size, encode_terminal_dst_size): Now ptrdiff_t, |
diff --git a/src/termcap.c b/src/termcap.c index 96b9303d62d..791c593c06f 100644 --- a/src/termcap.c +++ b/src/termcap.c | |||
| @@ -480,7 +480,7 @@ tgetent (char *bp, const char *name) | |||
| 480 | /* If BP is malloc'd by us, make sure it is big enough. */ | 480 | /* If BP is malloc'd by us, make sure it is big enough. */ |
| 481 | if (malloc_size) | 481 | if (malloc_size) |
| 482 | { | 482 | { |
| 483 | int offset1 = bp1 - bp, offset2 = tc_search_point - bp; | 483 | ptrdiff_t offset1 = bp1 - bp, offset2 = tc_search_point - bp; |
| 484 | malloc_size = offset1 + buf.size; | 484 | malloc_size = offset1 + buf.size; |
| 485 | bp = termcap_name = (char *) xrealloc (bp, malloc_size); | 485 | bp = termcap_name = (char *) xrealloc (bp, malloc_size); |
| 486 | bp1 = termcap_name + offset1; | 486 | bp1 = termcap_name + offset1; |
| @@ -619,7 +619,6 @@ gobble_line (int fd, register struct termcap_buffer *bufp, char *append_end) | |||
| 619 | register char *end; | 619 | register char *end; |
| 620 | register int nread; | 620 | register int nread; |
| 621 | register char *buf = bufp->beg; | 621 | register char *buf = bufp->beg; |
| 622 | register char *tem; | ||
| 623 | 622 | ||
| 624 | if (!append_end) | 623 | if (!append_end) |
| 625 | append_end = bufp->ptr; | 624 | append_end = bufp->ptr; |
| @@ -636,14 +635,17 @@ gobble_line (int fd, register struct termcap_buffer *bufp, char *append_end) | |||
| 636 | { | 635 | { |
| 637 | if (bufp->full == bufp->size) | 636 | if (bufp->full == bufp->size) |
| 638 | { | 637 | { |
| 639 | if ((PTRDIFF_MAX - 1) / 2 < bufp->size) | 638 | ptrdiff_t ptr_offset = bufp->ptr - buf; |
| 639 | ptrdiff_t append_end_offset = append_end - buf; | ||
| 640 | ptrdiff_t size; | ||
| 641 | if ((min (PTRDIFF_MAX, SIZE_MAX) - 1) / 2 < bufp->size) | ||
| 640 | memory_full (SIZE_MAX); | 642 | memory_full (SIZE_MAX); |
| 641 | bufp->size *= 2; | 643 | size = 2 * bufp->size; |
| 642 | /* Add 1 to size to ensure room for terminating null. */ | 644 | /* Add 1 to size to ensure room for terminating null. */ |
| 643 | tem = (char *) xrealloc (buf, bufp->size + 1); | 645 | bufp->beg = buf = (char *) xrealloc (buf, size + 1); |
| 644 | bufp->ptr = (bufp->ptr - buf) + tem; | 646 | bufp->size = size; |
| 645 | append_end = (append_end - buf) + tem; | 647 | bufp->ptr = buf + ptr_offset; |
| 646 | bufp->beg = buf = tem; | 648 | append_end = buf + append_end_offset; |
| 647 | } | 649 | } |
| 648 | } | 650 | } |
| 649 | else | 651 | else |