From 6089c5670b18a02fc2caca3e665d2bb7799dc4c8 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Mon, 4 Jul 2011 20:09:36 -0700 Subject: * lisp.h (struct vectorlike_header, struct Lisp_Subr): Signed sizes. Use EMACS_INT, not EMACS_UINT, for sizes. The code works equally well either way, and we prefer signed to unsigned. --- src/ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index 9ad7da46ecf..e4702b4316b 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,9 @@ 2011-07-05 Paul Eggert + * lisp.h (struct vectorlike_header, struct Lisp_Subr): Signed sizes. + Use EMACS_INT, not EMACS_UINT, for sizes. The code works equally + well either way, and we prefer signed to unsigned. + Random fixes. E.g., (random) never returned negative values. * fns.c (Frandom): Use GET_EMACS_TIME for random seed, and add the subseconds part to the entropy, as that's a bit more random. -- cgit v1.2.1 From 9cfdb3ec08672f13088ebd133bbc794c04a66b05 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Mon, 4 Jul 2011 22:27:49 -0700 Subject: [ChangeLog] Assume support for memcmp, memcpy, memmove, memset. This simplifies the code a bit. All current platforms have these, as they are required for C89. If this turns into a problem we can add the gnulib modules for these (a 1-line change to Makefile.in). * configure.in: Don't check for memcmp, memcpy, memmove, memset. [lib-src/ChangeLog] Assume support for memcmp, memcpy, memmove, memset. * etags.c (absolute_filename): Assume memmove exists. [src/ChangeLog] Assume support for memcmp, memcpy, memmove, memset. * lisp.h, sysdep.c (memcmp, memcpy, memmove, memset): * regex.c (memcmp, memcpy): Remove; we assume C89 now. * gmalloc.c (memcpy, memset, memmove): Remove; we assume C89 now. (__malloc_safe_bcopy): Remove; no longer needed. --- src/ChangeLog | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src/ChangeLog') 
diff --git a/src/ChangeLog b/src/ChangeLog index e4702b4316b..22d70bf54eb 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,13 @@ 2011-07-05 Paul Eggert + Assume support for memcmp, memcpy, memmove, memset. + * lisp.h, sysdep.c (memcmp, memcpy, memmove, memset): + * regex.c (memcmp, memcpy): + Remove; we assume C89 now. + + * gmalloc.c (memcpy, memset, memmove): Remove; we assume C89 now. + (__malloc_safe_bcopy): Remove; no longer needed. + * lisp.h (struct vectorlike_header, struct Lisp_Subr): Signed sizes. Use EMACS_INT, not EMACS_UINT, for sizes. The code works equally well either way, and we prefer signed to unsigned. -- cgit v1.2.1 From 0e926e561c259468174b16407dd7271c2c8fe904 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Wed, 6 Jul 2011 18:32:56 -0700 Subject: Assume freestanding C89 headers, string.h, stdlib.h. --- src/ChangeLog | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index b0fb0f213ab..d91837877e1 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,17 @@ +2011-07-07 Paul Eggert + + Assume freestanding C89 headers, string.h, stdlib.h. + * data.c, doprnt.c, floatfns.c, print.c: + Include float.h unconditionally. + * gmalloc.c: Assume C89-at-least behavior for preprocessor, + limits.h, stddef.h, string.h. Use memset instead of 'flood'. + * regex.c: Likewise for stddef.h, string.h. + (ISASCII): Remove; can assume it returns 1 now. All uses removed. + * s/aix4-2.h (HAVE_STRING_H): Remove obsolete undef. + * s/ms-w32.h (HAVE_LIMITS_H, HAVE_STRING_H, HAVE_STDLIB_H) + (STDC_HEADERS): Remove obsolete defines. + * sysdep.c: Include limits.h unconditionally. + 2011-07-06 Paul Eggert Assume support for memcmp, memcpy, memmove, memset. -- cgit v1.2.1 From c2d1e36da89642b8916965a967b000aff7d59099 Mon Sep 17 00:00:00 2001 
From: Paul Eggert Date: Wed, 6 Jul 2011 19:14:52 -0700 Subject: * doprnt.c: Prefer signed to unsigned when either works. * eval.c (verror): * doprnt.c (doprnt): * lisp.h (doprnt): * xdisp.c (vmessage): Use ptrdiff_t, not size_t, when using or implementing doprnt, since the sizes cannot exceed ptrdiff_t bounds anyway, and we prefer signed arithmetic to avoid comparison confusion. * doprnt.c (doprnt): Avoid a "+ 1" that can't overflow, but is a bit tricky. --- src/ChangeLog | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index d91837877e1..6e63fdd6333 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,16 @@ 2011-07-07 Paul Eggert + * doprnt.c: Prefer signed to unsigned when either works. + * eval.c (verror): + * doprnt.c (doprnt): + * lisp.h (doprnt): + * xdisp.c (vmessage): + Use ptrdiff_t, not size_t, when using or implementing doprnt, + since the sizes cannot exceed ptrdiff_t bounds anyway, and we + prefer signed arithmetic to avoid comparison confusion. + * doprnt.c (doprnt): Avoid a "+ 1" that can't overflow, + but is a bit tricky. + Assume freestanding C89 headers, string.h, stdlib.h. * data.c, doprnt.c, floatfns.c, print.c: Include float.h unconditionally. -- cgit v1.2.1 From ac82cc6ad7793d477015227629070cf87c6225b0 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Wed, 6 Jul 2011 19:24:56 -0700 Subject: * xselect.c: Integer signedness and overflow fixes. (Fx_register_dnd_atom, x_handle_dnd_message): Use ptrdiff_t, not size_t, since we prefer signed. (Fx_register_dnd_atom): Check for ptrdiff_t (and size_t) overflow. * xterm.h (struct x_display_info): Use ptrdiff_t, not size_t, for x_dnd_atoms_size and x_dnd_atoms_length. --- src/ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index 6e63fdd6333..43d449b459b 100644 --- a/src/ChangeLog +++ b/src/ChangeLog 
@@ -1,5 +1,12 @@ 2011-07-07 Paul Eggert + * xselect.c: Integer signedness and overflow fixes. + (Fx_register_dnd_atom, x_handle_dnd_message): + Use ptrdiff_t, not size_t, since we prefer signed. + (Fx_register_dnd_atom): Check for ptrdiff_t (and size_t) overflow. + * xterm.h (struct x_display_info): Use ptrdiff_t, not size_t, for + x_dnd_atoms_size and x_dnd_atoms_length. + * doprnt.c: Prefer signed to unsigned when either works. * eval.c (verror): * doprnt.c (doprnt): -- cgit v1.2.1 From 903fe15d9deb28a72075c39dfd6003a2ff1af134 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Thu, 7 Jul 2011 09:58:24 -0700 Subject: * alloc.c: Integer signedness and overflow fixes. Do not impose an arbitrary 32-bit limit on malloc sizes when debugging. (__malloc_size_t): Default to size_t, not to int. (pure_size, pure_bytes_used_before_overflow, stack_copy_size) (Fgarbage_collect, mark_object_loop_halt, mark_object): Prefer ptrdiff_t to size_t when either would do, as we prefer signed integers. (XMALLOC_OVERRUN_CHECK_OVERHEAD): New macro. (xmalloc_overrun_check_header, xmalloc_overrun_check_trailer): Now const. Initialize with values that are in range even if char is signed. (XMALLOC_PUT_SIZE, XMALLOC_GET_SIZE): Remove, replacing with ... (xmalloc_put_size, xmalloc_get_size): New functions. All uses changed. These functions do the right thing with sizes > 2**32. (check_depth): Now ptrdiff_t, not int. (overrun_check_malloc, overrun_check_realloc, overrun_check_free): Adjust to new way of storing sizes. Check for size overflow bugs in rest of code. (STRING_BYTES_MAX): Adjust to new overheads. The old code was slightly wrong anyway, as it missed one instance of XMALLOC_OVERRUN_CHECK_OVERHEAD. (refill_memory_reserve): Omit needless cast to size_t. (mark_object_loop_halt): Mark as externally visible. --- src/ChangeLog | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'src/ChangeLog') 
diff --git a/src/ChangeLog b/src/ChangeLog index 43d449b459b..f2c318fa84a 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,29 @@ 2011-07-07 Paul Eggert + * alloc.c: Integer signedness and overflow fixes. + Do not impose an arbitrary 32-bit limit on malloc sizes when debugging. + (__malloc_size_t): Default to size_t, not to int. + (pure_size, pure_bytes_used_before_overflow, stack_copy_size) + (Fgarbage_collect, mark_object_loop_halt, mark_object): + Prefer ptrdiff_t to size_t when either would do, as we prefer + signed integers. + (XMALLOC_OVERRUN_CHECK_OVERHEAD): New macro. + (xmalloc_overrun_check_header, xmalloc_overrun_check_trailer): + Now const. Initialize with values that are in range even if char + is signed. + (XMALLOC_PUT_SIZE, XMALLOC_GET_SIZE): Remove, replacing with ... + (xmalloc_put_size, xmalloc_get_size): New functions. All uses changed. + These functions do the right thing with sizes > 2**32. + (check_depth): Now ptrdiff_t, not int. + (overrun_check_malloc, overrun_check_realloc, overrun_check_free): + Adjust to new way of storing sizes. Check for size overflow bugs + in rest of code. + (STRING_BYTES_MAX): Adjust to new overheads. The old code was + slightly wrong anyway, as it missed one instance of + XMALLOC_OVERRUN_CHECK_OVERHEAD. + (refill_memory_reserve): Omit needless cast to size_t. + (mark_object_loop_halt): Mark as externally visible. + * xselect.c: Integer signedness and overflow fixes. (Fx_register_dnd_atom, x_handle_dnd_message): Use ptrdiff_t, not size_t, since we prefer signed. -- cgit v1.2.1 From 5b8ffbdddd1280515a254c360f67626f0c9ab3c8 Mon Sep 17 00:00:00 2001 
From: Paul Eggert Date: Thu, 7 Jul 2011 10:42:28 -0700 Subject: * bidi.c: Integer signedness and overflow fixes. (bidi_cache_idx, bidi_cache_last_idx, bidi_cache_fetch_state) (bidi_cache_search, bidi_cache_find_level_change) (bidi_cache_iterator_state, bidi_cache_find, bidi_find_other_level_edge) (bidi_dump_cached_states): Don't arbitrarily limit cache indexes to int; use ptrdiff_t instead. (bidi_cache_size): Use ptrdiff_t rather than size_t, as we prefer signed integers. (elsz): Make it a (signed) constant. (bidi_cache_iterator_state): Check for size-calculation overflow. --- src/ChangeLog | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index f2c318fa84a..a6cafedb36c 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,16 @@ 2011-07-07 Paul Eggert + * bidi.c: Integer signedness and overflow fixes. + (bidi_cache_idx, bidi_cache_last_idx, bidi_cache_fetch_state) + (bidi_cache_search, bidi_cache_find_level_change) + (bidi_cache_iterator_state, bidi_cache_find, bidi_find_other_level_edge) + (bidi_dump_cached_states): + Don't arbitrarily limit cache indexes to int; use ptrdiff_t instead. + (bidi_cache_size): Use ptrdiff_t rather than size_t, as we prefer + signed integers. + (elsz): Make it a (signed) constant. + (bidi_cache_iterator_state): Check for size-calculation overflow. + * alloc.c: Integer signedness and overflow fixes. Do not impose an arbitrary 32-bit limit on malloc sizes when debugging. (__malloc_size_t): Default to size_t, not to int. -- cgit v1.2.1 From fd05c7e9aae3cc636a7e13487dc50010084adae8 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Thu, 7 Jul 2011 10:51:05 -0700 Subject: * buffer.c: Integer signedness fixes. (alloc_buffer_text, enlarge_buffer_text): Use ptrdiff_t rather than size_t when either will do, as we prefer signed integers. --- src/ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'src/ChangeLog') 
diff --git a/src/ChangeLog b/src/ChangeLog index a6cafedb36c..6d8ee7d5306 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,10 @@ 2011-07-07 Paul Eggert + * buffer.c: Integer signedness fixes. + (alloc_buffer_text, enlarge_buffer_text): + Use ptrdiff_t rather than size_t when either will do, as we prefer + signed integers. + * bidi.c: Integer signedness and overflow fixes. (bidi_cache_idx, bidi_cache_last_idx, bidi_cache_fetch_state) (bidi_cache_search, bidi_cache_find_level_change) -- cgit v1.2.1 From 3300e6fd43c4059de955cddc37ec4212dab2b085 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Thu, 7 Jul 2011 10:55:38 -0700 Subject: * keyboard.h (num_input_events): Now uintmax_t. This is (very slightly) less likely to mess up due to wraparound. All uses changed. --- src/ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index 6d8ee7d5306..8d8e8789811 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,9 @@ 2011-07-07 Paul Eggert + * keyboard.h (num_input_events): Now uintmax_t. + This is (very slightly) less likely to mess up due to wraparound. + All uses changed. + * buffer.c: Integer signedness fixes. (alloc_buffer_text, enlarge_buffer_text): Use ptrdiff_t rather than size_t when either will do, as we prefer -- cgit v1.2.1 From a81d11a3efb4d511c5c34c8983dc6aab5d619ea1 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Thu, 7 Jul 2011 14:52:44 -0700 Subject: * editfns.c (pWIDE, pWIDElen, signed_wide, unsigned_wide): Remove, replacing with the new symbols in lisp.h. All uses changed. * fileio.c (make_temp_name): * filelock.c (lock_file_1, lock_file): * xdisp.c (message_dolog): Don't assume PRIdMAX etc. works; this isn't portable to pre-C99 hosts. Use pMd etc. instead. * lisp.h (printmax_t, uprintmax_t, pMd, pMu): New types and macros, replacing the pWIDE etc. symbols removed from editfns.c. --- src/ChangeLog | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'src/ChangeLog') 
diff --git a/src/ChangeLog b/src/ChangeLog index 8d8e8789811..62bf5712621 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,15 @@ 2011-07-07 Paul Eggert + * editfns.c (pWIDE, pWIDElen, signed_wide, unsigned_wide): + Remove, replacing with the new symbols in lisp.h. All uses changed. + * fileio.c (make_temp_name): + * filelock.c (lock_file_1, lock_file): + * xdisp.c (message_dolog): + Don't assume PRIdMAX etc. works; this isn't portable to pre-C99 hosts. + Use pMd etc. instead. + * lisp.h (printmax_t, uprintmax_t, pMd, pMu): New types and macros, + replacing the pWIDE etc. symbols removed from editfns.c. + * keyboard.h (num_input_events): Now uintmax_t. This is (very slightly) less likely to mess up due to wraparound. All uses changed. -- cgit v1.2.1 From dfd153ae803962a5eaffe8a65e77f749c0574edf Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Thu, 7 Jul 2011 15:14:22 -0700 Subject: * dispnew.c: Integer signedness and overflow fixes. Remove unnecessary forward decls, that were a maintenance hassle. (history_tick): Now uprintmax_t, so it's more likely to avoid overflow. All uses changed. (adjust_glyph_matrix, realloc_glyph_pool, adjust_frame_message_buffer) (scrolling_window): Use ptrdiff_t, not int, for byte count. (prepare_desired_row, line_draw_cost): Use int, not unsigned, where either works. (save_current_matrix, restore_current_matrix): Use ptrdiff_t, not size_t, where either works. (init_display): Check for overflow more accurately, and without relying on undefined behavior. --- src/ChangeLog | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index 62bf5712621..e2cf24fc173 100644 --- a/src/ChangeLog +++ b/src/ChangeLog 
@@ -1,5 +1,18 @@ 2011-07-07 Paul Eggert + * dispnew.c: Integer signedness and overflow fixes. + Remove unnecessary forward decls, that were a maintenance hassle. + (history_tick): Now uprintmax_t, so it's more likely to avoid overflow. + All uses changed. + (adjust_glyph_matrix, realloc_glyph_pool, adjust_frame_message_buffer) + (scrolling_window): Use ptrdiff_t, not int, for byte count. + (prepare_desired_row, line_draw_cost): + Use int, not unsigned, where either works. + (save_current_matrix, restore_current_matrix): + Use ptrdiff_t, not size_t, where either works. + (init_display): Check for overflow more accurately, and without + relying on undefined behavior. + * editfns.c (pWIDE, pWIDElen, signed_wide, unsigned_wide): Remove, replacing with the new symbols in lisp.h. All uses changed. * fileio.c (make_temp_name): -- cgit v1.2.1 From b312a4929d4ed7bc900a54f506905801f860ce7c Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Thu, 7 Jul 2011 15:45:25 -0700 Subject: * emacs.c: Integer overflow minor fix. (heap_bss_diff): Now uprintmax_t, not unsigned long. All used changed. Define only if GNU_LINUX. (main, Fdump_emacs): Set and use heap_bss_diff only if GNU_LINUX. --- src/ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index e2cf24fc173..0265828c60e 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,10 @@ 2011-07-07 Paul Eggert + * emacs.c: Integer overflow minor fix. + (heap_bss_diff): Now uprintmax_t, not unsigned long. All used changed. + Define only if GNU_LINUX. + (main, Fdump_emacs): Set and use heap_bss_diff only if GNU_LINUX. + * dispnew.c: Integer signedness and overflow fixes. Remove unnecessary forward decls, that were a maintenance hassle. (history_tick): Now uprintmax_t, so it's more likely to avoid overflow. -- cgit v1.2.1 From 3cc5a5328c43317b12a7163c4e1c0a56d85b93ce Mon Sep 17 00:00:00 2001 
From: Paul Eggert Date: Thu, 7 Jul 2011 17:51:25 -0700 Subject: Improve hashing quality when configured --with-wide-int. * fns.c (hash_string): New function, taken from sxhash_string. Do not discard information about ASCII character case; this discarding is no longer needed. (sxhash-string): Use it. Change sig to match it. Caller changed. * lisp.h: Declare it. * lread.c (hash_string): Remove, since we now use fns.c's version. The fns.c version returns a wider integer if --with-wide-int is specified, so this should help the quality of the hashing a bit. --- src/ChangeLog | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index 0265828c60e..aaf87deb9a5 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,15 @@ +2011-07-08 Paul Eggert + + Improve hashing quality when configured --with-wide-int. + * fns.c (hash_string): New function, taken from sxhash_string. + Do not discard information about ASCII character case; this + discarding is no longer needed. + (sxhash-string): Use it. Change sig to match it. Caller changed. + * lisp.h: Declare it. + * lread.c (hash_string): Remove, since we now use fns.c's version. + The fns.c version returns a wider integer if --with-wide-int is + specified, so this should help the quality of the hashing a bit. + 2011-07-07 Paul Eggert * emacs.c: Integer overflow minor fix. -- cgit v1.2.1 From 3f791afed9cd1002b909cefd3482763b2a310608 Mon Sep 17 00:00:00 2001 
From: Paul Eggert Date: Sat, 9 Jul 2011 00:01:24 -0700 Subject: * image.c: Integer signedness and overflow and related fixes. This is not an exhaustive set of fixes, but it's time to record what I've got. (lookup_pixel_color, check_image_size): Remove redundant decls. (check_image_size): Don't assume that arbitrary EMACS_INT values fit in 'int', or that arbitrary 'double' values fit in 'int'. (x_alloc_image_color, x_create_x_image_and_pixmap, png_load) (tiff_load, imagemagick_load_image): Check for overflow in size calculations. (x_create_x_image_and_pixmap): Remove unnecessary test for xmalloc returning NULL; that can't happen. (xbm_read_bitmap_data): Don't assume sizes fit into 'int'. (xpm_color_bucket): Use better integer hashing function. (xpm_cache_color): Don't possibly over-allocate memory. (struct png_memory_storage, tiff_memory_source, tiff_seek_in_memory) (gif_memory_source): Use ptrdiff_t, not int or size_t, to record sizes. (png_load): Don't assume values greater than 2**31 fit in 'int'. (our_stdio_fill_input_buffer): Prefer ptrdiff_t to size_t when either works, as we prefer signed integers. (tiff_read_from_memory, tiff_write_from_memory): Return tsize_t, not size_t, since that's what the TIFF API wants. (tiff_read_from_memory): Don't fail simply because the read would go past EOF; instead, return a short read. (tiff_load): Omit no-longer-needed casts. (Fimagemagick_types): Don't assume size fits into 'int'. --- src/ChangeLog | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index aaf87deb9a5..d7ee434378c 100644 --- a/src/ChangeLog +++ b/src/ChangeLog 
@@ -1,3 +1,32 @@ +2011-07-09 Paul Eggert + + * image.c: Integer signedness and overflow and related fixes. + This is not an exhaustive set of fixes, but it's time to + record what I've got. + (lookup_pixel_color, check_image_size): Remove redundant decls. + (check_image_size): Don't assume that arbitrary EMACS_INT values + fit in 'int', or that arbitrary 'double' values fit in 'int'. + (x_alloc_image_color, x_create_x_image_and_pixmap, png_load) + (tiff_load, imagemagick_load_image): + Check for overflow in size calculations. + (x_create_x_image_and_pixmap): Remove unnecessary test for + xmalloc returning NULL; that can't happen. + (xbm_read_bitmap_data): Don't assume sizes fit into 'int'. + (xpm_color_bucket): Use better integer hashing function. + (xpm_cache_color): Don't possibly over-allocate memory. + (struct png_memory_storage, tiff_memory_source, tiff_seek_in_memory) + (gif_memory_source): + Use ptrdiff_t, not int or size_t, to record sizes. + (png_load): Don't assume values greater than 2**31 fit in 'int'. + (our_stdio_fill_input_buffer): Prefer ptrdiff_t to size_t when + either works, as we prefer signed integers. + (tiff_read_from_memory, tiff_write_from_memory): + Return tsize_t, not size_t, since that's what the TIFF API wants. + (tiff_read_from_memory): Don't fail simply because the read would + go past EOF; instead, return a short read. + (tiff_load): Omit no-longer-needed casts. + (Fimagemagick_types): Don't assume size fits into 'int'. + 2011-07-08 Paul Eggert Improve hashing quality when configured --with-wide-int. -- cgit v1.2.1 From e3c25c689524aa85ce37840fff344cc297cf42ec Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Mon, 11 Jul 2011 11:36:33 -0700 Subject: * dispnew.c (init_display): Use *_RANGE_OVERFLOW macros. The plain *_OVERFLOW macros run afoul of GCC bug 49705 and therefore cause GCC to emit a bogus diagnostic in some cases. --- src/ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'src/ChangeLog') 
diff --git a/src/ChangeLog b/src/ChangeLog index 4e69399154d..c519100b2f0 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,10 @@ 2011-07-11 Paul Eggert + * dispnew.c (init_display): Use *_RANGE_OVERFLOW macros. + The plain *_OVERFLOW macros run afoul of GCC bug 49705 + + and therefore cause GCC to emit a bogus diagnostic in some cases. + * image.c: Integer signedness and overflow and related fixes. This is not an exhaustive set of fixes, but it's time to record what I've got. -- cgit v1.2.1 From c8907a930eb953a30831faa3a7ccae74e4ae2f23 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Tue, 12 Jul 2011 10:34:59 -0700 Subject: * xfaces.c (Fbitmap_spec_p): Fix integer overflow bug. Without this fix, (bitmap-spec-p '(34359738368 1 "x")) would wrongly return t on a 64-bit host. --- src/ChangeLog | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index b0913ab983c..8911b6bdce2 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,9 @@ +2011-07-12 Paul Eggert + + * xfaces.c (Fbitmap_spec_p): Fix integer overflow bug. + Without this fix, (bitmap-spec-p '(34359738368 1 "x")) + would wrongly return t on a 64-bit host. + 2011-07-11 Paul Eggert * dispnew.c (init_display): Use *_RANGE_OVERFLOW macros. -- cgit v1.2.1 From 82d66f4e89f12f5c5eb6e4a4f80745a69da6b710 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Tue, 12 Jul 2011 10:35:56 -0700 Subject: * bidi.c (bidi_dump_cached_states): Use pD to print ptrdiff_t. --- src/ChangeLog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index 8911b6bdce2..c9706aa3a37 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,7 @@ 2011-07-12 Paul Eggert + * bidi.c (bidi_dump_cached_states): Use pD to print ptrdiff_t. + * xfaces.c (Fbitmap_spec_p): Fix integer overflow bug. Without this fix, (bitmap-spec-p '(34359738368 1 "x")) would wrongly return t on a 64-bit host. -- cgit v1.2.1 
From 5adf60bc2313a220185c9f22d3d539a0dc51b228 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Tue, 12 Jul 2011 20:42:26 -0700 Subject: * image.c (png_load): Don't assume height * row_bytes fits in 'int'. --- src/ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index 3862ce46327..9513dfd8e64 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,7 @@ +2011-07-13 Paul Eggert + + * image.c (png_load): Don't assume height * row_bytes fits in 'int'. + 2011-07-12 Paul Eggert * bidi.c (bidi_dump_cached_states): Use pD to print ptrdiff_t. -- cgit v1.2.1 From 5f8f9cc26998b1b74d9ac5c8b68000d53aae31cc Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Wed, 13 Jul 2011 08:42:12 -0700 Subject: * gtkutil.c: Omit integer casts. (xg_get_pixbuf_from_pixmap): Remove unnecessary cast. (xg_set_toolkit_scroll_bar_thumb): Rewrite to avoid need for cast. --- src/ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index fd1644c9b98..c986030fcf8 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,9 @@ 2011-07-13 Paul Eggert + * gtkutil.c: Omit integer casts. + (xg_get_pixbuf_from_pixmap): Remove unnecessary cast. + (xg_set_toolkit_scroll_bar_thumb): Rewrite to avoid need for cast. + * image.c (png_load): Don't assume height * row_bytes fits in 'int'. * bidi.c (bidi_dump_cached_states): Use pD to print ptrdiff_t. -- cgit v1.2.1 From ca4aa9359160557f8103639fc3c0ccb16c6ba8d2 Mon Sep 17 00:00:00 2001 
From: Paul Eggert Date: Wed, 13 Jul 2011 23:20:53 -0700 Subject: * image.c: Improve checking for integer overflow. (check_image_size): Assume that f is nonnull, since it is always nonnull in practice. This is one less thing to worry about when checking for integer overflow later. (x_check_image_size): New function, which checks for integer overflow issues inside X. (x_create_x_image_and_pixmap, xbm_read_bitmap_data): Use it. This removes the need for a memory_full check. (xbm_image_p): Rewrite to avoid integer multiplication overflow. (Create_Pixmap_From_Bitmap_Data, xbm_load): Use x_check_image_size. (xbm_read_bitmap_data): Change locals back to 'int', since their values must fit in 'int'. (xpm_load_image, png_load, tiff_load): Invoke x_create_x_image_and_pixmap earlier, to avoid much needless work if the image is too large. (tiff_load): Treat overly large images as if x_create_x_image_and_pixmap failed, not as malloc failures. (gs_load): Use x_check_image_size. --- src/ChangeLog | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index c986030fcf8..e07b906b56d 100644 --- a/src/ChangeLog +++ b/src/ChangeLog 
@@ -1,3 +1,24 @@ +2011-07-14 Paul Eggert + + * image.c: Improve checking for integer overflow. + (check_image_size): Assume that f is nonnull, since + it is always nonnull in practice. This is one less thing to + worry about when checking for integer overflow later. + (x_check_image_size): New function, which checks for integer + overflow issues inside X. + (x_create_x_image_and_pixmap, xbm_read_bitmap_data): Use it. + This removes the need for a memory_full check. + (xbm_image_p): Rewrite to avoid integer multiplication overflow. + (Create_Pixmap_From_Bitmap_Data, xbm_load): Use x_check_image_size. + (xbm_read_bitmap_data): Change locals back to 'int', since + their values must fit in 'int'. + (xpm_load_image, png_load, tiff_load): + Invoke x_create_x_image_and_pixmap earlier, + to avoid much needless work if the image is too large. + (tiff_load): Treat overly large images as if + x_create_x_image_and_pixmap failed, not as malloc failures. + (gs_load): Use x_check_image_size. + 2011-07-13 Paul Eggert * gtkutil.c: Omit integer casts. -- cgit v1.2.1 From 41f55ccd14109b14de3abd1dc3452f3b465b1883 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Thu, 14 Jul 2011 01:05:10 -0700 Subject: Add Bug#. --- src/ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index 2b6fc837b62..d9060ae6365 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,6 +1,6 @@ 2011-07-14 Paul Eggert - Integer signedness and overflow and related fixes. + Integer signedness and overflow and related fixes. (Bug#9079) * image.c: Improve checking for integer overflow. (check_image_size): Assume that f is nonnull, since -- cgit v1.2.1 From 5e927815391bbb3a6e25b9bd65a7c59f1a5216ef Mon Sep 17 00:00:00 2001 
From: Paul Eggert Date: Thu, 14 Jul 2011 09:07:02 -0700 Subject: * alloc.c (__malloc_size_t): Remove. All uses replaced by size_t. See Andreas Schwab's note . --- src/ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index d9060ae6365..f1670d1db06 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -2,6 +2,10 @@ Integer signedness and overflow and related fixes. (Bug#9079) + * alloc.c (__malloc_size_t): Remove. + All uses replaced by size_t. See Andreas Schwab's note + . + * image.c: Improve checking for integer overflow. (check_image_size): Assume that f is nonnull, since it is always nonnull in practice. This is one less thing to -- cgit v1.2.1 From af1d7677299425547ec39d20810890333a9970a7 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Thu, 14 Jul 2011 09:20:47 -0700 Subject: * src/bidi.c: Hold off on these changes for now. See . --- src/ChangeLog | 13 ------------- 1 file changed, 13 deletions(-) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index e0de5edda9c..0977b12ab38 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -31,8 +31,6 @@ * image.c (png_load): Don't assume height * row_bytes fits in 'int'. - * bidi.c (bidi_dump_cached_states): Use pD to print ptrdiff_t. - * xfaces.c (Fbitmap_spec_p): Fix integer overflow bug. Without this fix, (bitmap-spec-p '(34359738368 1 "x")) would wrongly return t on a 64-bit host. 
@@ -116,17 +114,6 @@ Use ptrdiff_t rather than size_t when either will do, as we prefer signed integers. - * bidi.c: Integer signedness and overflow fixes. - (bidi_cache_idx, bidi_cache_last_idx, bidi_cache_fetch_state) - (bidi_cache_search, bidi_cache_find_level_change) - (bidi_cache_iterator_state, bidi_cache_find) - (bidi_find_other_level_edge, bidi_dump_cached_states): - Don't arbitrarily limit cache indexes to int; use ptrdiff_t instead. - (bidi_cache_size): Use ptrdiff_t rather than size_t, as we prefer - signed integers. - (elsz): Make it a (signed) constant. - (bidi_cache_iterator_state): Check for size-calculation overflow. - * alloc.c: Integer signedness and overflow fixes. Do not impose an arbitrary 32-bit limit on malloc sizes when debugging. (__malloc_size_t): Default to size_t, not to int. -- cgit v1.2.1 From 39e378da07fe365c6442dc95b937539eb31fe8ef Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Thu, 14 Jul 2011 14:57:00 -0700 Subject: * bidi.c: Integer size and overflow fixes. (bidi_cache_size, bidi_cache_idx, bidi_cache_last_idx) (bidi_cache_start, bidi_cache_fetch_state, bidi_cache_search) (bidi_cache_find_level_change, bidi_cache_ensure_space) (bidi_cache_iterator_state, bidi_cache_find, bidi_cache_start_stack) (bidi_find_other_level_edge): Use ptrdiff_t instead of EMACS_INT where either will do. This works better on 32-bit hosts configured --with-wide-int. (bidi_cache_ensure_space): Check for size-calculation overflow. Use % rather than repeated addition, for better worst-case speed. Don't set bidi_cache_size until after xrealloc returns, because it might not return. (bidi_dump_cached_states): Use ptrdiff_t, not int, to avoid overflow. --- src/ChangeLog | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index b683a7f55cd..c19786fb72c 100644 --- a/src/ChangeLog +++ b/src/ChangeLog 
@@ -2,6 +2,20 @@ Integer signedness and overflow and related fixes. (Bug#9079) + * bidi.c: Integer size and overflow fixes. + (bidi_cache_size, bidi_cache_idx, bidi_cache_last_idx) + (bidi_cache_start, bidi_cache_fetch_state, bidi_cache_search) + (bidi_cache_find_level_change, bidi_cache_ensure_space) + (bidi_cache_iterator_state, bidi_cache_find, bidi_cache_start_stack) + (bidi_find_other_level_edge): + Use ptrdiff_t instead of EMACS_INT where either will do. + This works better on 32-bit hosts configured --with-wide-int. + (bidi_cache_ensure_space): Check for size-calculation overflow. + Use % rather than repeated addition, for better worst-case speed. + Don't set bidi_cache_size until after xrealloc returns, because it + might not return. + (bidi_dump_cached_states): Use ptrdiff_t, not int, to avoid overflow. + * alloc.c (__malloc_size_t): Remove. All uses replaced by size_t. See Andreas Schwab's note . -- cgit v1.2.1 From f0eb61e99dce9005dc94c909046f6130b3d4a97c Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Thu, 14 Jul 2011 23:44:47 -0700 Subject: * bidi.c (bidi_cache_ensure_space): Also check that the bidi cache size does not exceed that of the largest Lisp string or buffer. See Eli Zaretskii in . --- src/ChangeLog | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src/ChangeLog') diff --git a/src/ChangeLog b/src/ChangeLog index c19786fb72c..493b3277f52 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -15,6 +15,9 @@ Don't set bidi_cache_size until after xrealloc returns, because it might not return. (bidi_dump_cached_states): Use ptrdiff_t, not int, to avoid overflow. + (bidi_cache_ensure_space): Also check that the bidi cache size + does not exceed that of the largest Lisp string or buffer. See Eli + Zaretskii in . * alloc.c (__malloc_size_t): Remove. All uses replaced by size_t. See Andreas Schwab's note -- cgit v1.2.1
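
Review bot: off-by-one in the wording of the (xmalloc_put_size, xmalloc_get_size) item of the alloc.c entry (commit 903fe15d): "sizes > 2**32" leaves out 2**32 itself, which is the first size a 32-bit field cannot hold. Suggest "sizes >= 2**32", which matches the entry's own second line about no longer imposing a 32-bit limit on malloc sizes when debugging.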
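
Review bot: typo in the added (heap_bss_diff) line of the emacs.c entry (commit b312a492): "All used changed." should read "All uses changed.", the wording the dispnew.c entry directly below it uses for (history_tick). The commit subject carries the same typo.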
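
Review bot: the (tiff_read_from_memory) item in the image.c entry (commit 3f791afe) records a behaviour change, returning a short read instead of failing when the read would go past EOF, inside a list that is otherwise about integer types and overflow checks. State in that item what a caller should expect from the short read, or move it out from under the "Integer signedness and overflow" heading, so the change in read semantics is not lost among the type fixes.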
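
Review bot: the xfaces.c entry (commit c8907a93) gives a reproducer, (bitmap-spec-p '(34359738368 1 "x")), but not the cause. Add a sentence to the (Fbitmap_spec_p) item naming which value overflowed and what check now rejects it, so the log says what the fix guards against without the reader having to re-derive it from the code.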
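
Review bot: the added (bidi_cache_ensure_space) item in commit f0eb61e9 is appended after (bidi_dump_cached_states), so the bidi.c entry now lists bidi_cache_ensure_space twice. Fold the new sentence into the existing (bidi_cache_ensure_space) item, next to "Check for size-calculation overflow.", so both size checks on that function are documented in one place.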