From 67c36fce599fc28e5ae3eca371d034c600265dd2 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Fri, 17 Jun 2011 01:10:34 -0700
Subject: * buffer.c (record_overlay_string): Check for size-calculation overflow. (struct sortstrlist.size, struct sortlist.used): Don't truncate size to int.
---
 src/buffer.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'src/buffer.c')
diff --git a/src/buffer.c b/src/buffer.c
index 90a10ec2a34..93f739c0d4b 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -2933,8 +2933,8 @@ struct sortstr
 struct sortstrlist
 {
 struct sortstr *buf; /* An array that expands as needed; never freed. */
- int size; /* Allocated length of that array. */
- int used; /* How much of the array is currently in use. */
+ ptrdiff_t size; /* Allocated length of that array. */
+ ptrdiff_t used; /* How much of the array is currently in use. */
 EMACS_INT bytes; /* Total length of the strings in buf. */
 };
@@ -2969,7 +2969,10 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
 if (ssl->used == ssl->size)
 {
- if (ssl->buf)
+ if (min (PTRDIFF_MAX, SIZE_MAX) / (sizeof (struct sortstr) * 2) < ssl->size)
+ memory_full (SIZE_MAX);
+ else if (0 < ssl->size)
 ssl->size *= 2;
 else
 ssl->size = 5;
-- 
cgit v1.2.1
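Review bot: The new guard in record_overlay_string compares ssl->size, now a signed ptrdiff_t, against the unsigned size_t quotient `min (PTRDIFF_MAX, SIZE_MAX) / (sizeof (struct sortstr) * 2)`, so ssl->size is converted to unsigned for the comparison; that is only correct because size is never negative, an invariant the code relies on but does not state, and one that -Wsign-compare will flag. A one-line comment above the check would make both the invariant and the purpose explicit, e.g. `/* ssl->size is never negative; refuse to double it when size * 2 * sizeof (struct sortstr) would overflow the byte count passed to the reallocation below.  */`. The replacement of `if (ssl->buf)` by `else if (0 < ssl->size)` is equivalent only if buf is non-null exactly when size is positive, which the "never freed" comment on the struct suggests but this hunk does not show. record_overlay_string's body, including the reallocation the check presumably protects, continues outside the hunk.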