    * xselect.c: Integer and memory overflow issues. · 864d7ce7
    Paul Eggert authored
    (X_LONG_SIZE, X_USHRT_MAX, X_ULONG_MAX): New macros.
    Use them to make the following changes clearer.
    (MAX_SELECTION_QUANTUM): Make the other bounds on this value clearer.
    This change doesn't affect the value now, but it may help remind
    future maintainers not to raise the value too much later.
    (SELECTION_QUANTUM): Remove, replacing with ...
    (selection_quantum): ... new function, which avoids overflow.
    All uses changed.
    (struct selection_data.size): Now ptrdiff_t, not int, to avoid
    assumption that selection length fits in 'int'.
    (x_reply_selection_request, x_handle_selection_request)
    (x_get_window_property, receive_incremental_selection)
    (x_get_window_property_as_lisp_data, selection_data_to_lisp_data)
    (lisp_data_to_selection_data, clean_local_selection_data):
    Use ptrdiff_t, not int, to record length of selection.
    (x_reply_selection_request, x_get_window_property)
    (receive_incremental_selection, x_property_data_to_lisp):
    Redo calculations to avoid overflow.
    (x_reply_selection_request): When sending hint, ceiling it at
    X_ULONG_MAX rather than relying on wraparound overflow to send
    (x_get_window_property, receive_incremental_selection)
    (lisp_data_to_selection_data, x_property_data_to_lisp):
    Check for size-calculation overflow.
    (x_get_window_property, receive_incremental_selection)
    (lisp_data_to_selection_data, Fx_register_dnd_atom):
    Don't store size until memory allocation succeeds.
    (x_get_window_property): Plug memory leak on memory exhaustion.
    Don't double-block input; malloc is safe here.  Don't assume 2**34
    - 4 fits in unsigned long.  Add an xassert to check
    XGetWindowProperty overflow.  Be more careful about overflow
    calculations, and distinguish size from memory overflow better.
    (receive_incremental_selection): When tracing, don't assume
    unsigned int is less than INT_MAX.
    (x_selection_data_to_lisp_data): Remove unnecessary (and in theory
    harmful) conversions of unsigned short to int.
    (lisp_data_to_selection_data): Don't assume that integers
    in the range -65535 through -1 fit in an X unsigned short.
    Don't assume that ULONG_MAX == X_ULONG_MAX.  Don't store into
    result parameters unless successful.  Rely on cons_to_unsigned
    to report problems with elements; the old code wasn't right anyway.
    (x_check_property_data): Check for int overflow; we cannot use
    a wider type due to X limits.
    (x_handle_dnd_message): Use unsigned int, to avoid int overflow.
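The defensive pattern this commit message describes, as an added C example that is not Emacs's code and not part of the commit: compute a selection buffer size from an X item count and item width without integer overflow, bound it by a quantum, record the size only after allocation succeeds, clamp the size hint sent to X instead of letting it wrap, and reject host integers that do not fit an X unsigned short. The macro names X_ULONG_MAX, X_USHRT_MAX and MAX_SELECTION_QUANTUM are taken from the commit; their values here, the struct layout and every function name are assumptions made for this example.

```c
/* Added example, not code from Emacs's xselect.c or from this commit.
   Macro names come from the commit; the values are assumed for this example. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define X_USHRT_MAX 0xffffUL           /* assumed: X's 16-bit unsigned limit */
#define X_ULONG_MAX 0xffffffffUL       /* assumed: X's 32-bit unsigned limit */
#define MAX_SELECTION_QUANTUM 0xfffff  /* assumed bound, for this example only */

struct selection_data {
    unsigned char *data;
    ptrdiff_t size;   /* ptrdiff_t rather than int: the length need not fit an int */
};

/* Compute nitems * bytes_per_item.  Returns 0 and stores the result in *out
   when the product fits in ptrdiff_t and does not exceed limit; returns -1
   otherwise and leaves *out untouched. */
static int
checked_selection_size(unsigned long nitems, int bytes_per_item,
                       ptrdiff_t limit, ptrdiff_t *out)
{
    if (bytes_per_item <= 0)
        return -1;
    /* Divide instead of multiply so the overflow test itself cannot overflow. */
    if (nitems > (uintmax_t) PTRDIFF_MAX / (uintmax_t) bytes_per_item)
        return -1;
    ptrdiff_t size = (ptrdiff_t) nitems * bytes_per_item;  /* proven in range */
    if (size > limit)
        return -1;
    *out = size;
    return 0;
}

/* Copy src into a freshly allocated buffer.  The size is stored only after
   malloc succeeds, so a failed allocation leaves *sd unchanged. */
static int
store_selection(struct selection_data *sd, const unsigned char *src,
                unsigned long nitems, int bytes_per_item)
{
    ptrdiff_t size;
    if (checked_selection_size(nitems, bytes_per_item,
                               MAX_SELECTION_QUANTUM, &size) != 0)
        return -1;                 /* size-calculation overflow or over quantum */
    unsigned char *buf = malloc(size ? (size_t) size : 1);  /* avoid malloc(0) */
    if (!buf)
        return -1;                 /* memory exhaustion: nothing recorded */
    memcpy(buf, src, (size_t) size);
    sd->data = buf;
    sd->size = size;
    return 0;
}

/* Size hint for the X server: an X unsigned long is 32 bits regardless of
   the host's unsigned long, so clamp at X_ULONG_MAX instead of wrapping. */
static unsigned long
size_hint_for_x(ptrdiff_t size)
{
    if (size < 0)
        return 0;
    return (uintmax_t) size > X_ULONG_MAX ? X_ULONG_MAX : (unsigned long) size;
}

/* A host integer fits an X unsigned short only in 0..X_USHRT_MAX; negative
   values such as -1 do not, even though (unsigned short) -1 == 65535. */
static int
fits_x_ushort(long v)
{
    return v >= 0 && (unsigned long) v <= X_USHRT_MAX;
}

int
main(void)
{
    /* Constructed sample: two 4-byte items of property data. */
    const unsigned char sample[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    struct selection_data sd = {NULL, 0};
    if (store_selection(&sd, sample, 2, 4) == 0) {
        printf("stored %td bytes, hint %lu\n", sd.size, size_hint_for_x(sd.size));
        free(sd.data);
    }
    printf("ULONG_MAX items of 4 bytes accepted: %s\n",
           store_selection(&sd, sample, ULONG_MAX, 4) == 0 ? "yes" : "no");
    printf("-1 fits X unsigned short: %s\n", fits_x_ushort(-1) ? "yes" : "no");
    return 0;
}
```

The division-based overflow test is the load-bearing piece: a check written as `nitems * bytes_per_item > limit` can itself wrap and pass, which is the class of defect the commit's "Check for size-calculation overflow" entries address.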