* lread.c (read1): Check for size overflow.

20270765 · Paul Eggert · 437b2cb4 · 20270765 · 20270765
Commit 20270765 authored Jun 22, 2011 by Paul Eggert
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

src/ChangeLog src/ChangeLog +1 -0

src/lread.c src/lread.c +6 -0

No files found.
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -13,6 +13,7 @@
 	(substitute_object_recurse, read_vector, read_list, map_obarray):
 	Use ptrdiff_t, not int, for sizes.
 	(read1): Use EMACS_INT, not int, for sizes.
+	Check for size overflow.

 	* image.c (cache_image): Check for size arithmetic overflow.


--- a/src/lread.c
+++ b/src/lread.c
@@ -2869,6 +2869,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
 	    if (end - p < MAX_MULTIBYTE_LENGTH)
 	      {
 		ptrdiff_t offset = p - read_buffer;
+		if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size)
+		  memory_full (SIZE_MAX);
 		read_buffer = (char *) xrealloc (read_buffer,
 						 read_buffer_size *= 2);
 		p = read_buffer + offset;
@@ -3012,6 +3014,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
 	      if (end - p < MAX_MULTIBYTE_LENGTH)
 		{
 		  ptrdiff_t offset = p - read_buffer;
+		  if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size)
+		    memory_full (SIZE_MAX);
 		  read_buffer = (char *) xrealloc (read_buffer,
 						   read_buffer_size *= 2);
 		  p = read_buffer + offset;
@@ -3039,6 +3043,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
 	  if (p == end)
 	    {
 	      ptrdiff_t offset = p - read_buffer;
+	      if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size)
+		memory_full (SIZE_MAX);
 	      read_buffer = (char *) xrealloc (read_buffer,
 					       read_buffer_size *= 2);
 	      p = read_buffer + offset;