Commit 20270765 authored by Paul Eggert's avatar Paul Eggert

* lread.c (read1): Check for size overflow.

parent 437b2cb4
......@@ -13,6 +13,7 @@
(substitute_object_recurse, read_vector, read_list, map_obarray):
Use ptrdiff_t, not int, for sizes.
(read1): Use EMACS_INT, not int, for sizes.
Check for size overflow.
* image.c (cache_image): Check for size arithmetic overflow.
......
......@@ -2869,6 +2869,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
if (end - p < MAX_MULTIBYTE_LENGTH)
{
ptrdiff_t offset = p - read_buffer;
if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size)
memory_full (SIZE_MAX);
read_buffer = (char *) xrealloc (read_buffer,
read_buffer_size *= 2);
p = read_buffer + offset;
......@@ -3012,6 +3014,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
if (end - p < MAX_MULTIBYTE_LENGTH)
{
ptrdiff_t offset = p - read_buffer;
if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size)
memory_full (SIZE_MAX);
read_buffer = (char *) xrealloc (read_buffer,
read_buffer_size *= 2);
p = read_buffer + offset;
......@@ -3039,6 +3043,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
if (p == end)
{
ptrdiff_t offset = p - read_buffer;
if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size)
memory_full (SIZE_MAX);
read_buffer = (char *) xrealloc (read_buffer,
read_buffer_size *= 2);
p = read_buffer + offset;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment