Rework Fformat to avoid integer overflow issues.
* editfns.c: Include <float.h> unconditionally, as it's everywhere now (part of C89). Include <verify.h>. (MAX_10_EXP, CONVERTED_BYTE_SIZE): Remove; no longer needed. (pWIDE, pWIDElen, signed_wide, unsigned_wide): New defns. (Fformat): Avoid the prepass trying to compute sizes; it was only approximate and thus did not catch overflow reliably. Instead, walk through the format just once, formatting and computing sizes as we go, checking for integer overflow at every step, and allocating a larger buffer as needed. Keep track separately whether the format is multibyte. Keep only the most-recently calculated precision, rather than them all. Record whether each argument has been converted to string. Use EMACS_INT, not int, for byte and char and arg counts. Support field widths and precisions larger than INT_MAX. Avoid sprintf's undefined behavior with conversion specifications such as %#d and %.0c. Fix bug with strchr succeeding on '\0' when looking for flags. Fix bug with (format "%c" 256.0). Avoid integer overflow when formatting out-of-range floating point numbers with int formats. (Bug#8668)
Showing with 548 additions and 383 deletions