Commit 6e1fc452 authored by Paul Eggert

* buffer.c: Memory overflow fixes.

(overlays_at, overlays_in, record_overlay_string, overlay_strings):
Don't update size of array until after memory allocation succeeds,
because xmalloc/xrealloc may not return.
parent bc18e09d
2011-07-28 Paul Eggert <eggert@cs.ucla.edu>
* buffer.c: Memory overflow fixes.
(overlays_at, overlays_in, record_overlay_string, overlay_strings):
Don't update size of array until after memory allocation succeeds,
because xmalloc/xrealloc may not return.
* bidi.c: Integer overflow fix.
(bidi_shelve_header_size): New constant.
(bidi_cache_ensure_space, bidi_shelve_cache): Use it.
......
......@@ -2572,9 +2572,9 @@ overlays_at (EMACS_INT pos, int extend, Lisp_Object **vec_ptr,
memory_full (SIZE_MAX);
/* Make it work with an initial len == 0. */
len = len * 2 + 4;
*len_ptr = len;
vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
*vec_ptr = vec;
*len_ptr = len;
}
else
inhibit_storing = 1;
......@@ -2615,9 +2615,9 @@ overlays_at (EMACS_INT pos, int extend, Lisp_Object **vec_ptr,
memory_full (SIZE_MAX);
/* Make it work with an initial len == 0. */
len = len * 2 + 4;
*len_ptr = len;
vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
*vec_ptr = vec;
*len_ptr = len;
}
else
inhibit_storing = 1;
......@@ -2712,9 +2712,9 @@ overlays_in (EMACS_INT beg, EMACS_INT end, int extend,
memory_full (SIZE_MAX);
/* Make it work with an initial len == 0. */
len = len * 2 + 4;
*len_ptr = len;
vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
*vec_ptr = vec;
*len_ptr = len;
}
else
inhibit_storing = 1;
......@@ -2760,9 +2760,9 @@ overlays_in (EMACS_INT beg, EMACS_INT end, int extend,
memory_full (SIZE_MAX);
/* Make it work with an initial len == 0. */
len = len * 2 + 4;
*len_ptr = len;
vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
*vec_ptr = vec;
*len_ptr = len;
}
else
inhibit_storing = 1;
......@@ -2978,15 +2978,12 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
if (ssl->used == ssl->size)
{
if (min (PTRDIFF_MAX, SIZE_MAX) / (sizeof (struct sortstr) * 2)
< ssl->size)
ptrdiff_t ssl_size = 0 < ssl->size ? ssl->size * 2 : 5;
if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (struct sortstr) < ssl_size)
memory_full (SIZE_MAX);
else if (0 < ssl->size)
ssl->size *= 2;
else
ssl->size = 5;
ssl->buf = ((struct sortstr *)
xrealloc (ssl->buf, ssl->size * sizeof (struct sortstr)));
xrealloc (ssl->buf, ssl_size * sizeof (struct sortstr)));
ssl->size = ssl_size;
}
ssl->buf[ssl->used].string = str;
ssl->buf[ssl->used].string2 = str2;
......@@ -3111,9 +3108,9 @@ overlay_strings (EMACS_INT pos, struct window *w, unsigned char **pstr)
if (total > overlay_str_len)
{
overlay_str_len = total;
overlay_str_buf = (unsigned char *)xrealloc (overlay_str_buf,
total);
overlay_str_len = total;
}
p = overlay_str_buf;
for (i = overlay_tails.used; --i >= 0;)
......
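Review bot: In the record_overlay_string hunk, the new `ptrdiff_t ssl_size = 0 < ssl->size ? ssl->size * 2 : 5;` doubles the size before the bound check runs, whereas the removed check divided the limit by `sizeof (struct sortstr) * 2` and compared it with the undoubled `ssl->size`. The declaration of `ssl->size` is not visible here; if it is a signed type narrower than `ptrdiff_t`, or could ever exceed half of its maximum, the multiplication is signed overflow and the guard that follows tests an already-wrapped value. Testing first keeps the deferred store to `ssl->size` and removes that dependency: `if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (struct sortstr) / 2 < ssl->size) memory_full (SIZE_MAX);`, with `ssl_size` assigned after it. If the current order is kept because an earlier successful allocation already bounds `ssl->size`, a one-line comment stating that invariant would help. The function body starts and continues outside the hunk.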