Fix integer overflow in oversize vectors

* src/alloc.c (allocate_vector): Fix integer overflow when allocating very large vectors, by taking large_vector_offset into account. Assume C99.

Fix integer overflow in oversize vectors
* src/alloc.c (allocate_vector): Fix integer overflow when allocating very large vectors, by taking large_vector_offset into account. Assume C99.
a65c0929 · Paul Eggert · 9b099ce5 · a65c0929
Commit a65c0929 authored Dec 08, 2018 by Paul Eggert
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 5 deletions

src/alloc.c src/alloc.c +4 -5

No files found.
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -3388,12 +3388,11 @@ allocate_vectorlike (ptrdiff_t len)
 struct Lisp_Vector *
 allocate_vector (EMACS_INT len)
 {
-  struct Lisp_Vector *v;
-  ptrdiff_t nbytes_max = min (PTRDIFF_MAX, SIZE_MAX);
-
-  if (min ((nbytes_max - header_size) / word_size, MOST_POSITIVE_FIXNUM) < len)
+  ptrdiff_t wordbytes_max = (min (PTRDIFF_MAX, SIZE_MAX)
+			     - header_size - large_vector_offset);
+  if (min (wordbytes_max / word_size, MOST_POSITIVE_FIXNUM) < len)
    memory_full (SIZE_MAX);
-  v = allocate_vectorlike (len);
+  struct Lisp_Vector *v = allocate_vectorlike (len);
  if (len)
    v->header.size = len;
  return v;