Commit b7b603a0 authored by Paul Eggert's avatar Paul Eggert
Browse files

* xfaces.c: Integer and memory overflow fixes.

(Finternal_make_lisp_face): Use ptrdiff_t, not int, for sizes.
Check for size calculation overflow.
(cache_face): Do not overflow in size calculation.
parent a5a5cbd4
2011-07-29 Paul Eggert <eggert@cs.ucla.edu>
* xfaces.c: Integer and memory overflow fixes.
(Finternal_make_lisp_face): Use ptrdiff_t, not int, for sizes.
Check for size calculation overflow.
(cache_face): Do not overflow in size calculation.
* xdisp.c: Integer and memory overflow fixes.
(store_mode_line_noprop_char, x_consider_frame_title):
Use ptrdiff_t, not int, for sizes.
......
......@@ -2667,8 +2667,13 @@ Value is a vector of face attributes. */)
property `face' of the Lisp face name. */
if (next_lface_id == lface_id_to_name_size)
{
int new_size = max (50, 2 * lface_id_to_name_size);
int sz = new_size * sizeof *lface_id_to_name;
ptrdiff_t new_size, sz;
if (min (min (PTRDIFF_MAX, SIZE_MAX) / 2 / sizeof *lface_id_to_name,
MOST_POSITIVE_FIXNUM)
< lface_id_to_name_size)
memory_full (SIZE_MAX);
new_size = max (50, 2 * lface_id_to_name_size);
sz = new_size * sizeof *lface_id_to_name;
lface_id_to_name = (Lisp_Object *) xrealloc (lface_id_to_name, sz);
lface_id_to_name_size = new_size;
}
......@@ -4411,7 +4416,10 @@ cache_face (struct face_cache *c, struct face *face, unsigned int hash)
if (c->used == c->size)
{
int new_size, sz;
new_size = min (2 * c->size, MAX_FACE_ID);
new_size =
min (2 * c->size,
min (MAX_FACE_ID,
min (PTRDIFF_MAX, SIZE_MAX) / sizeof *c->faces_by_id));
if (new_size == c->size)
abort (); /* Alternatives? ++kfs */
sz = new_size * sizeof *c->faces_by_id;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment