Commit bfbbd7e7 authored by Paul Eggert's avatar Paul Eggert

* lread.c: Integer overflow issues.

(saved_doc_string_size, saved_doc_string_length)
(prev_saved_doc_string_size, prev_saved_doc_string_length):
Now ptrdiff_t, not int.
(read1): Don't assume doc string length fits in int.  Check for
out-of-range doc string lengths.
(read_list): Don't assume file position fits in int.
parent 297dde5a
2011-06-22 Paul Eggert <eggert@cs.ucla.edu>
* lread.c: Integer overflow issues.
(saved_doc_string_size, saved_doc_string_length)
(prev_saved_doc_string_size, prev_saved_doc_string_length):
Now ptrdiff_t, not int.
(read1): Don't assume doc string length fits in int. Check for
out-of-range doc string lengths.
(read_list): Don't assume file position fits in int.
Fixes for GLYPH_DEBUG found by GCC 4.6.0 static checking.
The following patches are for when GLYPH_DEBUG && !XASSERT.
* dispextern.h (trace_redisplay_p, dump_glyph_string):
......
......@@ -120,9 +120,9 @@ static EMACS_INT readchar_count;
/* This contains the last string skipped with #@. */
static char *saved_doc_string;
/* Length of buffer allocated in saved_doc_string. */
static int saved_doc_string_size;
static ptrdiff_t saved_doc_string_size;
/* Length of actual data in saved_doc_string. */
static int saved_doc_string_length;
static ptrdiff_t saved_doc_string_length;
/* This is the file position that string came from. */
static file_offset saved_doc_string_position;
......@@ -131,9 +131,9 @@ static file_offset saved_doc_string_position;
is put in saved_doc_string. */
static char *prev_saved_doc_string;
/* Length of buffer allocated in prev_saved_doc_string. */
static int prev_saved_doc_string_size;
static ptrdiff_t prev_saved_doc_string_size;
/* Length of actual data in prev_saved_doc_string. */
static int prev_saved_doc_string_length;
static ptrdiff_t prev_saved_doc_string_length;
/* This is the file position that string came from. */
static file_offset prev_saved_doc_string_position;
......@@ -2569,13 +2569,16 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
and function definitions. */
if (c == '@')
{
int i, nskip = 0;
enum { extra = 100 };
ptrdiff_t i, nskip = 0;
load_each_byte = 1;
/* Read a decimal integer. */
while ((c = READCHAR) >= 0
&& c >= '0' && c <= '9')
{
if ((STRING_BYTES_BOUND - extra) / 10 <= nskip)
string_overflow ();
nskip *= 10;
nskip += c - '0';
}
......@@ -2594,9 +2597,9 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
with prev_saved_doc_string, so we save two strings. */
{
char *temp = saved_doc_string;
int temp_size = saved_doc_string_size;
ptrdiff_t temp_size = saved_doc_string_size;
file_offset temp_pos = saved_doc_string_position;
int temp_len = saved_doc_string_length;
ptrdiff_t temp_len = saved_doc_string_length;
saved_doc_string = prev_saved_doc_string;
saved_doc_string_size = prev_saved_doc_string_size;
......@@ -2611,12 +2614,12 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
if (saved_doc_string_size == 0)
{
saved_doc_string_size = nskip + 100;
saved_doc_string_size = nskip + extra;
saved_doc_string = (char *) xmalloc (saved_doc_string_size);
}
if (nskip > saved_doc_string_size)
{
saved_doc_string_size = nskip + 100;
saved_doc_string_size = nskip + extra;
saved_doc_string = (char *) xrealloc (saved_doc_string,
saved_doc_string_size);
}
......@@ -3528,7 +3531,7 @@ read_list (int flag, register Lisp_Object readcharfun)
doc string, caller must make it
multibyte. */
int pos = XINT (XCDR (val));
EMACS_INT pos = XINT (XCDR (val));
/* Position is negative for user variables. */
if (pos < 0) pos = -pos;
if (pos >= saved_doc_string_position
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment