Commit c678c835 authored by Paul Eggert's avatar Paul Eggert
Browse files

* xfns.c: Integer and memory overflow fixes.

(x_encode_text, x_set_name_internal, Fx_change_window_property):
Use ptrdiff_t, not int, to count sizes, since they can exceed
INT_MAX in size.  Check for size calculation overflow.
parent b7b603a0
2011-07-29 Paul Eggert <eggert@cs.ucla.edu> 2011-07-29 Paul Eggert <eggert@cs.ucla.edu>
* xfns.c: Integer and memory overflow fixes.
(x_encode_text, x_set_name_internal, Fx_change_window_property):
Use ptrdiff_t, not int, to count sizes, since they can exceed
INT_MAX in size. Check for size calculation overflow.
* xfaces.c: Integer and memory overflow fixes. * xfaces.c: Integer and memory overflow fixes.
(Finternal_make_lisp_face): Use ptrdiff_t, not int, for sizes. (Finternal_make_lisp_face): Use ptrdiff_t, not int, for sizes.
Check for size calculation overflow. Check for size calculation overflow.
......
...@@ -1471,7 +1471,8 @@ x_set_scroll_bar_background (struct frame *f, Lisp_Object value, Lisp_Object old ...@@ -1471,7 +1471,8 @@ x_set_scroll_bar_background (struct frame *f, Lisp_Object value, Lisp_Object old
the result should be `COMPOUND_TEXT'. */ the result should be `COMPOUND_TEXT'. */
static unsigned char * static unsigned char *
x_encode_text (Lisp_Object string, Lisp_Object coding_system, int selectionp, int *text_bytes, int *stringp, int *freep) x_encode_text (Lisp_Object string, Lisp_Object coding_system, int selectionp,
ptrdiff_t *text_bytes, int *stringp, int *freep)
{ {
int result = string_xstring_p (string); int result = string_xstring_p (string);
struct coding_system coding; struct coding_system coding;
...@@ -1489,6 +1490,8 @@ x_encode_text (Lisp_Object string, Lisp_Object coding_system, int selectionp, in ...@@ -1489,6 +1490,8 @@ x_encode_text (Lisp_Object string, Lisp_Object coding_system, int selectionp, in
coding.mode |= (CODING_MODE_SAFE_ENCODING | CODING_MODE_LAST_BLOCK); coding.mode |= (CODING_MODE_SAFE_ENCODING | CODING_MODE_LAST_BLOCK);
/* We suppress producing escape sequences for composition. */ /* We suppress producing escape sequences for composition. */
coding.common_flags &= ~CODING_ANNOTATION_MASK; coding.common_flags &= ~CODING_ANNOTATION_MASK;
if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < SCHARS (string))
memory_full (SIZE_MAX);
coding.dst_bytes = SCHARS (string) * 2; coding.dst_bytes = SCHARS (string) * 2;
coding.destination = (unsigned char *) xmalloc (coding.dst_bytes); coding.destination = (unsigned char *) xmalloc (coding.dst_bytes);
encode_coding_object (&coding, string, 0, 0, encode_coding_object (&coding, string, 0, 0,
...@@ -1512,7 +1515,8 @@ x_set_name_internal (FRAME_PTR f, Lisp_Object name) ...@@ -1512,7 +1515,8 @@ x_set_name_internal (FRAME_PTR f, Lisp_Object name)
BLOCK_INPUT; BLOCK_INPUT;
{ {
XTextProperty text, icon; XTextProperty text, icon;
int bytes, stringp; ptrdiff_t bytes;
int stringp;
int do_free_icon_value = 0, do_free_text_value = 0; int do_free_icon_value = 0, do_free_text_value = 0;
Lisp_Object coding_system; Lisp_Object coding_system;
Lisp_Object encoded_name; Lisp_Object encoded_name;
...@@ -1551,6 +1555,8 @@ x_set_name_internal (FRAME_PTR f, Lisp_Object name) ...@@ -1551,6 +1555,8 @@ x_set_name_internal (FRAME_PTR f, Lisp_Object name)
: FRAME_X_DISPLAY_INFO (f)->Xatom_COMPOUND_TEXT); : FRAME_X_DISPLAY_INFO (f)->Xatom_COMPOUND_TEXT);
text.format = 8; text.format = 8;
text.nitems = bytes; text.nitems = bytes;
if (text.nitems != bytes)
error ("Window name too large");
if (!STRINGP (f->icon_name)) if (!STRINGP (f->icon_name))
{ {
...@@ -1566,6 +1572,8 @@ x_set_name_internal (FRAME_PTR f, Lisp_Object name) ...@@ -1566,6 +1572,8 @@ x_set_name_internal (FRAME_PTR f, Lisp_Object name)
: FRAME_X_DISPLAY_INFO (f)->Xatom_COMPOUND_TEXT); : FRAME_X_DISPLAY_INFO (f)->Xatom_COMPOUND_TEXT);
icon.format = 8; icon.format = 8;
icon.nitems = bytes; icon.nitems = bytes;
if (icon.nitems != bytes)
error ("Icon name too large");
encoded_icon_name = ENCODE_UTF_8 (f->icon_name); encoded_icon_name = ENCODE_UTF_8 (f->icon_name);
} }
...@@ -4194,21 +4202,21 @@ FRAME. Default is to change on the edit X window. */) ...@@ -4194,21 +4202,21 @@ FRAME. Default is to change on the edit X window. */)
if (CONSP (value)) if (CONSP (value))
{ {
ptrdiff_t elsize;
nelements = x_check_property_data (value); nelements = x_check_property_data (value);
if (nelements == -1) if (nelements == -1)
error ("Bad data in VALUE, must be number, string or cons"); error ("Bad data in VALUE, must be number, string or cons");
if (element_format == 8) /* The man page for XChangeProperty:
data = (unsigned char *) xmalloc (nelements); "If the specified format is 32, the property data must be a
else if (element_format == 16) long array."
data = (unsigned char *) xmalloc (nelements*2); This applies even if long is more than 32 bits. The X library
else /* format == 32 */ converts to 32 bits before sending to the X server. */
/* The man page for XChangeProperty: elsize = element_format == 32 ? sizeof (long) : element_format >> 3;
"If the specified format is 32, the property data must be a if (min (PTRDIFF_MAX, SIZE_MAX) / elsize < nelements)
long array." memory_full (SIZE_MAX);
This applies even if long is more than 64 bits. The X library data = (unsigned char *) xmalloc (nelements * elsize);
converts to 32 bits before sending to the X server. */
data = (unsigned char *) xmalloc (nelements * sizeof(long));
x_fill_property_data (FRAME_X_DISPLAY (f), value, data, element_format); x_fill_property_data (FRAME_X_DISPLAY (f), value, data, element_format);
} }
...@@ -4216,7 +4224,9 @@ FRAME. Default is to change on the edit X window. */) ...@@ -4216,7 +4224,9 @@ FRAME. Default is to change on the edit X window. */)
{ {
CHECK_STRING (value); CHECK_STRING (value);
data = SDATA (value); data = SDATA (value);
nelements = SCHARS (value); if (INT_MAX < SBYTES (value))
error ("VALUE too long");
nelements = SBYTES (value);
} }
BLOCK_INPUT; BLOCK_INPUT;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment