GitLab

See, for example <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=9196#26>.

(x_color_cells, handle_one_xevent, x_term_init):
Check for size calculation overflow.
(x_color_cells): Don't store size until memory allocation succeeds.
(handle_one_xevent): Use ptrdiff_t, not int, for byte counts.
(x_term_init): Don't assume length fits in int (sprintf is limited
to int size).

(X_LONG_SIZE, X_USHRT_MAX, X_ULONG_MAX): New macros.
Use them to make the following changes clearer.
(MAX_SELECTION_QUANTUM): Make the other bounds on this value clearer.
This change doesn't affect the value now, but it may help remind
future maintainers not to raise the value too much later.
(SELECTION_QUANTUM): Remove, replacing with ...
(selection_quantum): ... new function, which avoids overflow.
All uses changed.
(struct selection_data.size): Now ptrdiff_t, not int, to avoid
assumption that selection length fits in 'int'.
(x_reply_selection_request, x_handle_selection_request)
(x_get_window_property, receive_incremental_selection)
(x_get_window_property_as_lisp_data, selection_data_to_lisp_data)
(lisp_data_to_selection_data, clean_local_selection_data):
Use ptrdiff_t, not int, to record length of selection.
(x_reply_selection_request, x_get_window_property)
(receive_incremental_selection, x_property_data_to_lisp):
Redo calculations to avoid overflow.
(x_reply_selection_request): When sending hint, ceiling it at
X_ULONG_MAX rather than relying on wraparound overflow to send
something.
(x_get_window_property, receive_incremental_selection)
(lisp_data_to_selection_data, x_property_data_to_lisp):
Check for size-calculation overflow.
(x_get_window_property, receive_incremental_selection)
(lisp_data_to_selection_data, Fx_register_dnd_atom):
Don't store size until memory allocation succeeds.
(x_get_window_property): Plug memory leak on memory exhaustion.
Don't double-block input; malloc is safe here.  Don't assume 2**34
- 4 fits in unsigned long.  Add an xassert to check
XGetWindowProperty overflow.  Be more careful about overflow
calculations, and distinguish size from memory overflow better.
(receive_incremental_selection): When tracing, don't assume
unsigned int is less than INT_MAX.
(x_selection_data_to_lisp_data): Remove unnecessary (and in theory
harmful) conversions of unsigned short to int.
(lisp_data_to_selection_data): Don't assume that integers
in the range -65535 through -1 fit in an X unsigned short.
Don't assume that ULONG_MAX == X_ULONG_MAX.  Don't store into
result parameters unless successful.  Rely on cons_to_unsigned
to report problems with elements; the old code wasn't right anyway.
(x_check_property_data): Check for int overflow; we cannot use
a wider type due to X limits.
(x_handle_dnd_message): Use unsigned int, to avoid int overflow.

(magic_file_p): Plug memory leak on size overflow.
(get_environ_db): Don't assume path length fits in int,
as sprintf is limited to int lengths.

Don't update size until alloc done.

(x_encode_text, x_set_name_internal, Fx_change_window_property):
Use ptrdiff_t, not int, to count sizes, since they can exceed
INT_MAX in size.  Check for size calculation overflow.

(Finternal_make_lisp_face): Use ptrdiff_t, not int, for sizes.
Check for size calculation overflow.
(cache_face): Do not overflow in size calculation.

(store_mode_line_noprop_char, x_consider_frame_title):
Use ptrdiff_t, not int, for sizes.
(store_mode_line_noprop_char): Don't update size until alloc done.

(tparam1): Use ptrdiff_t, not int, for sizes.
Don't update size until alloc done.
Redo size calculations to avoid overflow.
Check for size calculation overflow.

(tgetent): Use ptrdiff_t, not int, to record results of
subtracting pointers.
(gobble_line): Check for overflow more carefully.  Don't update size
until alloc done.

(max_frame_lines): Remove; unused.
(encode_terminal_src_size, encode_terminal_dst_size): Now ptrdiff_t,
not int.
(encode_terminal_code, calculate_costs): Check for size
calculation overflow.
(encode_terminal_code): Use ptrdiff_t, not int, to record glyph
table lengths and related sizes.  Don't update size until alloc
done.  Redo calculations to avoid overflow.
(calculate_costs): Don't bother calling xmalloc when xrealloc will do.

(system_process_attributes): Use ptrdiff_t, not int, for command
line length.  Do not attempt to address one before the beginning
of an array, as that's not portable.

(Freplace_match): Check for size calculation overflow.
(Fset_match_data): Don't assume list lengths fit in 'int'.

(do_line_insertion_deletion_costs): Check for size calculation overflow.
Don't bother calling xmalloc when xrealloc will do.

in size calculation.

Now ptrdiff_t, not int.
* nsterm.m (ns_index_color): Use ptrdiff_t, not int, for table indexes.
(ns_draw_fringe_bitmap): Rewrite to avoid overflow.

on memory overflow.

(Fstart_kbd_macro): Don't update size until alloc done.
(store_kbd_macro_char): Reorder multiplicands to avoid overflow.

(cmm_size, current_minor_maps): Use ptrdiff_t, not int, to count maps.
(current_minor_maps): Check for size calculation overflow.
* keymap.h: Change prototypes to match the above.

(read_char, menu_bar_items, tool_bar_items, read_char_x_menu_prompt)
(read_char_minibuf_menu_width, read_char_minibuf_menu_prompt)
(follow_key, read_key_sequence): Use ptrdiff_t, not int, to count maps.
(read_char_minibuf_menu_prompt): Check for overflow in size
calculations.  Don't update size until allocation succeeds.  Redo
calculations to avoid overflow.
* keyboard.h: Change prototypes to match the above.

(RANGED_INTEGERP, TYPE_RANGED_INTEGERP): Remove; these are duplicate
now that they've been promoted to lisp.h.
(x_allocate_bitmap_record, x_alloc_image_color)
(make_image_cache, cache_image, xpm_load):
Don't update size until alloc is done.
(xpm_load, lookup_rgb_color, lookup_pixel_color, x_to_xcolors)
(x_detect_edges):
Check for size calculation overflow.
(ct_colors_allocated_max): New constant.
(x_to_xcolors, x_detect_edges): Reorder multiplicands to avoid
overflow.

(get_utf8_string, xg_store_widget_in_map):
Check for size-calculation overflow.
(get_utf8_string): Use ptrdiff_t, not size_t, where either will
do, as we prefer signed integers.
(id_to_widget.max_size, id_to_widget.used)
(xg_store_widget_in_map, xg_remove_widget_from_map)
(xg_get_widget_from_map, xg_get_scroll_id_for_window)
(xg_remove_scroll_bar, xg_update_scrollbar_pos):
Use and return ptrdiff_t, not int.
(xg_gtk_scroll_destroy): Don't assume ptrdiff_t fits in int.
* gtkutil.h: Change prototypes to match the above.

(ftfont_get_open_type_spec, setup_otf_gstring, ftfont_shape_by_flt):
Check for integer overflow in size calculations.

This is for the members text_lines, text_cols, total_lines, total_cols,
where the system imposes an 'int' limit.

(set_menu_bar_lines, x_set_frame_parameters, x_set_scroll_bar_width)
(x_figure_window_size): Check for integer overflow.
(x_set_alpha): Do not assume XINT fits in int.

(init_eval_once, grow_specpdl): Don't update size until alloc succeeds.
(call_debugger, grow_specpdl): Redo calculations to avoid overflow.

(set_time_zone_rule): Don't assume environment length fits in int.
(message_length): Now ptrdiff_t, not int.
(Fmessage_box): Don't update size until allocation succeeds.
Don't assume message length fits in int.
(Fformat): Use ptrdiff_t, not EMACS_INT, where ptrdiff_t will do.

(get_doc_string_buffer_size): Now ptrdiff_t, not int.
(get_doc_string): Check for size calculation overflow.
Don't update size until allocation succeeds.
(get_doc_string, Fsubstitute_command_keys): Use ptrdiff_t, not
EMACS_INT, where ptrdiff_t will do.
(Fsubstitute_command_keys): Check for string overflow.

* dispextern.h (struct glyph_pool.nglyphs): Now ptrdiff_t, not int.
* dispnew.c (adjust_glyph_matrix, realloc_glyph_pool, scrolling_window):
Check for overflow in size calculations.
(line_draw_cost, realloc_glyph_pool, add_row_entry):
Don't assume glyph table len fits in int.
(struct row_entry.bucket, row_entry_pool_size, row_entry_idx)
(row_table_size): Now ptrdiff_t, not int.
(scrolling_window): Avoid overflow in size calculations.
Don't update size until allocation succeeds.
* fns.c (concat): Check for overflow in size calculations.
(next_almost_prime): Verify NEXT_ALMOST_PRIME_LIMIT.
* lisp.h (RANGED_INTEGERP, TYPE_RANGED_INTEGERP): New macros.
(NEXT_ALMOST_PRIME_LIMIT): New constant.

(get_composition_id): Check for overflow in glyph length calculations.

(produce_chars): Redo buffer-overflow calculations to avoid
unnecessary integer overflow.  Check for size overflow.
(encode_coding_object): Don't update size until xmalloc succeeds.