git.eshelyaron.com Git - emacs.git/commit

author	Paul Eggert <eggert@cs.ucla.edu>
	Sat, 20 Jul 2024 22:52:05 +0000 (15:52 -0700)
committer	Eshel Yaron <me@eshelyaron.com>
	Mon, 22 Jul 2024 10:38:28 +0000 (12:38 +0200)
commit	e0f50bd4c392746fc261b89523baf1e442cbff3a
tree	9d6780bc9ffa74af3f051da41ccaa57cdf89a6f5	tree \| snapshot
parent	2e25f5b062dd6d2657ea8773ff04ad21c10b555a	commit \| diff

Fix bool vector length overflow

* src/alloc.c (make_clear_bool_vector): It’s now the caller’s
responsibility to make sure the bool vector length is in range.
Add an eassert to double-check this. This lets some locals be
ptrdiff_t not EMACS_INT.
(Fmake_bool_vector, Fbool_vector):
Check that bool vector lengths are in range.
* src/lisp.h (BOOL_VECTOR_LENGTH_MAX): New macro.
(bool_vector_words, bool_vector_bytes): Avoid undefined
behavior if size == EMACS_INT_MAX - (BITS_PER_BITS_WORD - 1).
This is mostly theoretical but it’s easy to do it right.
* src/lread.c (read_bool_vector): Use EMACS_INT, not just ptrdiff_t.
Check that length doesn’t exceed BOOL_VECTOR_LENGTH_MAX.
This fixes an unlikely integer overflow where the calculated size
went negative.

(cherry picked from commit 515e5ad0de133f0a3d501bd6290ccc51d8462955)

src/alloc.c		diff \| blob \| history
src/lisp.h		diff \| blob \| history
src/lread.c		diff \| blob \| history