* character.c (Fstring): Check for size-calculation overflow.

author Paul Eggert <eggert@cs.ucla.edu>

Thu, 28 Jul 2011 20:30:20 +0000 (13:30 -0700)

committer Paul Eggert <eggert@cs.ucla.edu>

Thu, 28 Jul 2011 20:30:20 +0000 (13:30 -0700)
author Paul Eggert <eggert@cs.ucla.edu>
Thu, 28 Jul 2011 20:30:20 +0000 (13:30 -0700)
committer Paul Eggert <eggert@cs.ucla.edu>
Thu, 28 Jul 2011 20:30:20 +0000 (13:30 -0700)
diff --git a/src/ChangeLog b/src/ChangeLog

index b35f5607619c9a41c4e8fef36d3ae19d58402dfd..9f50e928fac9997c7176d70549ff1016a6c4bc68 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,7 @@
  2011-07-28  Paul Eggert  <eggert@cs.ucla.edu>
  
+       * character.c (Fstring): Check for size-calculation overflow.
+
         * ccl.c: Integer and memory overflow fixes.
         (Fccl_execute_on_string): Check for memory overflow.
         Use ptrdiff_t rather than EMACS_INT where ptrdiff_t will do.
diff --git a/src/character.c b/src/character.c

index 5e2eccf54dbf7de58e19b4c523d469f2d6e5823e..50b5b252871fb316bbd43f2d99b81cadf1eb372a 100644 (file)
--- a/src/character.c
+++ b/src/character.c
@@ -902,6 +902,8 @@ usage: (string &rest CHARACTERS)  */)
    Lisp_Object str;
    USE_SAFE_ALLOCA;
  
+  if (min (PTRDIFF_MAX, SIZE_MAX) / MAX_MULTIBYTE_LENGTH < n)
+    memory_full (SIZE_MAX);
    SAFE_ALLOCA (buf, unsigned char *, MAX_MULTIBYTE_LENGTH * n);
    p = buf;
author	Paul Eggert <eggert@cs.ucla.edu>
	Thu, 28 Jul 2011 20:30:20 +0000 (13:30 -0700)
committer	Paul Eggert <eggert@cs.ucla.edu>
	Thu, 28 Jul 2011 20:30:20 +0000 (13:30 -0700)
src/ChangeLog		patch \| blob \| history
src/character.c		patch \| blob \| history