Make vmessage a bit safer

* src/xdisp.c (vmessage): Avoid undefined behavior if
FRAME_MESSAGE_BUF_SIZE (f) is zero, or if doprnt generates output
containing only encoding errors.  Although it’s not clear whether
either is possible, it is better to be safe.  Also, clarify via a
new local message_bufsize.

(cherry picked from commit 8e7588a2675655b88dc3ac5b7ed46ab6f1b891ec)

diff --git a/src/xdisp.c b/src/xdisp.c
index fac1d53ff128159ac61165514cbc75c2986d1779..0e1311d1db8cb74f6bd94fa23aee2669851fd3b0 100644 (file)
--- a/src/xdisp.c
+++ b/src/xdisp.c
@@ -12586,17 +12586,18 @@ vmessage (const char *m, va_list ap)
            {
              ptrdiff_t len;
              ptrdiff_t maxsize = FRAME_MESSAGE_BUF_SIZE (f);
+             ptrdiff_t message_bufsize = maxsize + MAX_MULTIBYTE_LENGTH;
              USE_SAFE_ALLOCA;
-             char *message_buf = SAFE_ALLOCA (maxsize + MAX_MULTIBYTE_LENGTH);
+             char *message_buf = SAFE_ALLOCA (message_bufsize);
 
-             len = doprnt (message_buf, maxsize + MAX_MULTIBYTE_LENGTH, m, 0, ap);
+             len = doprnt (message_buf, message_bufsize, m, 0, ap);
              /* doprnt returns the buffer size minus one when it
                 truncated a multibyte sequence.  Work around that by
                 truncating to the last valid multibyte head.  */
-             if (len >= maxsize)
+             if (0 < maxsize && maxsize <= len)
                {
                  len = maxsize - 1;
-                 while (!CHAR_HEAD_P (message_buf[len]))
+                 while (0 < len && !CHAR_HEAD_P (message_buf[len]))
                    len--;
                  message_buf[len] = 0;
                }