* xdisp.c: Integer and memory overflow fixes.

(store_mode_line_noprop_char, x_consider_frame_title):
Use ptrdiff_t, not int, for sizes.
(store_mode_line_noprop_char): Don't update size until alloc done.

diff --git a/src/ChangeLog b/src/ChangeLog
index 144ec31c518975d1401f25d5f85f8d25cb57c7df..a7bc6bdd4618bd3d7bdb528260362239cfd0c693 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,10 @@
 2011-07-29  Paul Eggert  <eggert@cs.ucla.edu>
 
+       * xdisp.c: Integer and memory overflow fixes.
+       (store_mode_line_noprop_char, x_consider_frame_title):
+       Use ptrdiff_t, not int, for sizes.
+       (store_mode_line_noprop_char): Don't update size until alloc done.
+
        * tparam.c: Integer and memory overflow fixes.
        (tparam1): Use ptrdiff_t, not int, for sizes.
        Don't update size until alloc done.

diff --git a/src/xdisp.c b/src/xdisp.c
index 55296db0b8fb2bb30d40b8b575e36917bebe4b0b..92a7b2008467bc549b03863cf13449cf0320ef27 100644 (file)
--- a/src/xdisp.c
+++ b/src/xdisp.c
@@ -10252,8 +10252,12 @@ store_mode_line_noprop_char (char c)
      double the buffer's size.  */
   if (mode_line_noprop_ptr == mode_line_noprop_buf_end)
     {
-      int len = MODE_LINE_NOPROP_LEN (0);
-      int new_size = 2 * len * sizeof *mode_line_noprop_buf;
+      ptrdiff_t len = MODE_LINE_NOPROP_LEN (0);
+      ptrdiff_t new_size;
+
+      if (STRING_BYTES_BOUND / 2 < len)
+       memory_full (SIZE_MAX);
+      new_size = 2 * len;
       mode_line_noprop_buf = (char *) xrealloc (mode_line_noprop_buf, new_size);
       mode_line_noprop_buf_end = mode_line_noprop_buf + new_size;
       mode_line_noprop_ptr = mode_line_noprop_buf + len;
@@ -10317,9 +10321,9 @@ x_consider_frame_title (Lisp_Object frame)
       /* Do we have more than one visible frame on this X display?  */
       Lisp_Object tail;
       Lisp_Object fmt;
-      int title_start;
+      ptrdiff_t title_start;
       char *title;
-      int len;
+      ptrdiff_t len;
       struct it it;
       int count = SPECPDL_INDEX ();