Fix integer overflow in oversize vectors

* src/alloc.c (allocate_vector): Fix integer overflow when
allocating very large vectors, by taking large_vector_offset
into account.  Assume C99.

diff --git a/src/alloc.c b/src/alloc.c
index 596de3af85e27e4f559bb910e84a23df742cd6b4..8eaa810e53ad64e8e1ac05a7f17d27ad10a051f8 100644 (file)
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -3388,12 +3388,11 @@ allocate_vectorlike (ptrdiff_t len)
 struct Lisp_Vector *
 allocate_vector (EMACS_INT len)
 {
-  struct Lisp_Vector *v;
-  ptrdiff_t nbytes_max = min (PTRDIFF_MAX, SIZE_MAX);
-
-  if (min ((nbytes_max - header_size) / word_size, MOST_POSITIVE_FIXNUM) < len)
+  ptrdiff_t wordbytes_max = (min (PTRDIFF_MAX, SIZE_MAX)
+                            - header_size - large_vector_offset);
+  if (min (wordbytes_max / word_size, MOST_POSITIVE_FIXNUM) < len)
     memory_full (SIZE_MAX);
-  v = allocate_vectorlike (len);
+  struct Lisp_Vector *v = allocate_vectorlike (len);
   if (len)
     v->header.size = len;
   return v;