Don't update size until alloc done.
2011-07-29 Paul Eggert <eggert@cs.ucla.edu>
+ * xgselect.c (xg_select): Check for size calculation overflow.
+ Don't update size until alloc done.
+
* xfns.c: Integer and memory overflow fixes.
(x_encode_text, x_set_name_internal, Fx_change_window_property):
Use ptrdiff_t, not int, to count sizes, since they can exceed
do {
if (n_gfds > gfds_size)
{
- while (n_gfds > gfds_size)
- gfds_size *= 2;
+ int gfds_size_max =
+ min (INT_MAX, min (PTRDIFF_MAX, SIZE_MAX) / sizeof *gfds);
+ int size;
+ if (gfds_size_max / 2 < n_gfds)
+ memory_full (SIZE_MAX);
+ size = 2 * n_gfds;
+ gfds_size = 0;
xfree (gfds);
- gfds = xmalloc (sizeof (*gfds) * gfds_size);
+ gfds = xmalloc (sizeof *gfds * size);
+ gfds_size = size;
}
n_gfds = g_main_context_query (context,
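Review bot: After `xfree (gfds);` the pointer still holds the freed address while `gfds_size` has been reset to 0, so a failing `xmalloc` that exits non-locally (its failure path is not visible here) would leave a dangling pointer paired with size 0. If `gfds` and `gfds_size` persist across calls, as the "don't update size until alloc done" ordering suggests, the next resize would hand that stale pointer to `xfree` a second time, which is a double free. Adding `gfds = NULL;` directly after `xfree (gfds);` would make the failed state safe to re-enter. The enclosing `do` loop and function begin and end outside this hunk, so the declarations of `gfds` and `gfds_size` could not be checked.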