Don't set bidi_cache_size until after xrealloc returns, because it
might not return.
(bidi_dump_cached_states): Use ptrdiff_t, not int, to avoid overflow.
+ (bidi_cache_ensure_space): Also check that the bidi cache size
+ does not exceed that of the largest Lisp string or buffer. See Eli
+ Zaretskii in <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=9079#29>.
* alloc.c (__malloc_size_t): Remove.
All uses replaced by size_t. See Andreas Schwab's note
if (idx >= bidi_cache_size)
{
ptrdiff_t new_size;
- ptrdiff_t max_size =
- min (PTRDIFF_MAX, SIZE_MAX) / elsz / BIDI_CACHE_CHUNK * BIDI_CACHE_CHUNK;
- if (max_size <= idx)
+
+ /* The bidi cache cannot be larger than the largest Lisp string
+ or buffer. */
+ ptrdiff_t string_or_buffer_bound =
+ max (BUF_BYTES_MAX, STRING_BYTES_BOUND);
+
+ /* Also, it cannot be larger than what C can represent. */
+ ptrdiff_t c_bound = min (PTRDIFF_MAX, SIZE_MAX) / elsz;
+
+ if (min (string_or_buffer_bound, c_bound) <= idx)
memory_full (SIZE_MAX);
new_size = idx - idx % BIDI_CACHE_CHUNK + BIDI_CACHE_CHUNK;
bidi_cache = (struct bidi_it *) xrealloc (bidi_cache, new_size * elsz);
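Review bot: the new `c_bound` drops the rounding to a multiple of `BIDI_CACHE_CHUNK` that the removed `max_size` had, so the check `min (string_or_buffer_bound, c_bound) <= idx` only guarantees `idx < c_bound`, while `new_size = idx - idx % BIDI_CACHE_CHUNK + BIDI_CACHE_CHUNK` can be up to `BIDI_CACHE_CHUNK` larger than `idx`; for an `idx` just below `c_bound`, `new_size * elsz` can then exceed `min (PTRDIFF_MAX, SIZE_MAX)` and the multiplication passed to `xrealloc` wraps. Either keep the old rounding, e.g. `ptrdiff_t c_bound = min (PTRDIFF_MAX, SIZE_MAX) / elsz / BIDI_CACHE_CHUNK * BIDI_CACHE_CHUNK;`, or compute `new_size` first and compare it (not `idx`) against the bounds before calling `xrealloc`. The `string_or_buffer_bound` comparison has the same off-by-a-chunk slack, which is harmless for the Lisp limit but worth a comment.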