From: Paul Eggert Date: Tue, 19 Jul 2011 20:33:28 +0000 (-0700) Subject: Merge from trunk. X-Git-Tag: emacs-pretest-24.0.90~104^2~152^2~134^2 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=0d8de0fd0a5a63cc9558b5c99f9c7f1ddcaf338a;p=emacs.git Merge from trunk. --- 0d8de0fd0a5a63cc9558b5c99f9c7f1ddcaf338a diff --cc src/ChangeLog index 506396e9583,e098e536efb..b72de32ffc3 --- a/src/ChangeLog +++ b/src/ChangeLog @@@ -1,202 -1,51 +1,250 @@@ - 2011-07-17 Paul Eggert ++2011-07-19 Paul Eggert + + Integer signedness and overflow and related fixes. (Bug#9079) + + * bidi.c: Integer size and overflow fixes. + (bidi_cache_size, bidi_cache_idx, bidi_cache_last_idx) + (bidi_cache_start, bidi_cache_fetch_state, bidi_cache_search) + (bidi_cache_find_level_change, bidi_cache_ensure_space) + (bidi_cache_iterator_state, bidi_cache_find, bidi_cache_start_stack) + (bidi_find_other_level_edge): + Use ptrdiff_t instead of EMACS_INT where either will do. + This works better on 32-bit hosts configured --with-wide-int. + (bidi_cache_ensure_space): Check for size-calculation overflow. + Use % rather than repeated addition, for better worst-case speed. + Don't set bidi_cache_size until after xrealloc returns, because it + might not return. + (bidi_dump_cached_states): Use ptrdiff_t, not int, to avoid overflow. + (bidi_cache_ensure_space): Also check that the bidi cache size + does not exceed that of the largest Lisp string or buffer. See Eli + Zaretskii in . + + * alloc.c (__malloc_size_t): Remove. + All uses replaced by size_t. See Andreas Schwab's note + . + + * image.c: Improve checking for integer overflow. + (check_image_size): Assume that f is nonnull, since + it is always nonnull in practice. This is one less thing to + worry about when checking for integer overflow later. + (x_check_image_size): New function, which checks for integer + overflow issues inside X. + (x_create_x_image_and_pixmap, xbm_read_bitmap_data): Use it. + This removes the need for a memory_full check. + (xbm_image_p): Rewrite to avoid integer multiplication overflow. + (Create_Pixmap_From_Bitmap_Data, xbm_load): Use x_check_image_size. + (xbm_read_bitmap_data): Change locals back to 'int', since + their values must fit in 'int'. + (xpm_load_image, png_load, tiff_load): + Invoke x_create_x_image_and_pixmap earlier, + to avoid much needless work if the image is too large. + (tiff_load): Treat overly large images as if + x_create_x_image_and_pixmap failed, not as malloc failures. + (gs_load): Use x_check_image_size. + + * gtkutil.c: Omit integer casts. + (xg_get_pixbuf_from_pixmap): Remove unnecessary cast. + (xg_set_toolkit_scroll_bar_thumb): Rewrite to avoid need for cast. + + * image.c (png_load): Don't assume height * row_bytes fits in 'int'. + + * xfaces.c (Fbitmap_spec_p): Fix integer overflow bug. + Without this fix, (bitmap-spec-p '(34359738368 1 "x")) + would wrongly return t on a 64-bit host. + + * dispnew.c (init_display): Use *_RANGE_OVERFLOW macros. + The plain *_OVERFLOW macros run afoul of GCC bug 49705 + + and therefore cause GCC to emit a bogus diagnostic in some cases. + + * image.c: Integer signedness and overflow and related fixes. + This is not an exhaustive set of fixes, but it's time to + record what I've got. + (lookup_pixel_color, check_image_size): Remove redundant decls. + (check_image_size): Don't assume that arbitrary EMACS_INT values + fit in 'int', or that arbitrary 'double' values fit in 'int'. + (x_alloc_image_color, x_create_x_image_and_pixmap, png_load) + (tiff_load, imagemagick_load_image): + Check for overflow in size calculations. + (x_create_x_image_and_pixmap): Remove unnecessary test for + xmalloc returning NULL; that can't happen. + (xbm_read_bitmap_data): Don't assume sizes fit into 'int'. + (xpm_color_bucket): Use better integer hashing function. + (xpm_cache_color): Don't possibly over-allocate memory. + (struct png_memory_storage, tiff_memory_source, tiff_seek_in_memory) + (gif_memory_source): + Use ptrdiff_t, not int or size_t, to record sizes. + (png_load): Don't assume values greater than 2**31 fit in 'int'. + (our_stdio_fill_input_buffer): Prefer ptrdiff_t to size_t when + either works, as we prefer signed integers. + (tiff_read_from_memory, tiff_write_from_memory): + Return tsize_t, not size_t, since that's what the TIFF API wants. + (tiff_read_from_memory): Don't fail simply because the read would + go past EOF; instead, return a short read. + (tiff_load): Omit no-longer-needed casts. + (Fimagemagick_types): Don't assume size fits into 'int'. + + Improve hashing quality when configured --with-wide-int. + * fns.c (hash_string): New function, taken from sxhash_string. + Do not discard information about ASCII character case; this + discarding is no longer needed. + (sxhash-string): Use it. Change sig to match it. Caller changed. + * lisp.h: Declare it. + * lread.c (hash_string): Remove, since we now use fns.c's version. + The fns.c version returns a wider integer if --with-wide-int is + specified, so this should help the quality of the hashing a bit. + + * emacs.c: Integer overflow minor fix. + (heap_bss_diff): Now uprintmax_t, not unsigned long. All used changed. + Define only if GNU_LINUX. + (main, Fdump_emacs): Set and use heap_bss_diff only if GNU_LINUX. + + * dispnew.c: Integer signedness and overflow fixes. + Remove unnecessary forward decls, that were a maintenance hassle. + (history_tick): Now uprintmax_t, so it's more likely to avoid overflow. + All uses changed. + (adjust_glyph_matrix, realloc_glyph_pool, adjust_frame_message_buffer) + (scrolling_window): Use ptrdiff_t, not int, for byte count. + (prepare_desired_row, line_draw_cost): + Use int, not unsigned, where either works. + (save_current_matrix, restore_current_matrix): + Use ptrdiff_t, not size_t, where either works. + (init_display): Check for overflow more accurately, and without + relying on undefined behavior. + + * editfns.c (pWIDE, pWIDElen, signed_wide, unsigned_wide): + Remove, replacing with the new symbols in lisp.h. All uses changed. + * fileio.c (make_temp_name): + * filelock.c (lock_file_1, lock_file): + * xdisp.c (message_dolog): + Don't assume PRIdMAX etc. works; this isn't portable to pre-C99 hosts. + Use pMd etc. instead. + * lisp.h (printmax_t, uprintmax_t, pMd, pMu): New types and macros, + replacing the pWIDE etc. symbols removed from editfns.c. + + * keyboard.h (num_input_events): Now uintmax_t. + This is (very slightly) less likely to mess up due to wraparound. + All uses changed. + + * buffer.c: Integer signedness fixes. + (alloc_buffer_text, enlarge_buffer_text): + Use ptrdiff_t rather than size_t when either will do, as we prefer + signed integers. + + * alloc.c: Integer signedness and overflow fixes. + Do not impose an arbitrary 32-bit limit on malloc sizes when debugging. + (__malloc_size_t): Default to size_t, not to int. + (pure_size, pure_bytes_used_before_overflow, stack_copy_size) + (Fgarbage_collect, mark_object_loop_halt, mark_object): + Prefer ptrdiff_t to size_t when either would do, as we prefer + signed integers. + (XMALLOC_OVERRUN_CHECK_OVERHEAD): New macro. + (xmalloc_overrun_check_header, xmalloc_overrun_check_trailer): + Now const. Initialize with values that are in range even if char + is signed. + (XMALLOC_PUT_SIZE, XMALLOC_GET_SIZE): Remove, replacing with ... + (xmalloc_put_size, xmalloc_get_size): New functions. All uses changed. + These functions do the right thing with sizes > 2**32. + (check_depth): Now ptrdiff_t, not int. + (overrun_check_malloc, overrun_check_realloc, overrun_check_free): + Adjust to new way of storing sizes. Check for size overflow bugs + in rest of code. + (STRING_BYTES_MAX): Adjust to new overheads. The old code was + slightly wrong anyway, as it missed one instance of + XMALLOC_OVERRUN_CHECK_OVERHEAD. + (refill_memory_reserve): Omit needless cast to size_t. + (mark_object_loop_halt): Mark as externally visible. + + * xselect.c: Integer signedness and overflow fixes. + (Fx_register_dnd_atom, x_handle_dnd_message): + Use ptrdiff_t, not size_t, since we prefer signed. + (Fx_register_dnd_atom): Check for ptrdiff_t (and size_t) overflow. + * xterm.h (struct x_display_info): Use ptrdiff_t, not size_t, for + x_dnd_atoms_size and x_dnd_atoms_length. + + * doprnt.c: Prefer signed to unsigned when either works. + * eval.c (verror): + * doprnt.c (doprnt): + * lisp.h (doprnt): + * xdisp.c (vmessage): + Use ptrdiff_t, not size_t, when using or implementing doprnt, + since the sizes cannot exceed ptrdiff_t bounds anyway, and we + prefer signed arithmetic to avoid comparison confusion. + * doprnt.c (doprnt): Avoid a "+ 1" that can't overflow, + but is a bit tricky. + + Assume freestanding C89 headers, string.h, stdlib.h. + * data.c, doprnt.c, floatfns.c, print.c: + Include float.h unconditionally. + * gmalloc.c: Assume C89-at-least behavior for preprocessor, + limits.h, stddef.h, string.h. Use memset instead of 'flood'. + * regex.c: Likewise for stddef.h, string.h. + (ISASCII): Remove; can assume it returns 1 now. All uses removed. + * s/aix4-2.h (HAVE_STRING_H): Remove obsolete undef. + * s/ms-w32.h (HAVE_LIMITS_H, HAVE_STRING_H, HAVE_STDLIB_H) + (STDC_HEADERS): Remove obsolete defines. + * sysdep.c: Include limits.h unconditionally. + + Assume support for memcmp, memcpy, memmove, memset. + * lisp.h, sysdep.c (memcmp, memcpy, memmove, memset): + * regex.c (memcmp, memcpy): + Remove; we assume C89 now. + + * gmalloc.c (memcpy, memset, memmove): Remove; we assume C89 now. + (__malloc_safe_bcopy): Remove; no longer needed. + + * lisp.h (struct vectorlike_header, struct Lisp_Subr): Signed sizes. + Use EMACS_INT, not EMACS_UINT, for sizes. The code works equally + well either way, and we prefer signed to unsigned. + + 2011-07-19 Paul Eggert + + Port to OpenBSD. + See http://lists.gnu.org/archive/html/emacs-devel/2011-07/msg00688.html + and the surrounding thread. + * minibuf.c (read_minibuf_noninteractive): Rewrite to use getchar + rather than fgets, and retry after EINTR. Otherwise, 'emacs + --batch -f byte-compile-file' fails on OpenBSD if an inactivity + timer goes off. + * s/openbsd.h (BROKEN_SIGIO): Define. + * unexelf.c (unexec) [__OpenBSD__]: + Don't update the .mdebug section of the Alpha COFF symbol table. + + 2011-07-19 Lars Magne Ingebrigtsen + + * lread.c (syms_of_lread): Clarify when `lexical-binding' is used + (bug#8460). + + 2011-07-18 Paul Eggert + + * fileio.c (Fcopy_file) [!MSDOS]: Tighten created file's mask. + This fixes some race conditions on the permissions of any newly + created file. + + * alloc.c (valid_pointer_p): Use pipe, not open. + This fixes some permissions issues when debugging. + + * fileio.c (Fcopy_file): Adjust mode if fchown fails. (Bug#9002) + If fchown fails to set both uid and gid, try to set just gid, + as that is sometimes allowed. Adjust the file's mode to eliminate + setuid or setgid bits that are inappropriate if fchown fails. + + 2011-07-18 Stefan Monnier + + * xdisp.c (next_element_from_string, next_element_from_buffer): Use EQ + to compare Lisp_Objects. + * gnutls.c (syms_of_gnutls): Rename Vgnutls_log_level to + global_gnutls_log_level, don't mistake it for a Lisp_Object. + (init_gnutls_functions, emacs_gnutls_handle_error): Fix up uses. + + 2011-07-17 Andreas Schwab + + * lread.c (read_integer): Unread even EOF character. + (read1): Likewise. Properly record start position of symbol. + + * lread.c (read1): Read `#:' as empty uninterned symbol if no + symbol character follows. + 2011-07-17 Paul Eggert * fileio.c (Fcopy_file): Pacify gcc re fchown. (Bug#9002)