From: Eli Zaretskii Date: Fri, 29 Apr 2011 19:47:29 +0000 (+0300) Subject: Lift the MOST_POSITIVE_FIXNUM/4 limitation on visited files (bug#8528). X-Git-Tag: emacs-pretest-24.0.90~104^2~275^2~169 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=15cbd324fd48e47abd57b8d92c3406c866169d21;p=emacs.git Lift the MOST_POSITIVE_FIXNUM/4 limitation on visited files (bug#8528). src/fileio.c (Finsert_file_contents): Don't limit file size to 1/4 of MOST_POSITIVE_FIXNUM. src/coding.c (coding_alloc_by_realloc): Error out if destination will grow beyond MOST_POSITIVE_FIXNUM. (decode_coding_emacs_mule): Abort if there isn't enough place in charbuf for the composition carryover bytes. Reserve an extra space for up to 2 characters produced in a loop. (decode_coding_iso_2022): Abort if there isn't enough place in charbuf for the composition carryover bytes.
---
diff --git a/src/ChangeLog b/src/ChangeLog
index 14d5ac9de48..7bfb291707b 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,4 +1,18 @@
-2011-04-29 Eli Zaretskii
+2011-04-21 Eli Zaretskii
+
+ Lift the MOST_POSITIVE_FIXNUM/4 limitation on visited files.
+ * fileio.c (Finsert_file_contents): Don't limit file size to 1/4
+ of MOST_POSITIVE_FIXNUM. (Bug#8528)
+
+ * coding.c (coding_alloc_by_realloc): Error out if destination
+ will grow beyond MOST_POSITIVE_FIXNUM.
+ (decode_coding_emacs_mule): Abort if there isn't enough place in
+ charbuf for the composition carryover bytes. Reserve an extra
+ space for up to 2 characters produced in a loop.
+ (decode_coding_iso_2022): Abort if there isn't enough place in
+ charbuf for the composition carryover bytes.
+
+2011-04-21 Eli Zaretskii
 * doprnt.c (doprnt) [!HAVE_LONG_LONG_INT]: Error out instead of aborting when %lld or %lll format is passed.
diff --git a/src/coding.c b/src/coding.c
index c129c94203c..d17346efdcb 100644
--- a/src/coding.c
+++ b/src/coding.c
@@ -1071,6 +1071,8 @@ coding_set_destination (struct coding_system *coding)
 static void
 coding_alloc_by_realloc (struct coding_system *coding, EMACS_INT bytes)
 {
+ if (coding->dst_bytes >= MOST_POSITIVE_FIXNUM - bytes)
+ error ("Maximum size of buffer or string exceeded");
 coding->destination = (unsigned char *) xrealloc (coding->destination,
 coding->dst_bytes + bytes);
 coding->dst_bytes += bytes;
@@ -2333,7 +2335,9 @@ decode_coding_emacs_mule (struct coding_system *coding)
 /* We may produce two annotations (charset and composition) in one loop and one more charset annotation at the end. */
 int *charbuf_end
- = coding->charbuf + coding->charbuf_size - (MAX_ANNOTATION_LENGTH * 3);
+ = coding->charbuf + coding->charbuf_size - (MAX_ANNOTATION_LENGTH * 3)
+ /* We can produce up to 2 characters in a loop. */
+ - 1;
 EMACS_INT consumed_chars = 0, consumed_chars_base;
 int multibytep = coding->src_multibyte;
 EMACS_INT char_offset = coding->produced_char;
@@ -2348,6 +2352,8 @@ decode_coding_emacs_mule (struct coding_system *coding)
 {
 int i;
+ if (charbuf_end - charbuf < cmp_status->length)
+ abort ();
 for (i = 0; i < cmp_status->length; i++)
 *charbuf++ = cmp_status->carryover[i];
 coding->annotated = 1;
@@ -3479,6 +3485,8 @@ decode_coding_iso_2022 (struct coding_system *coding)
 if (cmp_status->state != COMPOSING_NO)
 {
+ if (charbuf_end - charbuf < cmp_status->length)
+ abort ();
 for (i = 0; i < cmp_status->length; i++)
 *charbuf++ = cmp_status->carryover[i];
 coding->annotated = 1;
diff --git a/src/fileio.c b/src/fileio.c
index dcba6b6c0ae..7e6fd8c82a8 100644
--- a/src/fileio.c
+++ b/src/fileio.c
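Review bot: The new guard in coding_alloc_by_realloc rejects `dst_bytes + bytes == MOST_POSITIVE_FIXNUM` (it uses `>=`), while the fileio.c hunk in the same commit accepts `st_size == MOST_POSITIVE_FIXNUM`; if the two boundaries are meant to differ a comment should say why, otherwise `if (coding->dst_bytes > MOST_POSITIVE_FIXNUM - bytes)` would make them agree. Either way the line needs a why-comment, e.g. `/* The destination becomes a buffer or string, so its size must stay representable as a fixnum.  */`, since as written it reads as an arbitrary cutoff. The check also silently assumes `bytes` is non-negative, which looks true for the callers but is not stated. The closing brace of coding_alloc_by_realloc is outside the hunk.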
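Review bot: The added `abort ()` in decode_coding_emacs_mule (and the identical one in the decode_coding_iso_2022 hunk below) turns a failed bound check on the carryover flush into a process crash, and nothing in the hunk says whether the condition is an internal invariant or something a malformed input could reach. If `cmp_status->length` is bounded by the size of the carryover array and charbuf is at the start of the buffer when this runs, abort is the right tool, but that reasoning should be recorded next to the check, e.g. `/* The carryover was saved by the previous call and always fits at the start of charbuf; reaching this is a coding.c bug, not bad input.  */`. If that cannot be guaranteed, signalling with `error ()` as coding_alloc_by_realloc now does is the safer choice, because a decoder fed from file contents should not be able to terminate Emacs. Both enclosing functions start and end outside their hunks.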
@@ -3245,15 +3245,10 @@ variable `last-coding-system-used' to the coding system actually used. */)
 record_unwind_protect (close_file_unwind, make_number (fd));
- /* Arithmetic overflow can occur if an Emacs integer cannot represent the
- file size, or if the calculations below overflow. The calculations below
- double the file size twice, so check that it can be multiplied by 4
- safely.
-
- Also check whether the size is negative, which can happen on a platform
- that allows file sizes greater than the maximum off_t value. */
+ /* Check whether the size is too large or negative, which can happen on a
+ platform that allows file sizes greater than the maximum off_t value. */
 if (! not_regular
- && ! (0 <= st.st_size && st.st_size <= MOST_POSITIVE_FIXNUM / 4))
+ && ! (0 <= st.st_size && st.st_size <= MOST_POSITIVE_FIXNUM))
 error ("Maximum buffer size exceeded");
 /* Prevent redisplay optimizations. */
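Review bot: The replacement comment drops the explanation of why the `/ 4` existed (the calculations below double the file size twice) without saying where that overflow concern now lives, so a reader of Finsert_file_contents can no longer tell whether the doubled sizes are safe. Suggest extending the new comment along the lines of `/* ... The intermediate sizes computed below may exceed the file size; coding_alloc_by_realloc in coding.c signals an error if the destination would grow past MOST_POSITIVE_FIXNUM.  */`, assuming that is the path the later arithmetic takes, which this hunk does not show. The `! not_regular` condition still leaves non-regular files without any size check, which is pre-existing and unchanged here. Finsert_file_contents starts and ends outside the hunk.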