From: Paul Eggert <eggert@cs.ucla.edu>
Date: Sun, 4 Sep 2011 23:58:01 +0000 (-0700)
Subject: Merge from trunk.
X-Git-Tag: emacs-pretest-24.0.90~104^2~153
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=1c262cae409ec55a234c89b3b74a13a77c7f595a;p=emacs.git

Merge from trunk.
---

1c262cae409ec55a234c89b3b74a13a77c7f595a
diff --cc ChangeLog
index f760b7bf5d8,aae3e190049..ab2bf756a13
--- a/ChangeLog
+++ b/ChangeLog
@@@ -1,37 -1,7 +1,41 @@@
- 2011-09-03  Paul Eggert  <eggert@cs.ucla.edu>
++2011-09-04  Paul Eggert  <eggert@cs.ucla.edu>
 +
 +	Merge from gnulib, using build-aux to remove clutter (Bug#9169).
 +	* autogen/README: Update destination list.
 +	* autogen/copy_autogen, autogen/update_autogen, .bzrignore:
 +	The autogenerated files compile, config.guess,
 +	config.sub, depcomp, install-sh, and missing are now in build-aux.
 +	* m4/largefile.m4: New file, so that Emacs does not mess up when
 +	accessing files with large inode numbers in MacOS X 10.5 and later.
 +	* m4/nocrash.m4: New file, to avoid triggering background debugger
 +	and/or create core dumps during 'configure'.
 +	* build-aux/move-if-change: Renamed from move-if-change.
 +	* build-aux/snippet/arg-nonnull.h: Renamed from arg-nonnull.h.
 +	* build-aux/snippet/c++defs.h: Renamed from c++defs.h.
 +	* build-aux/snippet/warn-on-use.h: Renamed from warn-on-use.h.
 +	* build-aux/snippet/_Noreturn.h: New file, for draft C1X _Noreturn.
 +	* Makefile.in (epaths-force, sync-from-gnulib):
 +	move-if-change is now in build-aux.
 +	(GNULIB_TOOL_FLAGS): Avoid threadlib; this is now a prerequisite
 +	of gnulib's pthread_sigmask module, but Emacs doesn't need it.
 +	(mkdir): install-sh is now in build-aux.
 +	* config.bat: c++defs.h is now in build-aux/snippets.
 +	* configure.in: Specify AC_CONFIG_AUX_DIR with build-aux (the
 +	usual parameter).
 +	* lib/gnulib.mk, m4/gl-comp.m4: Regenerate.
 +	* lib/makefile.w32-in (ARG_NONNULL_H): arg-nonnull.h moved
 +	to build-aux/snippet.
 +	* lib/pthread_sigmask.c, lib/stdlib.in.h, m4/extensions.m4:
 +	* m4/getopt.m4, m4/gnulib-common.m4, m4/pthread_sigmask.m4:
 +	Merge from gnuilib.  This fixes porting bugs on Cygwin, Irix, and
 +	Solaris, enables MacOS extensions, and enables nocrash during
 +	'configure'.
 +	* make-dist: Adjust to new build-aux and build-aux/snippit dirs.
 +
+ 2011-09-04  Paul Eggert  <eggert@cs.ucla.edu>
+ 
+ 	* configure.in (snprintf): New check.
+ 
  2011-08-30  Paul Eggert  <eggert@cs.ucla.edu>
  
  	* configure.in (opsys): Change pattern to *-*-linux*
diff --cc lib-src/ChangeLog
index 00876d2a044,9041eae8bbe..42073641cb9
--- a/lib-src/ChangeLog
+++ b/lib-src/ChangeLog
@@@ -1,8 -1,38 +1,43 @@@
- 2011-07-28  Paul Eggert  <eggert@cs.ucla.edu>
++2011-09-04  Paul Eggert  <eggert@cs.ucla.edu>
 +
 +	* Makefile.in ($(DESTDIR)${archlibdir}): install-sh moved
 +	to build-aux (Bug#9169).
 +
+ 2011-09-04  Paul Eggert  <eggert@cs.ucla.edu>
+ 
+ 	Integer and memory overflow issues (Bug#9397).
+ 
+ 	* emacsclient.c (xmalloc): Accept size_t, not unsigned int, to
+ 	avoid potential buffer overflow issues on typical 64-bit hosts.
+ 	Return void *, not long *.
+ 	(get_current_dir_name): Report a failure, instead of looping
+ 	forever, if buffer size calculation overflows.  Treat malloc
+ 	failures like realloc failures, as that has better behavior and is
+ 	more consistent.  Do not check whether xmalloc returns NULL, as
+ 	that's not possible.
+ 	(message): Do not arbitrarily truncate message to 2048 bytes when
+ 	sending it to stderr; use vfprintf instead.
+ 	(get_server_config, set_local_socket)
+ 	(start_daemon_and_retry_set_socket): Do not alloca
+ 	arbitrarily-large buffers; that's not safe.
+ 	(get_server_config, set_local_socket): Do not use sprintf when its
+ 	result might not fit in 'int'.
+ 	(set_local_socket): Do not assume uid fits in 'int'.
+ 
+ 	* etags.c (xmalloc, xrealloc): Accept size_t, not unsigned int,
+ 	to avoid potential buffer overflow issues on typical 64-bit hosts.
+ 	(whatlen_max): New static var.
+ 	(main): Avoid buffer overflow if subsidiary command length is
+ 	greater than BUFSIZ or 2*BUFSIZ + 20. Do not use sprintf when its
+ 	result might not fit in 'int'.
+ 
+ 	* movemail.c (main): Do not use sprintf when its result might not fit
+ 	in 'int'.  Instead, put the possibly-long file name into the
+ 	output of pfatal_with_name.
+ 
+ 	* update-game-score.c: Include <limits.h>
+ 	(get_user_id): Do not assume uid fits in 'int'.  Simplify.
+ 
  2011-07-28  Paul Eggert  <eggert@cs.ucla.edu>
  
  	Assume freestanding C89 headers, string.h, stdlib.h.
diff --cc src/ChangeLog
index f3953630803,9a512210497..e730c79f65b
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@@ -1,3 -1,142 +1,146 @@@
++2011-09-04  Paul Eggert  <eggert@cs.ucla.edu>
++
++	* Makefile.in (gl-stamp): move-if-change now in build-aux (Bug#9169).
++
+ 2011-09-04  Paul Eggert  <eggert@cs.ucla.edu>
+ 
+ 	sprintf-related integer and memory overflow issues (Bug#9412).
+ 
+ 	* doprnt.c (doprnt): Support printing ptrdiff_t and intmax_t values.
+ 	(esprintf, exprintf, evxprintf): New functions.
+ 	* keyboard.c (command_loop_level): Now EMACS_INT, not int.
+ 	(cmd_error): kbd macro iterations count is now EMACS_INT, not int.
+ 	(modify_event_symbol): Do not assume that the length of
+ 	name_alist_or_stem is safe to alloca and fits in int.
+ 	(Fexecute_extended_command): Likewise for function name and binding.
+ 	(Frecursion_depth): Wrap around reliably on integer overflow.
+ 	* keymap.c (push_key_description): First arg is now EMACS_INT, not int,
+ 	since some callers pass EMACS_INT values.
+ 	(Fsingle_key_description): Don't crash if symbol name contains more
+ 	than MAX_ALLOCA bytes.
+ 	* minibuf.c (minibuf_level): Now EMACS_INT, not int.
+ 	(get_minibuffer): Arg is now EMACS_INT, not int.
+ 	* lisp.h (get_minibuffer, push_key_description): Reflect API changes.
+ 	(esprintf, exprintf, evxprintf): New decls.
+ 	* window.h (command_loop_level, minibuf_level): Reflect API changes.
+ 
+ 	* dbusbind.c (signature_cat): New function.
+ 	(xd_signature, Fdbus_register_signal):
+ 	Do not overrun buffer; instead, report string overflow.
+ 
+ 	* dispnew.c (add_window_display_history): Don't overrun buffer.
+ 	Truncate instead; this is OK since it's just a log.
+ 
+ 	* editfns.c (Fcurrent_time_zone): Don't overrun buffer
+ 	even if the time zone offset is outlandishly large.
+ 	Don't mishandle offset == INT_MIN.
+ 
+ 	* emacs.c (main) [NS_IMPL_COCOA]: Don't overrun buffer
+ 	when creating daemon; the previous buffer-overflow check was incorrect.
+ 
+ 	* eval.c (verror): Simplify by rewriting in terms of evxprintf,
+ 	which has the guts of the old verror function.
+ 
+ 	* filelock.c (lock_file_1, lock_file): Don't blindly alloca long name;
+ 	use SAFE_ALLOCA instead.  Use esprintf to avoid int-overflow issues.
+ 
+ 	* font.c: Include <float.h>, for DBL_MAX_10_EXP.
+ 	(font_unparse_xlfd): Don't blindly alloca long strings.
+ 	Don't assume XINT result fits in int, or that XFLOAT_DATA * 10
+ 	fits in int, when using sprintf.  Use single snprintf to count
+ 	length of string rather than counting it via multiple sprintfs;
+ 	that's simpler and more reliable.
+ 	(font_unparse_fcname): Use it to avoid sprintf buffer overrun.
+ 	(generate_otf_features) [0 && HAVE_LIBOTF]: Use esprintf, not
+ 	sprintf, in case result does not fit in int.
+ 
+ 	* fontset.c (num_auto_fontsets): Now printmax_t, not int.
+ 	(fontset_from_font): Print it.
+ 
+ 	* frame.c (tty_frame_count): Now printmax_t, not int.
+ 	(make_terminal_frame, set_term_frame_name): Print it.
+ 	(x_report_frame_params): In X, window IDs are unsigned long,
+ 	not signed long, so print them as unsigned.
+ 	(validate_x_resource_name): Check for implausibly long names,
+ 	and don't assume name length fits in 'int'.
+ 	(x_get_resource_string): Don't blindly alloca invocation name;
+ 	use SAFE_ALLOCA.  Use esprintf, not sprintf, in case result does
+ 	not fit in int.
+ 
+ 	* gtkutil.c: Include <float.h>, for DBL_MAX_10_EXP.
+ 	(xg_check_special_colors, xg_set_geometry):
+ 	Make sprintf buffers a bit bigger, to avoid potential buffer overrun.
+ 
+ 	* lread.c (dir_warning): Don't blindly alloca buffer; use SAFE_ALLOCA.
+ 	Use esprintf, not sprintf, in case result does not fit in int.
+ 
+ 	* macros.c (executing_kbd_macro_iterations): Now EMACS_INT, not int.
+ 	(Fend_kbd_macro): Don't mishandle MOST_NEGATIVE_FIXNUM by treating
+ 	it as a large positive number.
+ 	(Fexecute_kbd_macro): Don't assume repeat count fits in int.
+ 	* macros.h (executing_kbd_macro_iterations): Now EMACS_INT, not int.
+ 
+ 	* nsterm.m ((NSSize)windowWillResize): Use esprintf, not sprintf,
+ 	in case result does not fit in int.
+ 
+ 	* print.c (float_to_string): Detect width overflow more reliably.
+ 	(print_object): Make sprintf buffer a bit bigger, to avoid potential
+ 	buffer overrun.  Don't assume list length fits in 'int'.  Treat
+ 	print length of 0 as 0, not as infinity; to be consistent with other
+ 	uses of print length in this function.  Don't overflow print length
+ 	index.  Don't assume hash table size fits in 'long', or that
+ 	vectorlike size fits in 'unsigned long'.
+ 
+ 	* process.c (make_process): Use printmax_t, not int, to format
+ 	process-name gensyms.
+ 
+ 	* sysdep.c (snprintf) [! HAVE_SNPRINTF]: New function.
+ 
+ 	* term.c (produce_glyphless_glyph): Make sprintf buffer a bit bigger
+ 	to avoid potential buffer overrun.
+ 
+ 	* xfaces.c (x_update_menu_appearance): Don't overrun buffer
+ 	if X resource line is longer than 512 bytes.
+ 
+ 	* xfns.c (x_window): Make sprintf buffer a bit bigger
+ 	to avoid potential buffer overrun.
+ 
+ 	* xterm.c (x_io_error_quitter): Don't overrun sprintf buffer.
+ 
+ 	* xterm.h (x_check_errors): Add ATTRIBUTE_FORMAT_PRINTF.
+ 
+ 2011-09-04  Paul Eggert  <eggert@cs.ucla.edu>
+ 
+ 	Integer overflow fixes for scrolling, etc.
+ 	Without these, Emacs silently mishandles large integers sometimes.
+ 	For example, "C-u 4294967297 M-x recenter" was treated as if
+ 	it were "C-u 1 M-x recenter" on a typical 64-bit host.
+ 
+ 	* xdisp.c (try_window_id): Check Emacs fixnum range before
+ 	converting to 'int'.
+ 
+ 	* window.c (window_scroll_line_based, Frecenter):
+ 	Check that an Emacs fixnum is in range before assigning it to 'int'.
+ 	(Frecenter, Fmove_to_window_line): Use EMACS_INT, not int, for
+ 	values converted from Emacs fixnums.
+ 	(Frecenter): Don't wrap around a line count if it is out of 'int'
+ 	range; instead, treat it as an extreme value.
+ 	(Fset_window_configuration, compare_window_configurations):
+ 	Use ptrdiff_t, not int, for index that might exceed 2 GiB.
+ 
+ 	* search.c (Freplace_match): Use ptrdiff_t, not int, for indexes
+ 	that can exceed INT_MAX.  Check that EMACS_INT value is in range
+ 	before assigning it to the (possibly-narrower) index.
+ 	(match_limit): Don't assume that a fixnum can fit in 'int'.
+ 
+ 	* print.c (print_object): Use ptrdiff_t, not int, for index that can
+ 	exceed INT_MAX.
+ 
+ 	* indent.c (position_indentation): Now takes ptrdiff_t, not int.
+ 	(Fvertical_motion): Don't wrap around LINES values that don't fit
+ 	in 'int'.  Instead, treat them as extreme values.  This is good
+ 	enough for windows, which can't have more than INT_MAX lines anyway.
+ 
  2011-09-03  Lars Magne Ingebrigtsen  <larsi@gnus.org>
  
  	* Require libxml/parser.h to avoid compilation warning.
@@@ -913,11 -1052,7 +1056,7 @@@
  	(re_exec): Fix return type.
  	(regexec): Fix type of `ret'.  (Bug#9203)
  
--2011-07-29  Paul Eggert  <eggert@cs.ucla.edu>
- 
- 	* Makefile.in (gl-stamp): move-if-change now in build-aux (Bug#9169).
- 
 +2011-07-28  Paul Eggert  <eggert@cs.ucla.edu>
  
  	* image.c (check_image_size): Use 1024x1024 if unknown frame (Bug#9189).
  	This is needed if max-image-size is a floating-point number.