From: Paul Eggert Date: Sun, 17 Jul 2011 20:56:13 +0000 (-0700) Subject: * xterm.c: don't go over XClientMessageEvent limit X-Git-Tag: emacs-pretest-24.0.90~104^2~152^2~142 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=50849c52f8cf342b81c1db12b13f866ec6c049fc;p=emacs.git * xterm.c: don't go over XClientMessageEvent limit (scroll_bar_windows_size): Now ptrdiff_t, as we prefer signed. (x_send_scroll_bar_event): Likewise. Check that the size does not exceed limits imposed by XClientMessageEvent, as well as the usual ptrdiff_t and size_t limits.
---
diff --git a/src/ChangeLog b/src/ChangeLog
index 32a117ed767..940beee887d 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,11 @@
 2011-07-17 Paul Eggert
+ * xterm.c: don't go over XClientMessageEvent limit
+ (scroll_bar_windows_size): Now ptrdiff_t, as we prefer signed.
+ (x_send_scroll_bar_event): Likewise. Check that the size does not
+ exceed limits imposed by XClientMessageEvent, as well as the usual
+ ptrdiff_t and size_t limits.
+
 * keyboard.c: Overflow, signedness and related fixes. (make_lispy_movement): Use same integer type in forward decl that is used in the definition.
diff --git a/src/xterm.c b/src/xterm.c
index 20516ee9d6f..5b6ddbb8ddf 100644
--- a/src/xterm.c
+++ b/src/xterm.c
@@ -4190,7 +4190,7 @@ xt_action_hook (Widget widget, XtPointer client_data, String action_name,
 x_send_scroll_bar_event and x_scroll_bar_to_input_event. */
 static struct window **scroll_bar_windows;
-static size_t scroll_bar_windows_size;
+static ptrdiff_t scroll_bar_windows_size;
 /* Send a client message with message type Xatom_Scrollbar for a
@@ -4205,7 +4205,7 @@ x_send_scroll_bar_event (Lisp_Object window, int part, int portion, int whole)
 XClientMessageEvent *ev = (XClientMessageEvent *) &event;
 struct window *w = XWINDOW (window);
 struct frame *f = XFRAME (w->frame);
- size_t i;
+ ptrdiff_t i;
 BLOCK_INPUT;
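Review bot: The changed declaration `static ptrdiff_t scroll_bar_windows_size;` in the first xterm.c hunk has no comment of its own, and the signed type now comes with an invariant that a reader has to find in x_send_scroll_bar_event. A one-line comment would record it, for example `/* Number of elements allocated in scroll_bar_windows; never negative, and bounded so slot indexes fit a 32-bit XClientMessageEvent field.  */`. The comment that ends just above the array declaration starts outside the hunk, so it may already cover part of this.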
@@ -4226,12 +4226,16 @@ x_send_scroll_bar_event (Lisp_Object window, int part, int portion, int whole)
 if (i == scroll_bar_windows_size)
 {
- size_t new_size = max (10, 2 * scroll_bar_windows_size);
- size_t nbytes = new_size * sizeof *scroll_bar_windows;
- size_t old_nbytes = scroll_bar_windows_size * sizeof *scroll_bar_windows;
-
- if ((size_t) -1 / sizeof *scroll_bar_windows < new_size)
+ ptrdiff_t new_size, old_nbytes, nbytes;
+ /* Check the 32-bit XClientMessageEvent limit, as well as the
+ usual ptrdiff_t/size_t limit. */
+ if (min (0x7fffffff,
+ min (PTRDIFF_MAX, SIZE_MAX) / sizeof *scroll_bar_windows / 2)
+ < scroll_bar_windows_size)
 memory_full (SIZE_MAX);
+ new_size = max (10, 2 * scroll_bar_windows_size);
+ nbytes = new_size * sizeof *scroll_bar_windows;
+ old_nbytes = scroll_bar_windows_size * sizeof *scroll_bar_windows;
 scroll_bar_windows = (struct window **) xrealloc (scroll_bar_windows, nbytes);
 memset (&scroll_bar_windows[i], 0, nbytes - old_nbytes);
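Review bot: The 0x7fffffff term in the new guard is compared with the current scroll_bar_windows_size rather than with the doubled size. Where ptrdiff_t is 64 bits, a size just under that limit passes, and `new_size = max (10, 2 * scroll_bar_windows_size)` can then grow the table to roughly twice the 32-bit XClientMessageEvent limit named in the comment. Slot indexes in the upper half would presumably not survive the trip through the event and could resolve to the wrong window on receipt; the code that stores and reads the index is outside this hunk, so that part is inferred. Halving both bounds keeps new_size within the limit: `if (min (0x7fffffff, min (PTRDIFF_MAX, SIZE_MAX) / sizeof *scroll_bar_windows) / 2 < scroll_bar_windows_size)`. x_send_scroll_bar_event begins and ends outside the hunk.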