From: Paul Eggert
Date: Fri, 17 Jun 2011 08:10:34 +0000 (-0700)
Subject: * buffer.c (record_overlay_string): Check for size-calculation overflow.
X-Git-Tag: emacs-pretest-24.0.90~104^2~473^2~68
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=67c36fce599fc28e5ae3eca371d034c600265dd2;p=emacs.git
* buffer.c (record_overlay_string): Check for size-calculation overflow.
(struct sortstrlist.size, struct sortlist.used): Don't truncate size to int.
---
diff --git a/src/ChangeLog b/src/ChangeLog
index fcb6f66c279..a82ba93320a 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -3,7 +3,10 @@
 * buffer.c (struct sortvec.priority, struct sortstr.priority):
 Now EMACS_INT, not int.
 (compare_overlays, cmp_for_strings): Avoid subtraction overflow.
- (struct sortstr.size, record_overlay_string): Don't truncate size to int.
+ (struct sortstr.size, record_overlay_string)
+ (struct sortstrlist.size, struct sortlist.used):
+ Don't truncate size to int.
+ (record_overlay_string): Check for size-calculation overflow.
 2011-06-16 Paul Eggert
diff --git a/src/buffer.c b/src/buffer.c
index 90a10ec2a34..93f739c0d4b 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -2933,8 +2933,8 @@ struct sortstr
 struct sortstrlist
 {
 struct sortstr *buf; /* An array that expands as needed; never freed. */
- int size; /* Allocated length of that array. */
- int used; /* How much of the array is currently in use. */
+ ptrdiff_t size; /* Allocated length of that array. */
+ ptrdiff_t used; /* How much of the array is currently in use. */
 EMACS_INT bytes; /* Total length of the strings in buf. */
 };
@@ -2969,7 +2969,10 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
 if (ssl->used == ssl->size)
 {
- if (ssl->buf)
+ if (min (PTRDIFF_MAX, SIZE_MAX) / (sizeof (struct sortstr) * 2)
+ < ssl->size)
+ memory_full (SIZE_MAX);
+ else if (0 < ssl->size)
 ssl->size *= 2;
 else
 ssl->size = 5;
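Review bot: The ChangeLog entry and commit message name `struct sortlist.used`, but the struct edited in the `@@ -2933` hunk of src/buffer.c is `struct sortstrlist`; the entry should read `(struct sortstrlist.size, struct sortstrlist.used)` so that a search of the log for the struct name finds this change. Separately, widening `size` and `used` to `ptrdiff_t` removes the truncation only if every reader of these fields is equally wide. Any loop counter or count argument elsewhere in buffer.c that still holds `used` in an `int` would narrow it again; those uses are outside this hunk, so this is a request to check them, not a confirmed defect.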
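Review bot: The overflow guard added in the `@@ -2969` hunk of record_overlay_string is only safe if `memory_full` never returns. That branch leaves `ssl->size` unchanged, so if control continued past it, the reallocation that presumably follows (outside the hunk) would not grow the array while `used == size`. A comment above the test would record both the bound and that dependency, e.g. `/* Doubling must keep size * sizeof (struct sortstr) within PTRDIFF_MAX and SIZE_MAX; memory_full does not return. */`, after confirming the no-return property against its declaration. The growth test also changed from `ssl->buf` to `0 < ssl->size`, which assumes `buf` is non-null exactly when `size` is positive; that invariant is worth stating next to the struct fields. The function body starts and ends outside this hunk.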