From: Paul Eggert Date: Thu, 23 Jun 2011 06:31:41 +0000 (-0700) Subject: * macros.c: Integer and buffer overflow fixes. X-Git-Tag: emacs-pretest-24.0.90~104^2~152^2~432 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=6d84508d181fec22ef538b5a6ba7e2072d1de8e7;p=emacs.git * macros.c: Integer and buffer overflow fixes. * keyboard.h (struct keyboard.kbd_macro_bufsize): * macros.c (Fstart_kbd_macro, store_kbd_macro_char): Use ptrdiff_t, not int, for sizes. Don't increment bufsize until after realloc succeeds. Check for size-calculation overflow. (Fstart_kbd_macro): Use EMACS_INT, not int, for XINT result. --- diff --git a/src/ChangeLog b/src/ChangeLog index 1e9cf82d1ac..c3eaaa4ff2d 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,13 @@ 2011-06-23 Paul Eggert + * macros.c: Integer and buffer overflow fixes. + * keyboard.h (struct keyboard.kbd_macro_bufsize): + * macros.c (Fstart_kbd_macro, store_kbd_macro_char): + Use ptrdiff_t, not int, for sizes. + Don't increment bufsize until after realloc succeeds. + Check for size-calculation overflow. + (Fstart_kbd_macro): Use EMACS_INT, not int, for XINT result. + * lisp.h (DEFVAR_KBOARD): Use offsetof instead of char * finagling. * lread.c: Integer overflow fixes. diff --git a/src/keyboard.h b/src/keyboard.h index 20763c35f3a..91008a3ea24 100644 --- a/src/keyboard.h +++ b/src/keyboard.h @@ -123,7 +123,7 @@ struct kboard Lisp_Object *kbd_macro_end; /* Allocated size of kbd_macro_buffer. */ - int kbd_macro_bufsize; + ptrdiff_t kbd_macro_bufsize; /* Last anonymous kbd macro defined. */ Lisp_Object KBOARD_INTERNAL_FIELD (Vlast_kbd_macro); diff --git a/src/macros.c b/src/macros.c index 3523e513d6a..ea33dbf2d2c 100644 --- a/src/macros.c +++ b/src/macros.c @@ -71,10 +71,10 @@ macro before appending to it. */) { if (current_kboard->kbd_macro_bufsize > 200) { - current_kboard->kbd_macro_bufsize = 30; current_kboard->kbd_macro_buffer = (Lisp_Object *)xrealloc (current_kboard->kbd_macro_buffer, 30 * sizeof (Lisp_Object)); + current_kboard->kbd_macro_bufsize = 30; } current_kboard->kbd_macro_ptr = current_kboard->kbd_macro_buffer; current_kboard->kbd_macro_end = current_kboard->kbd_macro_buffer; @@ -82,7 +82,8 @@ macro before appending to it. */) } else { - int i, len; + ptrdiff_t i; + EMACS_INT len; int cvt; /* Check the type of last-kbd-macro in case Lisp code changed it. */ @@ -94,10 +95,13 @@ macro before appending to it. */) has put another macro there. */ if (current_kboard->kbd_macro_bufsize < len + 30) { - current_kboard->kbd_macro_bufsize = len + 30; + if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (Lisp_Object) - 30 + < current_kboard->kbd_macro_bufsize) + memory_full (SIZE_MAX); current_kboard->kbd_macro_buffer = (Lisp_Object *)xrealloc (current_kboard->kbd_macro_buffer, (len + 30) * sizeof (Lisp_Object)); + current_kboard->kbd_macro_bufsize = len + 30; } /* Must convert meta modifier when copying string to vector. */ @@ -191,14 +195,17 @@ store_kbd_macro_char (Lisp_Object c) { if (kb->kbd_macro_ptr - kb->kbd_macro_buffer == kb->kbd_macro_bufsize) { - int ptr_offset, end_offset, nbytes; + ptrdiff_t ptr_offset, end_offset, nbytes; ptr_offset = kb->kbd_macro_ptr - kb->kbd_macro_buffer; end_offset = kb->kbd_macro_end - kb->kbd_macro_buffer; - kb->kbd_macro_bufsize *= 2; - nbytes = kb->kbd_macro_bufsize * sizeof *kb->kbd_macro_buffer; + if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *kb->kbd_macro_buffer / 2 + < kb->kbd_macro_bufsize) + memory_full (SIZE_MAX); + nbytes = kb->kbd_macro_bufsize * 2 * sizeof *kb->kbd_macro_buffer; kb->kbd_macro_buffer = (Lisp_Object *) xrealloc (kb->kbd_macro_buffer, nbytes); + kb->kbd_macro_bufsize *= 2; kb->kbd_macro_ptr = kb->kbd_macro_buffer + ptr_offset; kb->kbd_macro_end = kb->kbd_macro_buffer + end_offset; }