From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 28 Jan 2025 01:13:02 +0000 (-0800)
Subject: Make vmessage a bit safer
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=91de1fb5c3c1bca627d067ed0e5a7fafa2db8dd6;p=emacs.git

Make vmessage a bit safer

* src/xdisp.c (vmessage): Avoid undefined behavior if
FRAME_MESSAGE_BUF_SIZE (f) is zero, or if doprnt generates output
containing only encoding errors.  Although it’s not clear whether
either is possible, it is better to be safe.  Also, clarify via a
new local message_bufsize.

(cherry picked from commit 8e7588a2675655b88dc3ac5b7ed46ab6f1b891ec)
---

diff --git a/src/xdisp.c b/src/xdisp.c
index fac1d53ff12..0e1311d1db8 100644
--- a/src/xdisp.c
+++ b/src/xdisp.c
@@ -12586,17 +12586,18 @@ vmessage (const char *m, va_list ap)
 	    {
 	      ptrdiff_t len;
 	      ptrdiff_t maxsize = FRAME_MESSAGE_BUF_SIZE (f);
+	      ptrdiff_t message_bufsize = maxsize + MAX_MULTIBYTE_LENGTH;
 	      USE_SAFE_ALLOCA;
-	      char *message_buf = SAFE_ALLOCA (maxsize + MAX_MULTIBYTE_LENGTH);
+	      char *message_buf = SAFE_ALLOCA (message_bufsize);
 
-	      len = doprnt (message_buf, maxsize + MAX_MULTIBYTE_LENGTH, m, 0, ap);
+	      len = doprnt (message_buf, message_bufsize, m, 0, ap);
 	      /* doprnt returns the buffer size minus one when it
 		 truncated a multibyte sequence.  Work around that by
 		 truncating to the last valid multibyte head.  */
-	      if (len >= maxsize)
+	      if (0 < maxsize && maxsize <= len)
 		{
 		  len = maxsize - 1;
-		  while (!CHAR_HEAD_P (message_buf[len]))
+		  while (0 < len && !CHAR_HEAD_P (message_buf[len]))
 		    len--;
 		  message_buf[len] = 0;
 		}