From: Paul Eggert
Date: Sat, 8 Dec 2018 18:47:38 +0000 (-0800)
Subject: Fix integer overflow in oversize vectors
X-Git-Tag: emacs-27.0.90~4023
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=a65c0929ebd6f1980fe0f493a7d623aac63a34bd;p=emacs.git
Fix integer overflow in oversize vectors
* src/alloc.c (allocate_vector): Fix integer overflow when allocating very large vectors, by taking large_vector_offset into account. Assume C99.
---
diff --git a/src/alloc.c b/src/alloc.c
index 596de3af85e..8eaa810e53a 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -3388,12 +3388,11 @@ allocate_vectorlike (ptrdiff_t len)
 struct Lisp_Vector *
 allocate_vector (EMACS_INT len)
 {
-  struct Lisp_Vector *v;
-  ptrdiff_t nbytes_max = min (PTRDIFF_MAX, SIZE_MAX);
-
-  if (min ((nbytes_max - header_size) / word_size, MOST_POSITIVE_FIXNUM) < len)
+  ptrdiff_t wordbytes_max = (min (PTRDIFF_MAX, SIZE_MAX)
+                             - header_size - large_vector_offset);
+  if (min (wordbytes_max / word_size, MOST_POSITIVE_FIXNUM) < len)
     memory_full (SIZE_MAX);
-  v = allocate_vectorlike (len);
+  struct Lisp_Vector *v = allocate_vectorlike (len);
   if (len)
     v->header.size = len;
   return v;
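Review bot: A negative `len` still slips past the new guard on the `if (min (wordbytes_max / word_size, MOST_POSITIVE_FIXNUM) < len)` line, because the comparison only bounds `len` from above and `EMACS_INT` is signed; if every caller already guarantees a non-negative length, an `eassert (0 <= len);` ahead of the check would record that contract and trap a bad caller in debug builds before `allocate_vectorlike` sees the value. The reason for the new `- large_vector_offset` term is not visible in the hunk either; a one-line comment on the `wordbytes_max` initializer, e.g. `/* Reserve room for the large-vector header that allocate_vectorlike adds on top of the payload bytes.  */`, would tell the next reader why the bound is tighter than `header_size` alone — assuming that is what allocate_vectorlike does, which this hunk does not show. Note also that `min (PTRDIFF_MAX, SIZE_MAX)` mixes a signed and an unsigned constant, so the intermediate is presumably evaluated as `size_t` before the subtraction and the narrowing store into `ptrdiff_t`; that is harmless here because the result is non-negative and fits, but it is worth a glance if the expression is ever reused with values that might not. The function's closing brace lies outside the hunk.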