From: Paul Eggert Date: Thu, 28 Jul 2011 21:38:23 +0000 (-0700) Subject: * emacs.c (main, sort_args): Check for size-calculation overflow. X-Git-Tag: emacs-pretest-24.0.90~104^2~152^2~120 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=b4fb63147af14661b28c59d07987f8306deb5ed1;p=emacs.git * emacs.c (main, sort_args): Check for size-calculation overflow. --- diff --git a/src/ChangeLog b/src/ChangeLog index b823dd54498..52f1a76e54c 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,7 @@ 2011-07-28 Paul Eggert + * emacs.c (main, sort_args): Check for size-calculation overflow. + * editfns.c: Integer and memory overflow fixes. (set_time_zone_rule): Don't assume environment length fits in int. (message_length): Now ptrdiff_t, not int. diff --git a/src/emacs.c b/src/emacs.c index 39870ec0079..4de567a5588 100644 --- a/src/emacs.c +++ b/src/emacs.c @@ -1360,9 +1360,12 @@ Using an Emacs configured with --with-x-toolkit=lucid does not have this problem This requires inserting a new element into argv. */ if (displayname != 0 && skip_args - count_before == 1) { - char **new = (char **) xmalloc (sizeof (char *) * (argc + 2)); + char **new; int j; + if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (char *) - 2 < argc) + memory_full (SIZE_MAX); + new = (char **) xmalloc (sizeof *new * argc + sizeof *new * 2); for (j = 0; j < count_before + 1; j++) new[j] = argv[j]; new[count_before + 1] = (char *) "-d"; @@ -1838,13 +1841,19 @@ sort_args (int argc, char **argv) 0 for an option that takes no arguments, 1 for an option that takes one argument, etc. -1 for an ordinary non-option argument. */ - int *options = (int *) xmalloc (sizeof (int) * argc); - int *priority = (int *) xmalloc (sizeof (int) * argc); + int *options; + int *priority; int to = 1; int incoming_used = 1; int from; int i; + if (sizeof (char *) < sizeof (int) + && min (PTRDIFF_MAX, SIZE_MAX) / sizeof (int) < argc) + memory_full (SIZE_MAX); + options = (int *) xmalloc (sizeof (int) * argc); + priority = (int *) xmalloc (sizeof (int) * argc); + /* Categorize all the options, and figure out which argv elts are option arguments. */ for (from = 1; from < argc; from++)