From 1d5689025c709551296684432b04d1ad39e90c71 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Thu, 28 Jul 2011 18:11:37 -0700
Subject: [PATCH] * scroll.c: Integer and memory overflow fixes. (do_line_insertion_deletion_costs): Check for size calculation overflow. Don't bother calling xmalloc when xrealloc will do.
---
 src/ChangeLog | 4 ++++
 src/scroll.c | 41 +++++++++++++++--------------------------
 2 files changed, 19 insertions(+), 26 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 662d03aaf3d..a80c370e0ad 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,9 @@ 2011-07-29 Paul Eggert
+ * scroll.c: Integer and memory overflow fixes.
+ (do_line_insertion_deletion_costs): Check for size calculation overflow.
+ Don't bother calling xmalloc when xrealloc will do.
+ * region-cache.c (move_cache_gap): Check for size calculation overflow. * process.c (Fnetwork_interface_list): Check for overflow
diff --git a/src/scroll.c b/src/scroll.c
index 6291936a541..9184919f0ce 100644
--- a/src/scroll.c
+++ b/src/scroll.c
@@ -969,32 +969,21 @@ do_line_insertion_deletion_costs (FRAME_PTR frame, const char *cleanup_string, int coefficient) {
- if (FRAME_INSERT_COST (frame) != 0)
- {
- FRAME_INSERT_COST (frame) =
- (int *) xrealloc (FRAME_INSERT_COST (frame),
- FRAME_LINES (frame) * sizeof (int));
- FRAME_DELETEN_COST (frame) =
- (int *) xrealloc (FRAME_DELETEN_COST (frame),
- FRAME_LINES (frame) * sizeof (int));
- FRAME_INSERTN_COST (frame) =
- (int *) xrealloc (FRAME_INSERTN_COST (frame),
- FRAME_LINES (frame) * sizeof (int));
- FRAME_DELETE_COST (frame) =
- (int *) xrealloc (FRAME_DELETE_COST (frame),
- FRAME_LINES (frame) * sizeof (int));
- }
- else
- {
- FRAME_INSERT_COST (frame) =
- (int *) xmalloc (FRAME_LINES (frame) * sizeof (int));
- FRAME_DELETEN_COST (frame) =
- (int *) xmalloc (FRAME_LINES (frame) * sizeof (int));
- FRAME_INSERTN_COST (frame) =
- (int *) xmalloc (FRAME_LINES (frame) * sizeof (int));
- FRAME_DELETE_COST (frame) =
- (int *) xmalloc (FRAME_LINES (frame) * sizeof (int));
- }
+ if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (int) < FRAME_LINES (frame))
+ memory_full (SIZE_MAX);
+
+ FRAME_INSERT_COST (frame) =
+ (int *) xrealloc (FRAME_INSERT_COST (frame),
+ FRAME_LINES (frame) * sizeof (int));
+ FRAME_DELETEN_COST (frame) =
+ (int *) xrealloc (FRAME_DELETEN_COST (frame),
+ FRAME_LINES (frame) * sizeof (int));
+ FRAME_INSERTN_COST (frame) =
+ (int *) xrealloc (FRAME_INSERTN_COST (frame),
+ FRAME_LINES (frame) * sizeof (int));
+ FRAME_DELETE_COST (frame) =
+ (int *) xrealloc (FRAME_DELETE_COST (frame),
+ FRAME_LINES (frame) * sizeof (int));
 ins_del_costs (frame, ins_line_string, multi_ins_string,
--
2.39.2
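Review bot: The overflow guard and the four xrealloc calls each spell out the size separately, so the quantity that is checked (`FRAME_LINES (frame)` against the quotient) and the quantity that is allocated (`FRAME_LINES (frame) * sizeof (int)`) are tied together only by repetition. Computing the byte count once after the guard, e.g. `size_t nbytes = FRAME_LINES (frame) * sizeof (int);`, and passing `nbytes` to each call would keep the check and the allocations in step if the element type ever changes. FRAME_LINES looks like a signed int here, and a negative value seems to be rejected only through the implicit conversion to the unsigned left-hand side, which deserves a short comment such as `/* A negative line count converts to a huge unsigned value and is rejected too.  */`. The now unconditional xrealloc also relies on the four cost vectors being null the first time a frame reaches this code, which the hunk does not show. The function starts above the hunk and continues below it.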