From 1ffd9c92ea38e078ec6cde6277c7ce88895212df Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Thu, 28 Jul 2011 16:51:50 -0700
Subject: [PATCH] * ftfont.c: Check for size overflow.

(ftfont_get_open_type_spec, setup_otf_gstring, ftfont_shape_by_flt):
Check for integer overflow in size calculations.
---
src/ChangeLog | 4 ++++
src/ftfont.c | 15 ++++++++++++++-
2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 058c250a330..84d7bf4cb48 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,9 @@
 2011-07-28 Paul Eggert
 
+ * ftfont.c: Check for size overflow.
+ (ftfont_get_open_type_spec, setup_otf_gstring, ftfont_shape_by_flt):
+ Check for integer overflow in size calculations.
+
 * fringe.c (Fdefine_fringe_bitmap): Don't update size until alloc works.
 
 * frame.h (struct frame): Use int, not EMACS_INT, where int works.
diff --git a/src/ftfont.c b/src/ftfont.c
index 4e313a89021..551006eef94 100644
--- a/src/ftfont.c
+++ b/src/ftfont.c
@@ -682,7 +682,10 @@ ftfont_get_open_type_spec (Lisp_Object otf_spec)
 if (NILP (val))
 continue;
 len = Flength (val);
- spec->features[i] = malloc (sizeof (int) * XINT (len));
+ spec->features[i] =
+ (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (int) < XINT (len)
+ ? 0
+ : malloc (sizeof (int) * XINT (len)));
 if (! spec->features[i])
 {
 if (i > 0 && spec->features[0])
@@ -1761,6 +1764,9 @@ static OTF_GlyphString otf_gstring;
 static void
 setup_otf_gstring (int size)
 {
+ if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (OTF_Glyph) < size)
+ memory_full (SIZE_MAX);
+
 if (otf_gstring.size == 0)
 {
 otf_gstring.glyphs = (OTF_Glyph *) xmalloc (sizeof (OTF_Glyph) * size);
@@ -2390,6 +2396,8 @@ ftfont_shape_by_flt (Lisp_Object lgstring, struct font *font,
 struct MFLTFontFT flt_font_ft;
 MFLT *flt = NULL;
 int with_variation_selector = 0;
+ int allocated_max = min (INT_MAX,
+ min (PTRDIFF_MAX, SIZE_MAX) / sizeof (MFLTGlyph));
 
 if (! m17n_flt_initialized)
 {
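Review bot: The new guard in ftfont_get_open_type_spec maps an oversized `XINT (len)` to a null `spec->features[i]` and so takes the same path as a malloc failure at `if (! spec->features[i])`, whereas setup_otf_gstring and ftfont_shape_by_flt in this same patch call memory_full instead; nothing in the hunk records why this site is the one that degrades quietly. A one-line comment above the assignment, `/* An overflowing count is treated exactly like a malloc failure below.  */`, would preserve that intent for the next reader. The comparison also mixes the unsigned bound with the signed `XINT (len)`; Flength cannot yield a negative count, so the implicit conversion is harmless here, but a negative value would trip the guard rather than the multiply, which is worth a word. The function continues outside the hunk, so I cannot see what the caller does with a null feature list.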
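Review bot: The guard added to setup_otf_gstring rejects a negative `size` only indirectly: `size` is an int, and comparing it against the size_t bound converts a negative value to a huge unsigned one that then reaches memory_full, assuming `min` is the usual conditional macro. Making the contract explicit, `if (size < 0 || min (PTRDIFF_MAX, SIZE_MAX) / sizeof (OTF_Glyph) < (size_t) size)`, documents that negative sizes are invalid and removes the sign-compare warning that the mixed comparison produces under -Wextra. The remainder of setup_otf_gstring, including the path taken when otf_gstring.size is nonzero, lies outside the hunk, so I cannot confirm that the grow path relies on this same bound.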
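Review bot: `allocated_max` in ftfont_shape_by_flt is clamped to INT_MAX in addition to the byte-size bound, which only makes sense because the value it is later compared against, gstring.allocated, is presumably an int in m17n's glyph-string type; that reasoning is not visible at the declaration. A comment such as `/* Upper bound for gstring.allocated: it must fit in an int, and its byte size must fit in both size_t and ptrdiff_t.  */` would keep the two constraints together so that neither is dropped if one of the types changes. ftfont_shape_by_flt continues outside the hunk.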
@@ -2445,6 +2453,9 @@ ftfont_shape_by_flt (Lisp_Object lgstring, struct font *font,
 }
 }
 
+ if (allocated_max / 2 < len)
+ memory_full (SIZE_MAX);
+
 if (gstring.allocated == 0)
 {
 gstring.allocated = len * 2;
@@ -2504,6 +2515,8 @@ ftfont_shape_by_flt (Lisp_Object lgstring, struct font *font,
 int result = mflt_run (&gstring, 0, len, &flt_font_ft.flt_font, flt);
 if (result != -2)
 break;
+ if (allocated_max / 2 < gstring.allocated)
+ memory_full (SIZE_MAX);
 gstring.allocated += gstring.allocated;
 gstring.glyphs = xrealloc (gstring.glyphs,
 sizeof (MFLTGlyph) * gstring.allocated);
-- 
2.39.2
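Review bot: The two doubling guards in ftfont_shape_by_flt — `allocated_max / 2 < len` before the first allocation here and `allocated_max / 2 < gstring.allocated` in the retry loop of the last hunk — are correct for the `len * 2` and `gstring.allocated += gstring.allocated` that follow, but each reads as an unexplained halving. A one-liner at each site, `/* The buffer is sized to twice this value below; refuse if that would exceed allocated_max.  */`, ties the check to the doubling it protects. The first guard sits before `if (gstring.allocated == 0)`, so it appears to also cover whatever grow-on-reuse branch follows outside the hunk; stating that in the comment would spare the next reader from checking whether the else branch is protected.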