From 20270765bee11c46dc5a16ccca169751ce4e89ea Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Wed, 22 Jun 2011 22:41:40 -0700
Subject: [PATCH] * lread.c (read1): Check for size overflow.
---
 src/ChangeLog | 1 +
 src/lread.c | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/src/ChangeLog b/src/ChangeLog
index 6cf45e5d2aa..1e9cf82d1ac 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -13,6 +13,7 @@
 (substitute_object_recurse, read_vector, read_list, map_obarray): Use ptrdiff_t, not int, for sizes.
 (read1): Use EMACS_INT, not int, for sizes.
+ Check for size overflow.
 * image.c (cache_image): Check for size arithmetic overflow.
diff --git a/src/lread.c b/src/lread.c
index 18569df554b..06b957cf392 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -2869,6 +2869,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
 if (end - p < MAX_MULTIBYTE_LENGTH)
 {
 ptrdiff_t offset = p - read_buffer;
+ if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size)
+ memory_full (SIZE_MAX);
 read_buffer = (char *) xrealloc (read_buffer, read_buffer_size *= 2);
 p = read_buffer + offset;
@@ -3012,6 +3014,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
 if (end - p < MAX_MULTIBYTE_LENGTH)
 {
 ptrdiff_t offset = p - read_buffer;
+ if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size)
+ memory_full (SIZE_MAX);
 read_buffer = (char *) xrealloc (read_buffer, read_buffer_size *= 2);
 p = read_buffer + offset;
@@ -3039,6 +3043,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
 if (p == end)
 {
 ptrdiff_t offset = p - read_buffer;
+ if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size)
+ memory_full (SIZE_MAX);
 read_buffer = (char *) xrealloc (read_buffer, read_buffer_size *= 2);
 p = read_buffer + offset;
--
2.39.2
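Review bot: In the lread.c hunk at -2869, and identically at -3012 and -3043, the stored size is still doubled inside the xrealloc argument (`read_buffer_size *= 2`), so it grows before the allocation is known to have succeeded. If xrealloc can leave read1 through an error path instead of returning (not visible here, to be confirmed), read_buffer_size would then describe a buffer that was never obtained. With the new guard in place the multiplication is safe to do twice, so the call can be split into `read_buffer = (char *) xrealloc (read_buffer, read_buffer_size * 2);` followed by `read_buffer_size *= 2;`. The same check-and-grow sequence now appears three times in read1, so a single static helper would keep the overflow check from being missed at a later growth site. The doubling also relies on memory_full not returning, which seems worth stating in a comment such as `/* memory_full does not return, so the doubling below cannot overflow. */`.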