From 2c6a9faaaebb2fca42c4f020865c7c077864cad8 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Tue, 27 Sep 2011 08:58:20 -0700
Subject: [PATCH] * coding.c: Integer and buffer overflow fixes.
(Funencodable_char_position, Fcheck_coding_systems_region)
(get_translation, handle_composition_annotation, consume_chars):
Use ptrdiff_t, not int, to avoid needless 32-bit limit on 64-bit hosts.
(consume_chars): Rewrite to avoid calculating an address outside buffer.
---
 src/ChangeLog | 4 +++-
 src/coding.c | 10 +++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 696123c6c1d..a273fd6ece0 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -167,8 +167,10 @@
 Don't assume fixnums fit in int.
 (decode_coding_gap, decode_coding_object, encode_coding_object)
 (Fread_coding_system, Fdetect_coding_region)
- (Funencodable_char_position, Fcheck_coding_systems_region):
+ (Funencodable_char_position, Fcheck_coding_systems_region)
+ (get_translation, handle_composition_annotation, consume_chars):
 Use ptrdiff_t, not int, to avoid needless 32-bit limit on 64-bit hosts.
+ (consume_chars): Rewrite to avoid calculating an address outside buffer.
 (Ffind_operation_coding_system): NATNUMP can eval its arg twice.
 (Fdefine_coding_system_internal): Check for charset-id overflow.
 (ENCODE_ISO_CHARACTER): Use unsigned, not int, to store the unsigned
diff --git a/src/coding.c b/src/coding.c
index 44506476794..25ac0e9764c 100644
--- a/src/coding.c
+++ b/src/coding.c
@@ -6613,8 +6613,8 @@ get_translation (Lisp_Object trans, int *buf, int *buf_end)
 {
 Lisp_Object val = XCAR (trans);
 Lisp_Object from = XCAR (val);
- int len = ASIZE (from);
- int i;
+ ptrdiff_t len = ASIZE (from);
+ ptrdiff_t i;
 
 for (i = 0; i < len; i++)
 {
@@ -7132,7 +7132,7 @@ handle_composition_annotation (ptrdiff_t pos, ptrdiff_t limit,
 if (method != COMPOSITION_RELATIVE)
 {
 Lisp_Object components;
- int len, i, i_byte;
+ ptrdiff_t i, len, i_byte;
 
 components = COMPOSITION_COMPONENTS (prop);
 if (VECTORP (components))
@@ -7303,7 +7303,7 @@ consume_chars (struct coding_system *coding, Lisp_Object translation_table,
 *buf++ = c;
 else
 {
- int from_nchars = 1, to_nchars = 1;
+ ptrdiff_t from_nchars = 1, to_nchars = 1;
 int *lookup_buf_end;
 const unsigned char *p = src;
 int i;
@@ -7324,7 +7324,7 @@ consume_chars (struct coding_system *coding, Lisp_Object translation_table,
 else
 {
 to_nchars = ASIZE (trans);
- if (buf + to_nchars > buf_end)
+ if (buf_end - buf < to_nchars)
 break;
 c = XINT (AREF (trans, 0));
 }
--
2.39.2
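Review bot: The rewritten bound check `if (buf_end - buf < to_nchars)` in the last hunk of consume_chars needs a comment saying why it is a pointer difference rather than a pointer sum, or a later reader will "simplify" it back to `buf + to_nchars > buf_end`: forming a pointer beyond one-past-the-end of the output array is undefined behavior even if it is never dereferenced, and an optimizer may then assume the comparison can never be true and drop the `break`. Suggest placing `/* Compare remaining room, not addresses: BUF + TO_NCHARS may point past the end of the output buffer, and merely forming such a pointer is undefined.  */` directly above the check. The comparison is well-defined only if buf and buf_end point into the same array, which I infer from the names and the surrounding loop but cannot confirm from the hunk; it is also now a signed comparison on both sides since to_nchars became ptrdiff_t in the preceding hunk, so no mixed-signedness surprise. consume_chars starts and ends outside these hunks.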