From 3256efcee3a7c3bf63e62666715455e834d19ea0 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Thu, 28 Jul 2011 22:12:49 -0700 Subject: [PATCH] * xterm.c: Integer and memory overflow issues. (x_color_cells, handle_one_xevent, x_term_init): Check for size calculation overflow. (x_color_cells): Don't store size until memory allocation succeeds. (handle_one_xevent): Use ptrdiff_t, not int, for byte counts. (x_term_init): Don't assume length fits in int (sprintf is limited to int size). --- src/ChangeLog | 8 ++++++++ src/xterm.c | 30 ++++++++++++++++++++---------- 2 files changed, 28 insertions(+), 10 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index 1f288a48f2f..b005b461ed4 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,13 @@ 2011-07-29 Paul Eggert + * xterm.c: Integer and memory overflow issues. + (x_color_cells, handle_one_xevent, x_term_init): + Check for size calculation overflow. + (x_color_cells): Don't store size until memory allocation succeeds. + (handle_one_xevent): Use ptrdiff_t, not int, for byte counts. + (x_term_init): Don't assume length fits in int (sprintf is limited + to int size). + * xsmfns.c (smc_save_yourself_CB): Check for size calc overflow. * xselect.c: Integer and memory overflow issues. diff --git a/src/xterm.c b/src/xterm.c index 5b6ddbb8ddf..4ef0061dba6 100644 --- a/src/xterm.c +++ b/src/xterm.c @@ -1625,19 +1625,21 @@ x_color_cells (Display *dpy, int *ncells) if (dpyinfo->color_cells == NULL) { Screen *screen = dpyinfo->screen; + int ncolor_cells = XDisplayCells (dpy, XScreenNumberOfScreen (screen)); int i; - dpyinfo->ncolor_cells - = XDisplayCells (dpy, XScreenNumberOfScreen (screen)); + if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (XColor) < ncolor_cells) + memory_full (SIZE_MAX); dpyinfo->color_cells - = (XColor *) xmalloc (dpyinfo->ncolor_cells + = (XColor *) xmalloc (ncolor_cells * sizeof *dpyinfo->color_cells); + dpyinfo->ncolor_cells = ncolor_cells; - for (i = 0; i < dpyinfo->ncolor_cells; ++i) + for (i = 0; i < ncolor_cells; ++i) dpyinfo->color_cells[i].pixel = i; XQueryColors (dpy, dpyinfo->cmap, - dpyinfo->color_cells, dpyinfo->ncolor_cells); + dpyinfo->color_cells, ncolor_cells); } *ncells = dpyinfo->ncolor_cells; @@ -5817,7 +5819,7 @@ handle_one_xevent (struct x_display_info *dpyinfo, XEvent *eventptr, } inev; int count = 0; int do_help = 0; - int nbytes = 0; + ptrdiff_t nbytes = 0; struct frame *f = NULL; struct coding_system coding; XEvent event = *eventptr; @@ -6515,7 +6517,7 @@ handle_one_xevent (struct x_display_info *dpyinfo, XEvent *eventptr, } { /* Raw bytes, not keysym. */ - register int i; + ptrdiff_t i; int nchars, len; for (i = 0, nchars = 0; i < nbytes; i++) @@ -6528,7 +6530,11 @@ handle_one_xevent (struct x_display_info *dpyinfo, XEvent *eventptr, if (nchars < nbytes) { /* Decode the input data. */ - int require; + ptrdiff_t require; + + if (min (PTRDIFF_MAX, SIZE_MAX) / MAX_MULTIBYTE_LENGTH + < nbytes) + memory_full (SIZE_MAX); /* The input should be decoded with `coding_system' which depends on which X*LookupString function @@ -9826,6 +9832,7 @@ x_term_init (Lisp_Object display_name, char *xrm_option, char *resource_name) struct x_display_info *dpyinfo; XrmDatabase xrdb; Mouse_HLInfo *hlinfo; + ptrdiff_t lim; BLOCK_INPUT; @@ -10044,12 +10051,15 @@ x_term_init (Lisp_Object display_name, char *xrm_option, char *resource_name) XSetAfterFunction (x_current_display, x_trace_wire); #endif /* ! 0 */ + lim = min (PTRDIFF_MAX, SIZE_MAX) - sizeof "@"; + if (lim - SBYTES (Vinvocation_name) < SBYTES (Vsystem_name)) + memory_full (SIZE_MAX); dpyinfo->x_id_name = (char *) xmalloc (SBYTES (Vinvocation_name) + SBYTES (Vsystem_name) + 2); - sprintf (dpyinfo->x_id_name, "%s@%s", - SSDATA (Vinvocation_name), SSDATA (Vsystem_name)); + strcat (strcat (strcpy (dpyinfo->x_id_name, SSDATA (Vinvocation_name)), "@"), + SSDATA (Vsystem_name)); /* Figure out which modifier bits mean what. */ x_find_modifier_meanings (dpyinfo); -- 2.39.2