From 35caaf713fb3c3e5e826e52b37e1b389c6bd9cce Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Wed, 21 Jun 2017 17:18:30 -0700
Subject: [PATCH] Limit bidi_find_bracket_pairs to MAX_ALLOCA
* src/bidi.c (MAX_BPA_STACK): Now a constant, not a macro. Shrink it to allow for the two struct bidi_it objects in the same frame.
(PUSH_BPA_STACK): Avoid integer overflow with enormous bidi cache.
(bidi_find_bracket_pairs): Use compile-time check instead of runtime.
---
 src/bidi.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/bidi.c b/src/bidi.c
index dce0bf695f6..e34da778ba0 100644
--- a/src/bidi.c
+++ b/src/bidi.c
@@ -565,9 +565,7 @@ bidi_copy_it (struct bidi_it *to, struct bidi_it *from)
 RTL characters in the offending line of text. */
 /* Do we need to allow customization of this limit? */
 #define BIDI_CACHE_MAX_ELTS_PER_SLOT 50000
-#if BIDI_CACHE_CHUNK >= BIDI_CACHE_MAX_ELTS_PER_SLOT
-# error BIDI_CACHE_CHUNK must be less than BIDI_CACHE_MAX_ELTS_PER_SLOT
-#endif
+verify (BIDI_CACHE_CHUNK < BIDI_CACHE_MAX_ELTS_PER_SLOT);
 static ptrdiff_t bidi_cache_max_elts = BIDI_CACHE_MAX_ELTS_PER_SLOT;
 static struct bidi_it *bidi_cache;
 static ptrdiff_t bidi_cache_size = 0;
@@ -2468,9 +2466,11 @@ typedef struct bpa_stack_entry {
 unsigned flags : 2;
 } bpa_stack_entry;
-/* With MAX_ALLOCA of 16KB, this should allow at least 1K slots in the
+/* Allow for the two struct bidi_it objects too, since they can be big.
+ With MAX_ALLOCA of 16 KiB, this should allow at least 900 slots in the
 BPA stack, which should be more than enough for actual bidi text. */
-#define MAX_BPA_STACK ((int)max (MAX_ALLOCA / sizeof (bpa_stack_entry), 1))
+enum { MAX_BPA_STACK = max (1, ((MAX_ALLOCA - 2 * sizeof (struct bidi_it))
+ / sizeof (bpa_stack_entry))) };
 /* UAX#9 says to match opening brackets with the matching closing brackets
 or their canonical equivalents. As of Unicode 8.0, there
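Review bot: The subtraction in the new MAX_BPA_STACK initializer is evaluated in size_t, so if `2 * sizeof (struct bidi_it)` ever exceeded MAX_ALLOCA the difference would wrap to a huge value and the `max (1, ...)` floor would not catch it, turning the intended small stack bound into an enormous one. That is unlikely with the current struct, but the comment on the enum itself says these objects "can be big", so the assumption deserves to be pinned next to the definition: `verify (2 * sizeof (struct bidi_it) < MAX_ALLOCA);`. The `verify (MAX_BPA_STACK >= 100)` added in the -2563 hunk would not catch that case either, since a wrapped value passes it.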
@@ -2517,7 +2517,7 @@ typedef struct bpa_stack_entry {
 #define PUSH_BPA_STACK \
 do { \
 int ch; \
- if (bpa_sp < MAX_BPA_STACK - 1) \
+ if (bpa_sp < MAX_BPA_STACK - 1 && bidi_cache_last_idx <= INT_MAX) \
 { \
 bpa_sp++; \
 ch = CANONICAL_EQU (bidi_it->ch); \
@@ -2563,7 +2563,7 @@ bidi_find_bracket_pairs (struct bidi_it *bidi_it)
 ptrdiff_t pairing_pos;
 int idx_at_entry = bidi_cache_idx;
- eassert (MAX_BPA_STACK >= 100);
+ verify (MAX_BPA_STACK >= 100);
 bidi_copy_it (&saved_it, bidi_it);
 /* bidi_cache_iterator_state refuses to cache on backward scans, and
 bidi_cache_fetch_state doesn't bring scan_dir from the
--
2.39.2
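Review bot: The added `bidi_cache_last_idx <= INT_MAX` test in PUSH_BPA_STACK has no explanation at the point of use; the ChangeLog says it avoids integer overflow with an enormous cache, presumably because the pushed entry stores this index in an int-sized field, but a reader of the macro cannot see that from the condition. A short comment on that line would help, e.g. `/* The stack entry holds the cache index as an int; do not push (take the fallback path) if it would not fit.  */`. Note also that an out-of-range cache index now takes the same fallback path as a full stack, so if that path is reported or asserted on anywhere, the two causes are indistinguishable. The macro body continues past the end of the hunk.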