From 6cbf73b5f9f51b5e25b855bf9f521c1ef070dd4a Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 15 Aug 2019 02:16:26 -0700
Subject: [PATCH] Fix some fixnum overflow problems in ccl.c
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

* src/ccl.c (ccl_driver, Fccl_execute, Fccl_execute_on_string):
Don’t assume CCL registers fit into fixnums.
---
 src/ccl.c | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/src/ccl.c b/src/ccl.c
index ff42c6f25fc..95054366258 100644
--- a/src/ccl.c
+++ b/src/ccl.c
@@ -1291,7 +1291,9 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
 				: -1));
 		h = GET_HASH_TABLE (eop);
 
-		eop = hash_lookup (h, make_fixnum (reg[RRR]), NULL);
+		eop = (FIXNUM_OVERFLOW_P (reg[RRR])
+		       ? -1
+		       : hash_lookup (h, make_fixnum (reg[RRR]), NULL));
 		if (eop >= 0)
 		  {
 		    Lisp_Object opl;
@@ -1318,7 +1320,9 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
 		i = CCL_DECODE_CHAR (reg[RRR], reg[rrr]);
 		h = GET_HASH_TABLE (eop);
 
-		eop = hash_lookup (h, make_fixnum (i), NULL);
+		eop = (FIXNUM_OVERFLOW_P (i)
+		       ? -1
+		       : hash_lookup (h, make_fixnum (i), NULL));
 		if (eop >= 0)
 		  {
 		    Lisp_Object opl;
@@ -1990,9 +1994,13 @@ programs.  */)
     error ("Length of vector REGISTERS is not 8");
 
   for (i = 0; i < 8; i++)
-    ccl.reg[i] = (TYPE_RANGED_FIXNUMP (int, AREF (reg, i))
-		  ? XFIXNUM (AREF (reg, i))
-		  : 0);
+    {
+      intmax_t n;
+      ccl.reg[i] = ((INTEGERP (AREF (reg, i))
+		     && integer_to_intmax (AREF (reg, i), &n)
+		     && INT_MIN <= n && n <= INT_MAX)
+		    ? n : 0);
+    }
 
   ccl_driver (&ccl, NULL, NULL, 0, 0, Qnil);
   maybe_quit ();
@@ -2000,7 +2008,7 @@ programs.  */)
     error ("Error in CCL program at %dth code", ccl.ic);
 
   for (i = 0; i < 8; i++)
-    ASET (reg, i, make_fixnum (ccl.reg[i]));
+    ASET (reg, i, make_int (ccl.reg[i]));
   return Qnil;
 }
 
@@ -2059,12 +2067,15 @@ usage: (ccl-execute-on-string CCL-PROGRAM STATUS STRING &optional CONTINUE UNIBY
     {
       if (NILP (AREF (status, i)))
 	ASET (status, i, make_fixnum (0));
-      if (TYPE_RANGED_FIXNUMP (int, AREF (status, i)))
-	ccl.reg[i] = XFIXNUM (AREF (status, i));
+      intmax_t n;
+      if (INTEGERP (AREF (status, i))
+	  && integer_to_intmax (AREF (status, i), &n)
+	  && INT_MIN <= n && n <= INT_MAX)
+	ccl.reg[i] = n;
     }
-  if (FIXNUMP (AREF (status, 8)))
+  intmax_t ic;
+  if (INTEGERP (AREF (status, 8)) && integer_to_intmax (AREF (status, 8), &ic))
     {
-      EMACS_INT ic = XFIXNUM (AREF (status, 8));
       if (ccl.ic < ic && ic < ccl.size)
 	ccl.ic = ic;
     }
@@ -2139,8 +2150,8 @@ usage: (ccl-execute-on-string CCL-PROGRAM STATUS STRING &optional CONTINUE UNIBY
     error ("CCL program interrupted at %dth code", ccl.ic);
 
   for (i = 0; i < 8; i++)
-    ASET (status, i, make_fixnum (ccl.reg[i]));
-  ASET (status, 8, make_fixnum (ccl.ic));
+    ASET (status, i, make_int (ccl.reg[i]));
+  ASET (status, 8, make_int (ccl.ic));
 
   val = make_specified_string ((const char *) outbuf, produced_chars,
 			       outp - outbuf, NILP (unibyte_p));
-- 
2.39.2