From 91de1fb5c3c1bca627d067ed0e5a7fafa2db8dd6 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Mon, 27 Jan 2025 17:13:02 -0800
Subject: [PATCH] Make vmessage a bit safer
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
* src/xdisp.c (vmessage): Avoid undefined behavior if FRAME_MESSAGE_BUF_SIZE (f) is zero, or if doprnt generates output containing only encoding errors. Although it’s not clear whether either is possible, it is better to be safe. Also, clarify via a new local message_bufsize.
(cherry picked from commit 8e7588a2675655b88dc3ac5b7ed46ab6f1b891ec)
---
 src/xdisp.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/xdisp.c b/src/xdisp.c
index fac1d53ff12..0e1311d1db8 100644
--- a/src/xdisp.c
+++ b/src/xdisp.c
@@ -12586,17 +12586,18 @@ vmessage (const char *m, va_list ap)
 {
 ptrdiff_t len;
 ptrdiff_t maxsize = FRAME_MESSAGE_BUF_SIZE (f);
+ ptrdiff_t message_bufsize = maxsize + MAX_MULTIBYTE_LENGTH;
 USE_SAFE_ALLOCA;
- char *message_buf = SAFE_ALLOCA (maxsize + MAX_MULTIBYTE_LENGTH);
+ char *message_buf = SAFE_ALLOCA (message_bufsize);
- len = doprnt (message_buf, maxsize + MAX_MULTIBYTE_LENGTH, m, 0, ap);
+ len = doprnt (message_buf, message_bufsize, m, 0, ap);
 /* doprnt returns the buffer size minus one when it truncated a multibyte sequence. Work around that by truncating to the last valid multibyte head. */
- if (len >= maxsize)
+ if (0 < maxsize && maxsize <= len)
 {
 len = maxsize - 1;
- while (!CHAR_HEAD_P (message_buf[len]))
+ while (0 < len && !CHAR_HEAD_P (message_buf[len]))
 len--;
 message_buf[len] = 0;
 }
--
2.39.5
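Review bot: When `maxsize` is zero the new `0 < maxsize` guard skips the whole truncation block, so `len` keeps whatever doprnt returned (up to `message_bufsize - 1`) and the `len < maxsize` bound that the block otherwise establishes does not hold on that path. The code that consumes `len` and `message_buf` lies outside this hunk, so it is not visible whether it relies on that bound; if it does, testing a plain `if (maxsize <= len)` and clamping with `len = maxsize > 0 ? maxsize - 1 : 0;` would keep the result within the frame's message size while still never indexing below `message_buf[0]`. Either way, the comment above the test still describes only the multibyte workaround; I would extend it with `If maxsize is zero, skip truncation: message_buf still has room for MAX_MULTIBYTE_LENGTH bytes.` and a word on why the scan stops at index 0, so the reason for both new `0 <` checks is recorded next to them.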