From a37c69bff68c15220b7f737a721ff7e1d3291b9e Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Sat, 2 Apr 2011 00:40:13 -0700
Subject: [PATCH] * minibuf.c (read_minibuf_noninteractive): Use size_t for sizes. Check for integer overflow on size calculations.
---
 src/ChangeLog | 3 +++
 src/minibuf.c | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index a470962d74d..73be884837f 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,8 @@
 2011-04-02 Paul Eggert
+ * minibuf.c (read_minibuf_noninteractive): Use size_t for sizes.
+ Check for integer overflow on size calculations.
+
 * buffer.c (Fprevious_overlay_change): Remove var that is set but not used.
diff --git a/src/minibuf.c b/src/minibuf.c
index 4adf665f8f4..54cb9c1acd7 100644
--- a/src/minibuf.c
+++ b/src/minibuf.c
@@ -229,7 +229,7 @@ read_minibuf_noninteractive (Lisp_Object map, Lisp_Object initial,
 Lisp_Object defalt, int allow_props, int inherit_input_method)
 {
- int size, len;
+ size_t size, len;
 char *line, *s;
 Lisp_Object val;
@@ -244,6 +244,8 @@ read_minibuf_noninteractive (Lisp_Object map, Lisp_Object initial,
 && (len = strlen (line), len == size - 1 && line[len - 1] != '\n'))
 {
+ if ((size_t) -1 / 2 < size)
+ memory_full ();
 size *= 2;
 line = (char *) xrealloc (line, size);
 }
--
2.39.2
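Review bot: With `size` and `len` now `size_t`, any callee that still takes an `int` length receives an implicitly narrowed value, and the guard added in the second minibuf.c hunk bounds `size` only against `(size_t) -1 / 2`. The call that fills `line` is outside both hunks; if it is an `fgets`-style read with an `int` count (inferred from the `strlen`/newline test in the visible loop condition), `size - len` can pass INT_MAX well before that guard fires. Bounding growth by the narrower type, for example `if (INT_MAX / 2 < size) memory_full ();`, would keep the count in range. The function body starts and ends outside the hunks.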
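Review bot: The new check `if ((size_t) -1 / 2 < size)` in the second minibuf.c hunk carries no comment, and the `(size_t) -1` idiom for the largest `size_t` value is easy to misread as a signed comparison. I would add a line above it such as `/* Doubling must not wrap: a wrapped SIZE would make xrealloc shrink LINE below the LEN bytes already stored.  */`. That `len` bytes are already stored is inferred from the `len == size - 1` test in the context lines; the loop header itself is outside the hunk.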