From a3d9c2a4ce11ea001c9ac97c8a6fb9a4f9a1d1ac Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Thu, 28 Jul 2011 18:59:57 -0700
Subject: [PATCH] * xrdb.c: Integer and memory overflow issues.
(magic_file_p): Plug memory leak on size overflow.
(get_environ_db): Don't assume path length fits in int, as sprintf is limited to int lengths.
---
 src/ChangeLog | 5 +++++
 src/xrdb.c | 21 +++++++++++----------
 2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index b5c5afd7a1e..09ee5a8e4dc 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,10 @@ 2011-07-29 Paul Eggert + * xrdb.c: Integer and memory overflow issues. + (magic_file_p): Plug memory leak on size overflow. + (get_environ_db): Don't assume path length fits in int, + as sprintf is limited to int lengths. + * xgselect.c (xg_select): Check for size calculation overflow. Don't update size until alloc done.
diff --git a/src/xrdb.c b/src/xrdb.c
index 6a16e3260bd..7c2cd586b09 100644
--- a/src/xrdb.c
+++ b/src/xrdb.c
@@ -204,7 +204,10 @@ magic_file_p (const char *string, EMACS_INT string_len, const char *class,
 if (path_size - path_len <= next_len)
 {
 if (min (PTRDIFF_MAX, SIZE_MAX) / 2 - 1 - path_len < next_len)
- memory_full (SIZE_MAX);
+ {
+ xfree (path);
+ memory_full (SIZE_MAX);
+ }
 path_size = (path_len + next_len + 1) * 2;
 path = (char *) xrealloc (path, path_size);
 }
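Review bot: The added `xfree (path)` in the overflow branch is correct only if `memory_full` never returns, because the statements after the branch go on to call `xrealloc (path, path_size)` on the same pointer, and nothing in the hunk states that assumption. A short comment on the new block would record it, for example `/* memory_full does not return; release path first so it is not leaked.  */`. Whether `memory_full` is declared as non-returning is not visible here. magic_file_p starts and ends outside the hunk, so other exit paths that still hold `path` cannot be checked from this view.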
@@ -426,24 +429,22 @@ get_environ_db (void)
 {
 XrmDatabase db;
 char *p;
- char *path = 0, *home = 0;
- const char *host;
+ char *path = 0;
 if ((p = getenv ("XENVIRONMENT")) == NULL)
 {
- home = gethomedir ();
- host = get_system_name ();
- path = (char *) xmalloc (strlen (home)
- + sizeof (".Xdefaults-")
- + strlen (host));
- sprintf (path, "%s%s%s", home, ".Xdefaults-", host);
+ static char const xdefaults[] = ".Xdefaults-";
+ char *home = gethomedir ();
+ char const *host = get_system_name ();
+ ptrdiff_t pathsize = strlen (home) + sizeof xdefaults + strlen (host);
+ path = (char *) xrealloc (home, pathsize);
+ strcat (strcat (path, xdefaults), host);
 p = path;
 }
 db = XrmGetFileDatabase (p);
 xfree (path);
- xfree (home);
 return db;
 }
--
2.39.2
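Review bot: The `strcat (strcat (path, xdefaults), host)` chain carries no bound of its own and is safe only because `pathsize` was computed from the same three strings, with `sizeof xdefaults` supplying the byte for the terminating NUL. That invariant, and the fact that `xrealloc (home, pathsize)` takes over the buffer returned by `gethomedir`, deserve a comment such as `/* Grow the malloc'd HOME string in place; sizeof xdefaults counts the trailing NUL.  */`. `pathsize` is declared `ptrdiff_t`, but the sum is evaluated in `size_t` with no range check, so the signed type adds no protection; either declare it `size_t` or compare the sum with `PTRDIFF_MAX` before the call. Neither `home` nor `host` is checked for NULL before `strlen`; the removed code had the same gap, and whether `gethomedir` or `get_system_name` can return NULL is not visible in this hunk.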