From a65c0929ebd6f1980fe0f493a7d623aac63a34bd Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Sat, 8 Dec 2018 10:47:38 -0800
Subject: [PATCH] Fix integer overflow in oversize vectors

* src/alloc.c (allocate_vector): Fix integer overflow when allocating very large vectors, by taking large_vector_offset into account. Assume C99.
---
 src/alloc.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/alloc.c b/src/alloc.c
index 596de3af85e..8eaa810e53a 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -3388,12 +3388,11 @@ allocate_vectorlike (ptrdiff_t len)
 struct Lisp_Vector *
 allocate_vector (EMACS_INT len)
 {
-  struct Lisp_Vector *v;
-  ptrdiff_t nbytes_max = min (PTRDIFF_MAX, SIZE_MAX);
-
-  if (min ((nbytes_max - header_size) / word_size, MOST_POSITIVE_FIXNUM) < len)
+  ptrdiff_t wordbytes_max = (min (PTRDIFF_MAX, SIZE_MAX)
+                             - header_size - large_vector_offset);
+  if (min (wordbytes_max / word_size, MOST_POSITIVE_FIXNUM) < len)
     memory_full (SIZE_MAX);
-  v = allocate_vectorlike (len);
+  struct Lisp_Vector *v = allocate_vectorlike (len);
   if (len)
     v->header.size = len;
   return v;
-- 
2.39.5
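Review bot: The new bound on `len` only rejects values that are too large; because `len` is a signed EMACS_INT, a negative value makes `min (wordbytes_max / word_size, MOST_POSITIVE_FIXNUM) < len` false and is handed straight to allocate_vectorlike, whose handling of a negative length is not visible here. If callers cannot be relied on to pass 0 <= len, an `eassert (0 <= len);` before the comparison would make that precondition explicit and catch a bad caller in debug builds rather than letting a negative size reach the allocator. The wordbytes_max computation would also benefit from a one-line comment, since subtracting large_vector_offset for every vector (presumably only large vectors actually carry that prefix) reads as a mistake to someone unfamiliar with the layout; something like `/* Conservative: reserve large_vector_offset for every vector so header_size + len * word_size + large_vector_offset cannot overflow in allocate_vectorlike.  */` would do. The closing brace of allocate_vector lies outside the hunk.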