From b8898fdae2fd08ca3406c47a18de3465dd1a4a39 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Thu, 28 Jul 2011 14:49:16 -0700
Subject: [PATCH] * frame.c: Integer overflow fixes. (set_menu_bar_lines, x_set_frame_parameters, x_set_scroll_bar_width) (x_figure_window_size): Check for integer overflow. (x_set_alpha): Do not assume XINT fits in int.
---
 src/ChangeLog | 5 +++++
 src/frame.c | 38 ++++++++++++++++++++------------------
 2 files changed, 25 insertions(+), 18 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 7a7c8c14407..c46eec626bd 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,10 @@
 2011-07-28 Paul Eggert
 
+ * frame.c: Integer overflow fixes.
+ (set_menu_bar_lines, x_set_frame_parameters, x_set_scroll_bar_width)
+ (x_figure_window_size): Check for integer overflow.
+ (x_set_alpha): Do not assume XINT fits in int.
+
 * eval.c: Integer and memory overflow fixes.
 (init_eval_once, grow_specpdl): Don't update size until alloc succeeds.
 (call_debugger, grow_specpdl): Redo calculations to avoid overflow.
diff --git a/src/frame.c b/src/frame.c
index 635996ca424..ca3ca49577c 100644
--- a/src/frame.c
+++ b/src/frame.c
@@ -160,7 +160,7 @@ set_menu_bar_lines (struct frame *f, Lisp_Object value, Lisp_Object oldval)
 if (FRAME_MINIBUF_ONLY_P (f))
 return;
 
- if (INTEGERP (value))
+ if (TYPE_RANGED_INTEGERP (int, value))
 nlines = XINT (value);
 else
 nlines = 0;
@@ -2994,7 +2994,7 @@ x_set_frame_parameters (FRAME_PTR f, Lisp_Object alist)
 f->size_hint_flags &= ~ (XNegative | YNegative);
 if (EQ (left, Qminus))
 f->size_hint_flags |= XNegative;
- else if (INTEGERP (left))
+ else if (TYPE_RANGED_INTEGERP (int, left))
 {
 leftpos = XINT (left);
 if (leftpos < 0)
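Review bot: In the `@@ -160,7 +160,7 @@` hunk of set_menu_bar_lines, an integer that does not fit in `int` now takes the `else` branch and becomes `nlines = 0`, exactly like a non-integer, and nothing in the hunk records that this silent fallback is intended. A one-line comment above the test would state it, for example `/* Integers outside the range of int are treated like non-integers: no menu bar lines.  */`. The range test does not reject negative values, so whether a negative `nlines` is handled depends on code after the hunk, which is not visible here. set_menu_bar_lines starts and ends outside the hunk.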
@@ -3002,21 +3002,21 @@ x_set_frame_parameters (FRAME_PTR f, Lisp_Object alist)
 }
 else if (CONSP (left) && EQ (XCAR (left), Qminus)
 && CONSP (XCDR (left))
- && INTEGERP (XCAR (XCDR (left))))
+ && RANGED_INTEGERP (-INT_MAX, XCAR (XCDR (left)), INT_MAX))
 {
 leftpos = - XINT (XCAR (XCDR (left)));
 f->size_hint_flags |= XNegative;
 }
 else if (CONSP (left) && EQ (XCAR (left), Qplus)
 && CONSP (XCDR (left))
- && INTEGERP (XCAR (XCDR (left))))
+ && TYPE_RANGED_INTEGERP (int, XCAR (XCDR (left))))
 {
 leftpos = XINT (XCAR (XCDR (left)));
 }
 
 if (EQ (top, Qminus))
 f->size_hint_flags |= YNegative;
- else if (INTEGERP (top))
+ else if (TYPE_RANGED_INTEGERP (int, top))
 {
 toppos = XINT (top);
 if (toppos < 0)
@@ -3024,14 +3024,14 @@ x_set_frame_parameters (FRAME_PTR f, Lisp_Object alist)
 }
 else if (CONSP (top) && EQ (XCAR (top), Qminus)
 && CONSP (XCDR (top))
- && INTEGERP (XCAR (XCDR (top))))
+ && RANGED_INTEGERP (-INT_MAX, XCAR (XCDR (top)), INT_MAX))
 {
 toppos = - XINT (XCAR (XCDR (top)));
 f->size_hint_flags |= YNegative;
 }
 else if (CONSP (top) && EQ (XCAR (top), Qplus)
 && CONSP (XCDR (top))
- && INTEGERP (XCAR (XCDR (top))))
+ && TYPE_RANGED_INTEGERP (int, XCAR (XCDR (top))))
 {
 toppos = XINT (XCAR (XCDR (top)));
 }
@@ -3483,7 +3483,7 @@ x_set_scroll_bar_width (struct frame *f, Lisp_Object arg, Lisp_Object oldval)
 x_set_window_size (f, 0, FRAME_COLS (f), FRAME_LINES (f));
 do_pending_window_change (0);
 }
- else if (INTEGERP (arg) && XINT (arg) > 0
+ else if (RANGED_INTEGERP (1, arg, INT_MAX)
 && XFASTINT (arg) != FRAME_CONFIG_SCROLL_BAR_WIDTH (f))
 {
 if (XFASTINT (arg) <= 2 * VERTICAL_SCROLL_BAR_WIDTH_TRIM)
@@ -3522,7 +3522,7 @@ x_set_alpha (struct frame *f, Lisp_Object arg, Lisp_Object oldval)
 {
 double alpha = 1.0;
 double newval[2];
- int i, ialpha;
+ int i;
 Lisp_Object item;
 
 for (i = 0; i < 2; i++)
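Review bot: The `Qminus` branch in the `@@ -3002,21 +3002,21 @@` hunk tests `RANGED_INTEGERP (-INT_MAX, …, INT_MAX)` while the `Qplus` and bare-integer branches test `TYPE_RANGED_INTEGERP (int, …)`, and the reason for the different lower bound is not written down. The bound appears to be chosen because the value is negated on the following line (`leftpos = - XINT (...)`), where `INT_MIN` would overflow. A short comment at the first use, such as `/* -INT_MAX rather than INT_MIN, because the value is negated below.  */`, would keep a later cleanup from replacing it with `TYPE_RANGED_INTEGERP`. The same applies to the `toppos` branch in the `@@ -3024,14 +3024,14 @@` hunk and to the `f->top_pos` and `f->left_pos` branches in the `@@ -4099,14 +4101,14 @@` and `@@ -4127,14 +4129,14 @@` hunks of x_figure_window_size. The enclosing if/else chain starts before this hunk.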
@@ -3546,7 +3546,7 @@ x_set_alpha (struct frame *f, Lisp_Object arg, Lisp_Object oldval)
 }
 else if (INTEGERP (item))
 {
- ialpha = XINT (item);
+ EMACS_INT ialpha = XINT (item);
 if (ialpha < 0 || 100 < ialpha)
 args_out_of_range (make_number (0), make_number (100));
 else
@@ -4033,11 +4033,15 @@ x_figure_window_size (struct frame *f, Lisp_Object parms, int toolbar_p)
 if (!EQ (tem0, Qunbound))
 {
 CHECK_NUMBER (tem0);
+ if (! (0 <= XINT (tem0) && XINT (tem0) <= INT_MAX))
+ xsignal1 (Qargs_out_of_range, tem0);
 FRAME_LINES (f) = XINT (tem0);
 }
 if (!EQ (tem1, Qunbound))
 {
 CHECK_NUMBER (tem1);
+ if (! (0 <= XINT (tem1) && XINT (tem1) <= INT_MAX))
+ xsignal1 (Qargs_out_of_range, tem1);
 SET_FRAME_COLS (f, XINT (tem1));
 }
 if (!NILP (tem2) && !EQ (tem2, Qunbound))
@@ -4068,12 +4072,10 @@ x_figure_window_size (struct frame *f, Lisp_Object parms, int toolbar_p)
 ? tool_bar_button_relief
 : DEFAULT_TOOL_BAR_BUTTON_RELIEF);
 
- if (INTEGERP (Vtool_bar_button_margin)
- && XINT (Vtool_bar_button_margin) > 0)
+ if (RANGED_INTEGERP (1, Vtool_bar_button_margin, INT_MAX))
 margin = XFASTINT (Vtool_bar_button_margin);
 else if (CONSP (Vtool_bar_button_margin)
- && INTEGERP (XCDR (Vtool_bar_button_margin))
- && XINT (XCDR (Vtool_bar_button_margin)) > 0)
+ && RANGED_INTEGERP (1, XCDR (Vtool_bar_button_margin), INT_MAX))
 margin = XFASTINT (XCDR (Vtool_bar_button_margin));
 else
 margin = 0;
@@ -4099,14 +4101,14 @@ x_figure_window_size (struct frame *f, Lisp_Object parms, int toolbar_p)
 }
 else if (CONSP (tem0) && EQ (XCAR (tem0), Qminus)
 && CONSP (XCDR (tem0))
- && INTEGERP (XCAR (XCDR (tem0))))
+ && RANGED_INTEGERP (-INT_MAX, XCAR (XCDR (tem0)), INT_MAX))
 {
 f->top_pos = - XINT (XCAR (XCDR (tem0)));
 window_prompting |= YNegative;
 }
 else if (CONSP (tem0) && EQ (XCAR (tem0), Qplus)
 && CONSP (XCDR (tem0))
- && INTEGERP (XCAR (XCDR (tem0))))
+ && TYPE_RANGED_INTEGERP (int, XCAR (XCDR (tem0))))
 {
 f->top_pos = XINT (XCAR (XCDR (tem0)));
 }
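Review bot: The checks added in the `@@ -4033,11 +4033,15 @@` hunk accept any value from 0 to `INT_MAX` for the frame's lines and columns, which guarantees only that the stores through `FRAME_LINES (f)` and `SET_FRAME_COLS` do not truncate. If later code multiplies these counts by a character cell size in `int` arithmetic (not visible in this hunk), a value near `INT_MAX` would still overflow there, so a geometry-specific upper bound may be needed; 0 is also accepted, and it is worth confirming that a zero-line or zero-column frame is valid. As a matter of style, the two hand-written tests could use the macro the rest of the patch uses, `if (! RANGED_INTEGERP (0, tem0, INT_MAX))`, and likewise for `tem1`. x_figure_window_size starts and ends outside the hunk.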
@@ -4127,14 +4129,14 @@ x_figure_window_size (struct frame *f, Lisp_Object parms, int toolbar_p)
 }
 else if (CONSP (tem1) && EQ (XCAR (tem1), Qminus)
 && CONSP (XCDR (tem1))
- && INTEGERP (XCAR (XCDR (tem1))))
+ && RANGED_INTEGERP (-INT_MAX, XCAR (XCDR (tem1)), INT_MAX))
 {
 f->left_pos = - XINT (XCAR (XCDR (tem1)));
 window_prompting |= XNegative;
 }
 else if (CONSP (tem1) && EQ (XCAR (tem1), Qplus)
 && CONSP (XCDR (tem1))
- && INTEGERP (XCAR (XCDR (tem1))))
+ && TYPE_RANGED_INTEGERP (int, XCAR (XCDR (tem1))))
 {
 f->left_pos = XINT (XCAR (XCDR (tem1)));
 }
-- 
2.39.2