From e398c61cb14ef89632fa28fe97b98c71695d6ccc Mon Sep 17 00:00:00 2001 From: Chong Yidong Date: Sat, 9 Jan 2010 17:32:47 -0500 Subject: [PATCH] Fix bounds checking for text properties in `format' (Bug#5306). * intervals.h, textprop.c (extend_property_ranges): Return value and args changed. Discard properties that begin at or after the new end (Bug#5306). * editfns.c (Fformat): Caller changed. --- src/ChangeLog | 6 ++++++ src/editfns.c | 4 ++-- src/intervals.h | 2 +- src/textprop.c | 35 ++++++++++++++++++++++++++--------- 4 files changed, 35 insertions(+), 12 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index 5b69f08c733..60ea0cf622c 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,11 @@ 2010-01-09 Chong Yidong + * intervals.h, textprop.c (extend_property_ranges): Return value + and args changed. Discard properties that begin at or after the + new end (Bug#5306). + + * editfns.c (Fformat): Caller changed. + * nsterm.m (ns_set_default_prefs): Delete function. (syms_of_nsterm): Initialize ns_command_modifier, ns_control_modifier, ns_function_modifier, ns_antialias_text, and diff --git a/src/editfns.c b/src/editfns.c index cb302f7b1e7..58e13b1ed7c 100644 --- a/src/editfns.c +++ b/src/editfns.c @@ -4177,8 +4177,8 @@ usage: (format STRING &rest OBJECTS) */) len = make_number (SCHARS (args[n])); new_len = make_number (info[n].end - info[n].start); props = text_property_list (args[n], make_number (0), len, Qnil); - extend_property_ranges (props, len, new_len); - /* If successive arguments have properites, be sure that + props = extend_property_ranges (props, new_len); + /* If successive arguments have properties, be sure that the value of `composition' property be the copy. */ if (n > 1 && info[n - 1].end) make_composition_value_copy (props); diff --git a/src/intervals.h b/src/intervals.h index d1b43ee3498..59832c9664f 100644 --- a/src/intervals.h +++ b/src/intervals.h @@ -335,7 +335,7 @@ extern void set_text_properties_1 P_ ((Lisp_Object, Lisp_Object, Lisp_Object text_property_list P_ ((Lisp_Object, Lisp_Object, Lisp_Object, Lisp_Object)); int add_text_properties_from_list P_ ((Lisp_Object, Lisp_Object, Lisp_Object)); -void extend_property_ranges P_ ((Lisp_Object, Lisp_Object, Lisp_Object)); +Lisp_Object extend_property_ranges P_ ((Lisp_Object, Lisp_Object)); Lisp_Object get_char_property_and_overlay P_ ((Lisp_Object, Lisp_Object, Lisp_Object, Lisp_Object*)); extern int text_property_stickiness P_ ((Lisp_Object prop, Lisp_Object pos, diff --git a/src/textprop.c b/src/textprop.c index 3df5cc9204d..afeaa2b1040 100644 --- a/src/textprop.c +++ b/src/textprop.c @@ -2028,24 +2028,41 @@ add_text_properties_from_list (object, list, delta) -/* Modify end-points of ranges in LIST destructively. LIST is a list - as returned from text_property_list. Change end-points equal to - OLD_END to NEW_END. */ +/* Modify end-points of ranges in LIST destructively, and return the + new list. LIST is a list as returned from text_property_list. + Discard properties that begin at or after NEW_END, and limit + end-points to NEW_END. */ -void -extend_property_ranges (list, old_end, new_end) - Lisp_Object list, old_end, new_end; +Lisp_Object +extend_property_ranges (list, new_end) + Lisp_Object list, new_end; { - for (; CONSP (list); list = XCDR (list)) + Lisp_Object prev = Qnil, head = list; + int max = XINT (new_end); + + for (; CONSP (list); prev = list, list = XCDR (list)) { - Lisp_Object item, end; + Lisp_Object item, beg, end; item = XCAR (list); + beg = XCAR (item); end = XCAR (XCDR (item)); - if (EQ (end, old_end)) + if (XINT (beg) >= max) + { + /* The start-point is past the end of the new string. + Discard this property. */ + if (EQ (head, list)) + head = XCDR (list); + else + XSETCDR (prev, XCDR (list)); + } + else if (XINT (end) > max) + /* The end-point is past the end of the new string. */ XSETCAR (XCDR (item), new_end); } + + return head; } -- 2.39.2