From f0eb61e99dce9005dc94c909046f6130b3d4a97c Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Thu, 14 Jul 2011 23:44:47 -0700
Subject: [PATCH] * bidi.c (bidi_cache_ensure_space): Also check that the bidi cache size does not exceed that of the largest Lisp string or buffer. See Eli Zaretskii in .
---
 src/ChangeLog | 3 +++
 src/bidi.c | 13 ++++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index c19786fb72c..493b3277f52 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -15,6 +15,9 @@
 Don't set bidi_cache_size until after xrealloc returns, because it might not return. (bidi_dump_cached_states): Use ptrdiff_t, not int, to avoid overflow.
+ (bidi_cache_ensure_space): Also check that the bidi cache size
+ does not exceed that of the largest Lisp string or buffer. See Eli
+ Zaretskii in .
 * alloc.c (__malloc_size_t): Remove. All uses replaced by size_t. See Andreas Schwab's note
diff --git a/src/bidi.c b/src/bidi.c
index 1999606639b..697ebb92856 100644
--- a/src/bidi.c
+++ b/src/bidi.c
@@ -464,9 +464,16 @@ bidi_cache_ensure_space (ptrdiff_t idx)
 if (idx >= bidi_cache_size)
 {
 ptrdiff_t new_size;
- ptrdiff_t max_size =
- min (PTRDIFF_MAX, SIZE_MAX) / elsz / BIDI_CACHE_CHUNK * BIDI_CACHE_CHUNK;
- if (max_size <= idx)
+
+ /* The bidi cache cannot be larger than the largest Lisp string
+ or buffer. */
+ ptrdiff_t string_or_buffer_bound =
+ max (BUF_BYTES_MAX, STRING_BYTES_BOUND);
+
+ /* Also, it cannot be larger than what C can represent. */
+ ptrdiff_t c_bound = min (PTRDIFF_MAX, SIZE_MAX) / elsz;
+
+ if (min (string_or_buffer_bound, c_bound) <= idx)
 memory_full (SIZE_MAX);
 new_size = idx - idx % BIDI_CACHE_CHUNK + BIDI_CACHE_CHUNK;
 bidi_cache = (struct bidi_it *) xrealloc (bidi_cache, new_size * elsz);
--
2.39.2
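Review bot: The new `c_bound` in the bidi.c hunk is no longer rounded down to a multiple of `BIDI_CACHE_CHUNK`, so the chunk rounding-up on the unchanged line `new_size = idx - idx % BIDI_CACHE_CHUNK + BIDI_CACHE_CHUNK;` can produce a `new_size` up to `BIDI_CACHE_CHUNK - 1` elements above whichever bound wins the `min`; when `c_bound` is the binding limit, `new_size * elsz` passed to xrealloc may then exceed `min (PTRDIFF_MAX, SIZE_MAX)`, which is exactly the overflow the removed `max_size` expression (with its `/ BIDI_CACHE_CHUNK * BIDI_CACHE_CHUNK`) was preventing. Rounding the combined limit down before the check restores that invariant, e.g. `ptrdiff_t bound = min (string_or_buffer_bound, c_bound) / BIDI_CACHE_CHUNK * BIDI_CACHE_CHUNK;` followed by `if (bound <= idx)`. Which of the two bounds is smaller depends on the definitions of `BUF_BYTES_MAX`, `STRING_BYTES_BOUND` and `elsz`, none of which is visible here, so the overflow path is presumably platform-dependent, but the rounding is cheap in either case and keeps the "cannot be larger than" comments literally true. The body of `bidi_cache_ensure_space` starts before this hunk (where `elsz` is presumably defined) and continues after it.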