+2011-07-29 Paul Eggert <eggert@cs.ucla.edu>
+
+ Integer and memory overflow issues.
+
+ * bidi.c (bidi_shelve_header_size): New constant.
+ (bidi_cache_ensure_space, bidi_shelve_cache): Use it.
+ (bidi_cache_ensure_space): Avoid integer overflow when allocating.
+
+ * buffer.c (overlays_at, overlays_in, record_overlay_string)
+ (overlay_strings):
+ Don't update size of array until after memory allocation succeeds,
+ because xmalloc/xrealloc may not return.
+
+ * callproc.c (child_setup): Don't assume strlen fits in int.
+
+ * ccl.c (Fccl_execute_on_string): Check for memory overflow.
+ Use ptrdiff_t rather than EMACS_INT where ptrdiff_t will do.
+ Redo buffer-overflow calculations to avoid integer overflow.
+
+ * character.c (Fstring): Check for size-calculation overflow.
+
+ * coding.c (produce_chars): Redo buffer-overflow calculations to avoid
+ unnecessary integer overflow. Check for size overflow.
+ (encode_coding_object): Don't update size until xmalloc succeeds.
+
+ * composite.c (get_composition_id): Check for overflow in glyph
+ length calculations.
+
+ Integer and memory overflow fixes for display code.
+ * dispextern.h (struct glyph_pool.nglyphs): Now ptrdiff_t, not int.
+ * dispnew.c (adjust_glyph_matrix, realloc_glyph_pool)
+ (scrolling_window): Check for overflow in size calculations.
+ (line_draw_cost, realloc_glyph_pool, add_row_entry):
+ Don't assume glyph table len fits in int.
+ (struct row_entry.bucket, row_entry_pool_size, row_entry_idx)
+ (row_table_size): Now ptrdiff_t, not int.
+ (scrolling_window): Avoid overflow in size calculations.
+ Don't update size until allocation succeeds.
+ * fns.c (concat): Check for overflow in size calculations.
+ (next_almost_prime): Verify NEXT_ALMOST_PRIME_LIMIT.
+ * lisp.h (RANGED_INTEGERP, TYPE_RANGED_INTEGERP): New macros.
+ (NEXT_ALMOST_PRIME_LIMIT): New constant.
+
+ * doc.c (get_doc_string_buffer_size): Now ptrdiff_t, not int.
+ (get_doc_string): Check for size calculation overflow.
+ Don't update size until allocation succeeds.
+ (get_doc_string, Fsubstitute_command_keys): Use ptrdiff_t, not
+ EMACS_INT, where ptrdiff_t will do.
+ (Fsubstitute_command_keys): Check for string overflow.
+
+ * editfns.c (set_time_zone_rule): Don't assume environment length
+ fits in int.
+ (message_length): Now ptrdiff_t, not int.
+ (Fmessage_box): Don't update size until allocation succeeds.
+ Don't assume message length fits in int.
+ (Fformat): Use ptrdiff_t, not EMACS_INT, where ptrdiff_t will do.
+
+ * emacs.c (main, sort_args): Check for size-calculation overflow.
+
+ * eval.c (init_eval_once, grow_specpdl): Don't update size until
+ alloc succeeds.
+ (call_debugger, grow_specpdl): Redo calculations to avoid overflow.
+
+ * frame.c (set_menu_bar_lines, x_set_frame_parameters)
+ (x_set_scroll_bar_width, x_figure_window_size):
+ Check for integer overflow.
+ (x_set_alpha): Do not assume XINT fits in int.
+
+ * frame.h (struct frame): Use int, not EMACS_INT, where int works.
+ This is for the members text_lines, text_cols, total_lines, total_cols,
+ where the system imposes an 'int' limit.
+
+ * fringe.c (Fdefine_fringe_bitmap):
+ Don't update size until alloc works.
+
+ * ftfont.c (ftfont_get_open_type_spec, setup_otf_gstring)
+ (ftfont_shape_by_flt): Check for integer overflow in size calculations.
+
+ * gtkutil.c (get_utf8_string, xg_store_widget_in_map):
+ Check for size-calculation overflow.
+ (get_utf8_string): Use ptrdiff_t, not size_t, where either will
+ do, as we prefer signed integers.
+ (id_to_widget.max_size, id_to_widget.used)
+ (xg_store_widget_in_map, xg_remove_widget_from_map)
+ (xg_get_widget_from_map, xg_get_scroll_id_for_window)
+ (xg_remove_scroll_bar, xg_update_scrollbar_pos):
+ Use and return ptrdiff_t, not int.
+ (xg_gtk_scroll_destroy): Don't assume ptrdiff_t fits in int.
+ * gtkutil.h: Change prototypes to match the above.
+
+ * image.c (RANGED_INTEGERP, TYPE_RANGED_INTEGERP): Remove; these
+ are duplicate now that they've been promoted to lisp.h.
+ (x_allocate_bitmap_record, x_alloc_image_color)
+ (make_image_cache, cache_image, xpm_load):
+ Don't update size until alloc is done.
+ (xpm_load, lookup_rgb_color, lookup_pixel_color, x_to_xcolors)
+ (x_detect_edges):
+ Check for size calculation overflow.
+ (ct_colors_allocated_max): New constant.
+ (x_to_xcolors, x_detect_edges): Reorder multiplicands to avoid
+ overflow.
+
+ * keyboard.c (read_char, menu_bar_items, tool_bar_items)
+ (read_char_x_menu_prompt, read_char_minibuf_menu_width)
+ (read_char_minibuf_menu_prompt, follow_key, read_key_sequence):
+ Use ptrdiff_t, not int, to count maps.
+ (read_char_minibuf_menu_prompt): Check for overflow in size
+ calculations. Don't update size until allocation succeeds. Redo
+ calculations to avoid overflow.
+ * keyboard.h: Change prototypes to match the above.
+
+ * keymap.c (cmm_size, current_minor_maps): Use ptrdiff_t, not int,
+ to count maps.
+ (current_minor_maps): Check for size calculation overflow.
+ * keymap.h: Change prototypes to match the above.
+
+ * lread.c (read1, init_obarray): Don't update size until alloc done.
+
+ * macros.c (Fstart_kbd_macro): Don't update size until alloc done.
+ (store_kbd_macro_char): Reorder multiplicands to avoid overflow.
+
+ * minibuf.c (read_minibuf_noninteractive): Don't leak memory
+ on memory overflow.
+
+ * nsterm.h (struct ns_color_table.size, struct ns_color_table.avail):
+ Now ptrdiff_t, not int.
+ * nsterm.m (ns_index_color): Use ptrdiff_t, not int, for table indexes.
+ (ns_draw_fringe_bitmap): Rewrite to avoid overflow.
+
+ * process.c (Fnetwork_interface_list): Check for overflow
+ in size calculation.
+
+ * region-cache.c (move_cache_gap): Check for size calculation overflow.
+
+ * scroll.c (do_line_insertion_deletion_costs): Check for size calc
+ overflow. Don't bother calling xmalloc when xrealloc will do.
+
+ * search.c (Freplace_match): Check for size calculation overflow.
+ (Fset_match_data): Don't assume list lengths fit in 'int'.
+
+ * sysdep.c (system_process_attributes): Use ptrdiff_t, not int,
+ for command line length. Do not attempt to address one before the
+ beginning of an array, as that's not portable.
+
+ * term.c (max_frame_lines): Remove; unused.
+ (encode_terminal_src_size, encode_terminal_dst_size): Now ptrdiff_t,
+ not int.
+ (encode_terminal_code, calculate_costs): Check for size
+ calculation overflow.
+ (encode_terminal_code): Use ptrdiff_t, not int, to record glyph
+ table lengths and related sizes. Don't update size until alloc
+ done. Redo calculations to avoid overflow.
+ (calculate_costs): Don't bother calling xmalloc when xrealloc will do.
+
+ * termcap.c (tgetent): Use ptrdiff_t, not int, to record results of
+ subtracting pointers.
+ (gobble_line): Check for overflow more carefully. Don't update size
+ until alloc done.
+
+ * tparam.c (tparam1): Use ptrdiff_t, not int, for sizes.
+ Don't update size until alloc done.
+ Redo size calculations to avoid overflow.
+ Check for size calculation overflow.
+
+ * xdisp.c (store_mode_line_noprop_char, x_consider_frame_title):
+ Use ptrdiff_t, not int, for sizes.
+ (store_mode_line_noprop_char): Don't update size until alloc done.
+
+ * xfaces.c (Finternal_make_lisp_face): Use ptrdiff_t, not int, for
+ sizes. Check for size calculation overflow.
+ (cache_face): Do not overflow in size calculation.
+
+ * xfns.c (x_encode_text, x_set_name_internal)
+ (Fx_change_window_property): Use ptrdiff_t, not int, to count
+ sizes, since they can exceed INT_MAX in size. Check for size
+ calculation overflow.
+
+ * xgselect.c (xg_select): Check for size calculation overflow.
+ Don't update size until alloc done.
+
+ * xrdb.c (magic_file_p): Plug memory leak on size overflow.
+ (get_environ_db): Don't assume path length fits in int,
+ as sprintf is limited to int lengths.
+
+ * xselect.c (X_LONG_SIZE, X_USHRT_MAX, X_ULONG_MAX): New macros.
+ Use them to make the following changes clearer.
+ (MAX_SELECTION_QUANTUM): Make the other bounds on this value clearer.
+ This change doesn't affect the value now, but it may help remind
+ future maintainers not to raise the value too much later.
+ (SELECTION_QUANTUM): Remove, replacing with ...
+ (selection_quantum): ... new function, which avoids overflow.
+ All uses changed.
+ (struct selection_data.size): Now ptrdiff_t, not int, to avoid
+ assumption that selection length fits in 'int'.
+ (x_reply_selection_request, x_handle_selection_request)
+ (x_get_window_property, receive_incremental_selection)
+ (x_get_window_property_as_lisp_data, selection_data_to_lisp_data)
+ (lisp_data_to_selection_data, clean_local_selection_data):
+ Use ptrdiff_t, not int, to record length of selection.
+ (x_reply_selection_request, x_get_window_property)
+ (receive_incremental_selection, x_property_data_to_lisp):
+ Redo calculations to avoid overflow.
+ (x_reply_selection_request): When sending hint, ceiling it at
+ X_ULONG_MAX rather than relying on wraparound overflow to send
+ something.
+ (x_get_window_property, receive_incremental_selection)
+ (lisp_data_to_selection_data, x_property_data_to_lisp):
+ Check for size-calculation overflow.
+ (x_get_window_property, receive_incremental_selection)
+ (lisp_data_to_selection_data, Fx_register_dnd_atom):
+ Don't store size until memory allocation succeeds.
+ (x_get_window_property): Plug memory leak on memory exhaustion.
+ Don't double-block input; malloc is safe here. Don't assume 2**34
+ - 4 fits in unsigned long. Add an xassert to check
+ XGetWindowProperty overflow. Be more careful about overflow
+ calculations, and distinguish size from memory overflow better.
+ (receive_incremental_selection): When tracing, don't assume
+ unsigned int is less than INT_MAX.
+ (x_selection_data_to_lisp_data): Remove unnecessary (and in theory
+ harmful) conversions of unsigned short to int.
+ (lisp_data_to_selection_data): Don't assume that integers
+ in the range -65535 through -1 fit in an X unsigned short.
+ Don't assume that ULONG_MAX == X_ULONG_MAX. Don't store into
+ result parameters unless successful. Rely on cons_to_unsigned
+ to report problems with elements; the old code wasn't right anyway.
+ (x_check_property_data): Check for int overflow; we cannot use
+ a wider type due to X limits.
+ (x_handle_dnd_message): Use unsigned int, to avoid int overflow.
+
+ * xsmfns.c (smc_save_yourself_CB): Check for size calc overflow.
+
+ * xterm.c (x_color_cells, handle_one_xevent, x_term_init):
+ Check for size calculation overflow.
+ (x_color_cells): Don't store size until memory allocation succeeds.
+ (handle_one_xevent): Use ptrdiff_t, not int, for byte counts.
+ (x_term_init): Don't assume length fits in int (sprintf is limited
+ to int size).
+
+ Use ptrdiff_t for composition IDs.
+ * character.c (lisp_string_width):
+ * composite.c (composition_table_size, n_compositions)
+ (get_composition_id, composition_gstring_from_id):
+ * dispextern.h (struct glyph_string.cmp_id, struct composition_it.id):
+ * xdisp.c (BUILD_COMPOSITE_GLYPH_STRING):
+ * window.c (Frecenter):
+ Use ptrdiff_t, not int, for composition IDs.
+ * composite.c (get_composition_id): Check for integer overflow.
+ * composite.h: Adjust prototypes to match the above changes.
+
+ Use ptrdiff_t for hash table indexes.
+ * category.c (hash_get_category_set):
+ * ccl.c (ccl_driver):
+ * charset.h (struct charset.hash_index, CHECK_CHARSET_GET_ID):
+ * coding.c (coding_system_charset_list, detect_coding_system):
+ * coding.h (struct coding_system.id):
+ * composite.c (get_composition_id, gstring_lookup_cache):
+ * fns.c (hash_lookup, hash_put, Fgethash, Fputhash):
+ * image.c (xpm_get_color_table_h):
+ * lisp.h (hash_lookup, hash_put):
+ * minibuf.c (Ftest_completion):
+ Use ptrdiff_t for hash table indexes, not int (which is too
+ narrow, on 64-bit hosts) or EMACS_INT (which is too wide, on
+ 32-bit --with-wide-int hosts).
+
+ * charset.c (Fdefine_charset_internal): Check for integer overflow.
+ Add a FIXME comment about memory leaks.
+ (syms_of_charset): Don't assume xmalloc returns.
+
+ Don't assume that stated character widths fit in int.
+ * character.c (Fchar_width, c_string_width, lisp_string_width):
+ * character.h (CHAR_WIDTH):
+ * indent.c (MULTIBYTE_BYTES_WIDTH):
+ Use sanitize_char_width to avoid undefined and/or bad behavior
+ with outlandish widths.
+ * character.h (sanitize_tab_width): Renamed from sanitize_width,
+ now that we have two such functions. All uses changed.
+ (sanitize_char_width): New inline function.
+
+ Don't assume that tab-width fits in int.
+ * character.h (sanitize_width): New inline function.
+ (SANE_TAB_WIDTH): New macro.
+ (ASCII_CHAR_WIDTH): Use it.
+ * indent.c (sane_tab_width): Remove. All uses replaced by
+ SANE_TAB_WIDTH (current_buffer).
+ * xdisp.c (init_iterator): Use SANE_TAB_WIDTH.
+
+ * fileio.c: Integer overflow issues with file modes.
+ (Fset_file_modes, auto_save_1): Don't assume EMACS_INT fits in int.
+
+ * charset.c (read_hex): New arg OVERFLOW. All uses changed.
+ Remove unreachable code.
+ (read_hex, load_charset_map_from_file): Check for integer overflow.
+
+ * xterm.c: don't go over XClientMessageEvent limit
+ (scroll_bar_windows_size): Now ptrdiff_t, as we prefer signed.
+ (x_send_scroll_bar_event): Likewise. Check that the size does not
+ exceed limits imposed by XClientMessageEvent, as well as the usual
+ ptrdiff_t and size_t limits.
+
+ * keyboard.c: Overflow, signedness and related fixes.
+ (make_lispy_movement): Use same integer type in forward decl
+ that is used in the definition.
+ (read_key_sequence, keyremap_step):
+ Change bufsize argument back to int, undoing my 2011-03-30 change.
+ We prefer signed types, and int is wide enough here.
+ (parse_tool_bar_item): Don't assume tool_bar_max_label_size is less
+ than TYPE_MAXIMUM (EMACS_INT) / 2. Don't let the label size grow
+ larger than STRING_BYTES_BOUND. Use ptrdiff_t for Emacs string
+ length, not size_t. Use ptrdiff_t for index, not int.
+ (keyremap_step, read_key_sequence): Redo bufsize check to avoid
+ possibility of integer overflow.
+
+ Overflow, signedness and related fixes for images.
+
+ * dispextern.h (struct it.stack[0].u.image.image_id)
+ (struct_it.image_id, struct image.id, struct image_cache.size)
+ (struct image_cache.used, struct image_cache.ref_count):
+ * gtkutil.c (update_frame_tool_bar):
+ * image.c (x_reference_bitmap, Fimage_size, Fimage_mask_p)
+ (Fimage_metadata, free_image_cache, clear_image_cache, lookup_image)
+ (cache_image, mark_image_cache, x_kill_gs_process, Flookup_image):
+ * nsmenu.m (update_frame_tool_bar):
+ * xdisp.c (calc_pixel_width_or_height):
+ * xfns.c (image_cache_refcount):
+ Image IDs are now ptrdiff_t, not int, to avoid arbitrary limits
+ on typical 64-bit hosts.
+
+ * image.c (RANGED_INTEGERP, TYPE_RANGED_INTEGERP): New macros.
+ (x_bitmap_pixmap, x_create_x_image_and_pixmap):
+ Omit unnecessary casts to int.
+ (parse_image_spec): Check that integers fall into 'int' range
+ when the callers expect that.
+ (image_ascent): Redo ascent calculation to avoid int overflow.
+ (clear_image_cache): Avoid overflow when sqrt (INT_MAX) < nimages.
+ (lookup_image): Remove unnecessary tests.
+ (xbm_image_p): Locals are now of int, not EMACS_INT,
+ since parse_image_check makes sure they fit into int.
+ (png_load, gif_load, svg_load_image):
+ Prefer int to unsigned where either will do.
+ (tiff_handler): New function, combining the cores of the
+ old tiff_error_handler and tiff_warning_handler. This
+ function is rewritten to use vsnprintf and thereby avoid
+ stack buffer overflows. It uses only the features of vsnprintf
+ that are common to both POSIX and native Microsoft.
+ (tiff_error_handler, tiff_warning_handler): Use it.
+ (tiff_load, gif_load, imagemagick_load_image):
+ Don't assume :index value fits in 'int'.
+ (gif_load): Omit unnecessary cast to double, and avoid double-rounding.
+ (imagemagick_load_image): Check that crop parameters fit into
+ the integer types that MagickCropImage accepts. Don't assume
+ Vimagemagick_render_type has a nonnegative value. Don't assume
+ size_t fits in 'long'.
+ (gs_load): Use printmax_t to print the widest integers possible.
+ Check for integer overflow when computing image height and width.
+
+2011-07-28 Andreas Schwab <schwab@linux-m68k.org>
+
+ * print.c (print_object): Print empty symbol as ##.
+
+ * lread.c (read1): Read ## as empty symbol.
+
+2011-07-28 Alp Aker <alp.tekin.aker@gmail.com>
+
+ * nsfns.m (x_set_foreground_color): Set f->foreground_pixel when
+ setting frame foreground color (Bug#9175).
+ (x_set_background_color): Likewise.
+
+ * nsmenu.m (-setText): Size tooltip dimensions precisely to
+ contents (Bug#9176).
+ (EmacsTooltip -init): Remove bezels and add shadows to
+ tooltip windows.
+
+ * nsterm.m (ns_dumpglyphs_stretch): Avoid overwriting left fringe
+ or scroll bar (Bug#8470).
+
+ * nsfont.m (nsfont_open): Remove assignment to voffset and
+ unnecessary vars hshink, expand, hd, full_height, min_height.
+ (nsfont_draw): Use s->ybase as baseline for glyph drawing (Bug#8913).
+
+ * nsterm.h (nsfont_info): Remove voffset field.
+
+2011-07-28 Alp Aker <alp.tekin.aker@gmail.com>
+
+ Implement strike-through and overline on NextStep (Bug#8863).
+
+ * nsfont.m (nsfont_open): Use underline position provided by font,
+ instead of hard-coded value of 2.
+ (nsfont_draw): Call ns_draw_text_decoration instead.
+
+ * nsterm.h: Add declaration for ns_draw_text_decoration.
+
+ * nsterm.m (ns_draw_text_decoration): New function for drawing
+ underline, overline, and strike-through.
+ (ns_dumpglyphs_image, ns_dumpglyphs_stretch): Add call to
+ ns_draw_text_decoration. Change treatment of cursor drawing to
+ accomodate underlining, etc.
+
+2011-07-28 Eli Zaretskii <eliz@gnu.org>
+
+ * buffer.c (init_buffer_once): Set bidi-display-reordering to t by
+ default.
+
+2011-07-28 Paul Eggert <eggert@cs.ucla.edu>
+
+ * alloc.c (memory_full) [!SYNC_INPUT]: Fix signal-related race.
+ Without this fix, if a signal arrives just after memory fills up,
+ 'malloc' might be invoked reentrantly.
+
+ * image.c (x_check_image_size) [!HAVE_X_WINDOWS]: Return 1.
+ In other words, assume that every image size is allowed, on non-X
+ hosts. This assumption is probably wrong, but it lets Emacs compile.
+
+2011-07-28 Andreas Schwab <schwab@linux-m68k.org>
+
+ * regex.c (re_iswctype): Convert return values to boolean.
+
+2011-07-28 Eli Zaretskii <eliz@fencepost.gnu.org>
+
+ * xdisp.c (compute_display_string_pos): Don't use cached display
+ string position if the buffer had its restriction changed.
+ (Bug#9184)
+
+2011-07-28 Paul Eggert <eggert@cs.ucla.edu>
+
+ * callproc.c (Fcall_process): Use 'volatile' to avoid vfork clobbering.
+
+2011-07-28 Paul Eggert <eggert@cs.ucla.edu>
+
+ Integer signedness and overflow and related fixes. (Bug#9079)
+
+ * bidi.c: Integer size and overflow fixes.
+ (bidi_cache_size, bidi_cache_idx, bidi_cache_last_idx)
+ (bidi_cache_start, bidi_cache_fetch_state, bidi_cache_search)
+ (bidi_cache_find_level_change, bidi_cache_ensure_space)
+ (bidi_cache_iterator_state, bidi_cache_find, bidi_cache_start_stack)
+ (bidi_find_other_level_edge):
+ Use ptrdiff_t instead of EMACS_INT where either will do.
+ This works better on 32-bit hosts configured --with-wide-int.
+ (bidi_cache_ensure_space): Check for size-calculation overflow.
+ Use % rather than repeated addition, for better worst-case speed.
+ Don't set bidi_cache_size until after xrealloc returns, because it
+ might not return.
+ (bidi_dump_cached_states): Use ptrdiff_t, not int, to avoid overflow.
+ (bidi_cache_ensure_space): Also check that the bidi cache size
+ does not exceed that of the largest Lisp string or buffer. See Eli
+ Zaretskii in <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=9079#29>.
+
+ * alloc.c (__malloc_size_t): Remove.
+ All uses replaced by size_t. See Andreas Schwab's note
+ <http://debbugs.gnu.org/cgi/bugreport.cgi?bug=9079#8>.
+
+ * image.c: Improve checking for integer overflow.
+ (check_image_size): Assume that f is nonnull, since
+ it is always nonnull in practice. This is one less thing to
+ worry about when checking for integer overflow later.
+ (x_check_image_size): New function, which checks for integer
+ overflow issues inside X.
+ (x_create_x_image_and_pixmap, xbm_read_bitmap_data): Use it.
+ This removes the need for a memory_full check.
+ (xbm_image_p): Rewrite to avoid integer multiplication overflow.
+ (Create_Pixmap_From_Bitmap_Data, xbm_load): Use x_check_image_size.
+ (xbm_read_bitmap_data): Change locals back to 'int', since
+ their values must fit in 'int'.
+ (xpm_load_image, png_load, tiff_load):
+ Invoke x_create_x_image_and_pixmap earlier,
+ to avoid much needless work if the image is too large.
+ (tiff_load): Treat overly large images as if
+ x_create_x_image_and_pixmap failed, not as malloc failures.
+ (gs_load): Use x_check_image_size.
+
+ * gtkutil.c: Omit integer casts.
+ (xg_get_pixbuf_from_pixmap): Remove unnecessary cast.
+ (xg_set_toolkit_scroll_bar_thumb): Rewrite to avoid need for cast.
+
+ * image.c (png_load): Don't assume height * row_bytes fits in 'int'.
+
+ * xfaces.c (Fbitmap_spec_p): Fix integer overflow bug.
+ Without this fix, (bitmap-spec-p '(34359738368 1 "x"))
+ would wrongly return t on a 64-bit host.
+
+ * dispnew.c (init_display): Use *_RANGE_OVERFLOW macros.
+ The plain *_OVERFLOW macros run afoul of GCC bug 49705
+ <http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49705>
+ and therefore cause GCC to emit a bogus diagnostic in some cases.
+
+ * image.c: Integer signedness and overflow and related fixes.
+ This is not an exhaustive set of fixes, but it's time to
+ record what I've got.
+ (lookup_pixel_color, check_image_size): Remove redundant decls.
+ (check_image_size): Don't assume that arbitrary EMACS_INT values
+ fit in 'int', or that arbitrary 'double' values fit in 'int'.
+ (x_alloc_image_color, x_create_x_image_and_pixmap, png_load)
+ (tiff_load, imagemagick_load_image):
+ Check for overflow in size calculations.
+ (x_create_x_image_and_pixmap): Remove unnecessary test for
+ xmalloc returning NULL; that can't happen.
+ (xbm_read_bitmap_data): Don't assume sizes fit into 'int'.
+ (xpm_color_bucket): Use better integer hashing function.
+ (xpm_cache_color): Don't possibly over-allocate memory.
+ (struct png_memory_storage, tiff_memory_source, tiff_seek_in_memory)
+ (gif_memory_source):
+ Use ptrdiff_t, not int or size_t, to record sizes.
+ (png_load): Don't assume values greater than 2**31 fit in 'int'.
+ (our_stdio_fill_input_buffer): Prefer ptrdiff_t to size_t when
+ either works, as we prefer signed integers.
+ (tiff_read_from_memory, tiff_write_from_memory):
+ Return tsize_t, not size_t, since that's what the TIFF API wants.
+ (tiff_read_from_memory): Don't fail simply because the read would
+ go past EOF; instead, return a short read.
+ (tiff_load): Omit no-longer-needed casts.
+ (Fimagemagick_types): Don't assume size fits into 'int'.
+
+ Improve hashing quality when configured --with-wide-int.
+ * fns.c (hash_string): New function, taken from sxhash_string.
+ Do not discard information about ASCII character case; this
+ discarding is no longer needed.
+ (sxhash-string): Use it. Change sig to match it. Caller changed.
+ * lisp.h: Declare it.
+ * lread.c (hash_string): Remove, since we now use fns.c's version.
+ The fns.c version returns a wider integer if --with-wide-int is
+ specified, so this should help the quality of the hashing a bit.
+
+ * emacs.c: Integer overflow minor fix.
+ (heap_bss_diff): Now uprintmax_t, not unsigned long. All used changed.
+ Define only if GNU_LINUX.
+ (main, Fdump_emacs): Set and use heap_bss_diff only if GNU_LINUX.
+
+ * dispnew.c: Integer signedness and overflow fixes.
+ Remove unnecessary forward decls, that were a maintenance hassle.
+ (history_tick): Now uprintmax_t, so it's more likely to avoid overflow.
+ All uses changed.
+ (adjust_glyph_matrix, realloc_glyph_pool, adjust_frame_message_buffer)
+ (scrolling_window): Use ptrdiff_t, not int, for byte count.
+ (prepare_desired_row, line_draw_cost):
+ Use int, not unsigned, where either works.
+ (save_current_matrix, restore_current_matrix):
+ Use ptrdiff_t, not size_t, where either works.
+ (init_display): Check for overflow more accurately, and without
+ relying on undefined behavior.
+
+ * editfns.c (pWIDE, pWIDElen, signed_wide, unsigned_wide):
+ Remove, replacing with the new symbols in lisp.h. All uses changed.
+ * fileio.c (make_temp_name):
+ * filelock.c (lock_file_1, lock_file):
+ * xdisp.c (message_dolog):
+ Don't assume PRIdMAX etc. works; this isn't portable to pre-C99 hosts.
+ Use pMd etc. instead.
+ * lisp.h (printmax_t, uprintmax_t, pMd, pMu): New types and macros,
+ replacing the pWIDE etc. symbols removed from editfns.c.
+
+ * keyboard.h (num_input_events): Now uintmax_t.
+ This is (very slightly) less likely to mess up due to wraparound.
+ All uses changed.
+
+ * buffer.c: Integer signedness fixes.
+ (alloc_buffer_text, enlarge_buffer_text):
+ Use ptrdiff_t rather than size_t when either will do, as we prefer
+ signed integers.
+
+ * alloc.c: Integer signedness and overflow fixes.
+ Do not impose an arbitrary 32-bit limit on malloc sizes when debugging.
+ (__malloc_size_t): Default to size_t, not to int.
+ (pure_size, pure_bytes_used_before_overflow, stack_copy_size)
+ (Fgarbage_collect, mark_object_loop_halt, mark_object):
+ Prefer ptrdiff_t to size_t when either would do, as we prefer
+ signed integers.
+ (XMALLOC_OVERRUN_CHECK_OVERHEAD): New macro.
+ (xmalloc_overrun_check_header, xmalloc_overrun_check_trailer):
+ Now const. Initialize with values that are in range even if char
+ is signed.
+ (XMALLOC_PUT_SIZE, XMALLOC_GET_SIZE): Remove, replacing with ...
+ (xmalloc_put_size, xmalloc_get_size): New functions. All uses changed.
+ These functions do the right thing with sizes > 2**32.
+ (check_depth): Now ptrdiff_t, not int.
+ (overrun_check_malloc, overrun_check_realloc, overrun_check_free):
+ Adjust to new way of storing sizes. Check for size overflow bugs
+ in rest of code.
+ (STRING_BYTES_MAX): Adjust to new overheads. The old code was
+ slightly wrong anyway, as it missed one instance of
+ XMALLOC_OVERRUN_CHECK_OVERHEAD.
+ (refill_memory_reserve): Omit needless cast to size_t.
+ (mark_object_loop_halt): Mark as externally visible.
+
+ * xselect.c: Integer signedness and overflow fixes.
+ (Fx_register_dnd_atom, x_handle_dnd_message):
+ Use ptrdiff_t, not size_t, since we prefer signed.
+ (Fx_register_dnd_atom): Check for ptrdiff_t (and size_t) overflow.
+ * xterm.h (struct x_display_info): Use ptrdiff_t, not size_t, for
+ x_dnd_atoms_size and x_dnd_atoms_length.
+
+ * doprnt.c: Prefer signed to unsigned when either works.
+ * eval.c (verror):
+ * doprnt.c (doprnt):
+ * lisp.h (doprnt):
+ * xdisp.c (vmessage):
+ Use ptrdiff_t, not size_t, when using or implementing doprnt,
+ since the sizes cannot exceed ptrdiff_t bounds anyway, and we
+ prefer signed arithmetic to avoid comparison confusion.
+ * doprnt.c (doprnt): Avoid a "+ 1" that can't overflow,
+ but is a bit tricky.
+
+ Assume freestanding C89 headers, string.h, stdlib.h.
+ * data.c, doprnt.c, floatfns.c, print.c:
+ Include float.h unconditionally.
+ * gmalloc.c: Assume C89-at-least behavior for preprocessor,
+ limits.h, stddef.h, string.h. Use memset instead of 'flood'.
+ * regex.c: Likewise for stddef.h, string.h.
+ (ISASCII): Remove; can assume it returns 1 now. All uses removed.
+ * s/aix4-2.h (HAVE_STRING_H): Remove obsolete undef.
+ * s/ms-w32.h (HAVE_LIMITS_H, HAVE_STRING_H, HAVE_STDLIB_H)
+ (STDC_HEADERS): Remove obsolete defines.
+ * sysdep.c: Include limits.h unconditionally.
+
+ Assume support for memcmp, memcpy, memmove, memset.
+ * lisp.h, sysdep.c (memcmp, memcpy, memmove, memset):
+ * regex.c (memcmp, memcpy):
+ Remove; we assume C89 now.
+
+ * gmalloc.c (memcpy, memset, memmove): Remove; we assume C89 now.
+ (__malloc_safe_bcopy): Remove; no longer needed.
+
+ * lisp.h (struct vectorlike_header, struct Lisp_Subr): Signed sizes.
+ Use EMACS_INT, not EMACS_UINT, for sizes. The code works equally
+ well either way, and we prefer signed to unsigned.
+
+2011-07-27 Lars Magne Ingebrigtsen <larsi@gnus.org>
+
+ * gnutls.c (emacs_gnutls_read): Don't message anything if the peer
+ closes the connection while we're reading (bug#9182).
+
+2011-07-25 Jan Djärv <jan.h.d@swipnet.se>
+
+ * nsmenu.m (ns_popup_dialog): Add an "ok" button if no buttons
+ are specified (Bug#9168).
+
+2011-07-25 Paul Eggert <eggert@cs.ucla.edu>
+
+ * bidi.c (bidi_dump_cached_states): Fix printf format mismatch.
+ Found by GCC static checking and --with-wide-int on a 32-bit host.
+
+2011-07-25 Eli Zaretskii <eliz@gnu.org>
+
+ * xdisp.c (compute_display_string_pos): Fix logic of caching
+ previous display string position. Initialize cached_prev_pos to
+ -1. Fixes slow-down at the beginning of a buffer.
+
+2011-07-24 Eli Zaretskii <eliz@gnu.org>
+
+ * xfaces.c (check_lface_attrs) [HAVE_WINDOW_SYSTEM]: Allow `nil'
+ for attrs[LFACE_FONTSET_INDEX].
+
+2011-07-23 Paul Eggert <eggert@cs.ucla.edu>
+
+ * xml.c (parse_region): Remove unused local
+ that was recently introduced.
+
+2011-07-23 Eli Zaretskii <eliz@gnu.org>
+
+ * xfns.c (unwind_create_frame) [GLYPH_DEBUG]: Adapt to changes in
+ 2008-02-22T17:42:09Z!monnier@iro.umontreal.ca.
+
+ * xdisp.c (move_it_in_display_line_to): Record the best matching
+ position for TO_CHARPOS while scanning the line, and restore it on
+ exit if none of the characters scanned was an exact match. Fixes
+ vertical-motion and pos-visible-in-window-p under bidi redisplay
+ when exact match is impossible due to invisible text, and the
+ lines are truncated.
+
+2011-07-23 Jan Djärv <jan.h.d@swipnet.se>
+
+ * nsterm.m (initFrameFromEmacs): Set NSTitledWindowMask in styleMask
+ for OSX >= 10.7.
+
+2011-07-22 Eli Zaretskii <eliz@gnu.org>
+
+ Fix a significant slow-down of cursor motion with C-n, C-p,
+ C-f/C-b, and C-v/M-v that couldn't keep up with keyboard
+ auto-repeat under bidi redisplay in fontified buffers.
+ * xdisp.c (compute_stop_pos_backwards): New function.
+ (next_element_from_buffer): Call compute_stop_pos_backwards to
+ find a suitable prev_stop when we find ourselves before
+ base_level_stop.
+ (reseat): Don't look for prev_stop, as that could mean a very long
+ run.
+ <cached_disp_pos, cached_disp_buffer, cached_disp_modiff>
+ <cached_disp_overlay_modiff>: Cache for last found display string
+ position.
+ (compute_display_string_pos): Return the cached position if asked
+ about the same buffer in the same area of character positions, and
+ the buffer wasn't changed since the time the display string
+ position was cached.
+
+2011-07-22 Eli Zaretskii <eliz@gnu.org>
+
+ * xdisp.c (rows_from_pos_range): Don't ignore glyphs whose object
+ is an integer, which is important for empty lines. (Bug#9149)
+
+2011-07-22 Chong Yidong <cyd@stupidchicken.com>
+
+ * frame.c (Fmodify_frame_parameters): In tty case, update the
+ default face if necessary (Bug#4238).
+
+2011-07-21 Chong Yidong <cyd@stupidchicken.com>
+
+ * editfns.c (Fstring_to_char): No need to explain what a character
+ is in the docstring (Bug#6576).
+
+2011-07-20 Lars Magne Ingebrigtsen <larsi@gnus.org>
+
+ * xml.c (parse_region): Make sure we always return a tree.
+
+2011-07-20 HAMANO Kiyoto <khiker.mail@gmail.com>
+
+ * xml.c (parse_region): If a document contains only comments,
+ return that, too.
+
+2011-07-20 Lars Magne Ingebrigtsen <larsi@gnus.org>
+
+ * xml.c (make_dom): Return comments, too.
+
+2011-07-19 Paul Eggert <eggert@cs.ucla.edu>
+
+ Port to OpenBSD.
+ See http://lists.gnu.org/archive/html/emacs-devel/2011-07/msg00688.html
+ and the surrounding thread.
+ * minibuf.c (read_minibuf_noninteractive): Rewrite to use getchar
+ rather than fgets, and retry after EINTR. Otherwise, 'emacs
+ --batch -f byte-compile-file' fails on OpenBSD if an inactivity
+ timer goes off.
+ * s/openbsd.h (BROKEN_SIGIO): Define.
+ * unexelf.c (unexec) [__OpenBSD__]:
+ Don't update the .mdebug section of the Alpha COFF symbol table.
+
2011-07-19 Lars Magne Ingebrigtsen <larsi@gnus.org>
* lread.c (syms_of_lread): Clarify when `lexical-binding' is used