* scroll.c: Integer and memory overflow fixes.

(do_line_insertion_deletion_costs): Check for size calculation overflow.
Don't bother calling xmalloc when xrealloc will do.

diff --git a/src/ChangeLog b/src/ChangeLog
index 662d03a..a80c370 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,9 @@
 2011-07-29  Paul Eggert  <eggert@cs.ucla.edu>
 
+       * scroll.c: Integer and memory overflow fixes.
+       (do_line_insertion_deletion_costs): Check for size calculation overflow.
+       Don't bother calling xmalloc when xrealloc will do.
+
        * region-cache.c (move_cache_gap): Check for size calculation overflow.
 
        * process.c (Fnetwork_interface_list): Check for overflow

diff --git a/src/scroll.c b/src/scroll.c
index 6291936..9184919 100644 (file)
--- a/src/scroll.c
+++ b/src/scroll.c
@@ -969,32 +969,21 @@ do_line_insertion_deletion_costs (FRAME_PTR frame,
                                  const char *cleanup_string,
                                  int coefficient)
 {
-  if (FRAME_INSERT_COST (frame) != 0)
-    {
-      FRAME_INSERT_COST (frame) =
-       (int *) xrealloc (FRAME_INSERT_COST (frame),
-                         FRAME_LINES (frame) * sizeof (int));
-      FRAME_DELETEN_COST (frame) =
-       (int *) xrealloc (FRAME_DELETEN_COST (frame),
-                         FRAME_LINES (frame) * sizeof (int));
-      FRAME_INSERTN_COST (frame) =
-       (int *) xrealloc (FRAME_INSERTN_COST (frame),
-                         FRAME_LINES (frame) * sizeof (int));
-      FRAME_DELETE_COST (frame) =
-       (int *) xrealloc (FRAME_DELETE_COST (frame),
-                         FRAME_LINES (frame) * sizeof (int));
-    }
-  else
-    {
-      FRAME_INSERT_COST (frame) =
-       (int *) xmalloc (FRAME_LINES (frame) * sizeof (int));
-      FRAME_DELETEN_COST (frame) =
-       (int *) xmalloc (FRAME_LINES (frame) * sizeof (int));
-      FRAME_INSERTN_COST (frame) =
-       (int *) xmalloc (FRAME_LINES (frame) * sizeof (int));
-      FRAME_DELETE_COST (frame) =
-       (int *) xmalloc (FRAME_LINES (frame) * sizeof (int));
-    }
+  if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (int) < FRAME_LINES (frame))
+    memory_full (SIZE_MAX);
+
+  FRAME_INSERT_COST (frame) =
+    (int *) xrealloc (FRAME_INSERT_COST (frame),
+                     FRAME_LINES (frame) * sizeof (int));
+  FRAME_DELETEN_COST (frame) =
+    (int *) xrealloc (FRAME_DELETEN_COST (frame),
+                     FRAME_LINES (frame) * sizeof (int));
+  FRAME_INSERTN_COST (frame) =
+    (int *) xrealloc (FRAME_INSERTN_COST (frame),
+                     FRAME_LINES (frame) * sizeof (int));
+  FRAME_DELETE_COST (frame) =
+    (int *) xrealloc (FRAME_DELETE_COST (frame),
+                     FRAME_LINES (frame) * sizeof (int));
 
   ins_del_costs (frame,
                 ins_line_string, multi_ins_string,