* print.c (printchar, strout): Check for string overflow.
authorPaul Eggert <eggert@cs.ucla.edu>
Thu, 23 Jun 2011 07:33:28 +0000 (00:33 -0700)
committerPaul Eggert <eggert@cs.ucla.edu>
Thu, 23 Jun 2011 07:33:28 +0000 (00:33 -0700)
(PRINTPREPARE, printchar, strout):
Don't set size unless allocation succeeds.

src/ChangeLog
src/print.c

index 1be34fd..7948766 100644 (file)
@@ -1,5 +1,9 @@
 2011-06-23  Paul Eggert  <eggert@cs.ucla.edu>
 
+       * print.c (printchar, strout): Check for string overflow.
+       (PRINTPREPARE, printchar, strout):
+       Don't set size unless allocation succeeds.
+
        * minibuf.c (read_minibuf_noninteractive): Use ptrdiff_t, not int,
        for sizes.  Check for string overflow more accurately.
        Simplify newline removal at end; this suppresses a GCC 4.6.0 warning.
index d07f897..009bea3 100644 (file)
@@ -159,8 +159,9 @@ int print_output_debug_flag EXTERNALLY_VISIBLE = 1;
         }                                                              \
        else                                                            \
         {                                                              \
-           print_buffer_size = 1000;                                   \
-           print_buffer = (char *) xmalloc (print_buffer_size);                \
+          ptrdiff_t new_size = 1000;                                   \
+          print_buffer = (char *) xmalloc (new_size);                  \
+          print_buffer_size = new_size;                                \
           free_print_buffer = 1;                                       \
         }                                                              \
        print_buffer_pos = 0;                                           \
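Review bot: The reason for routing the size through `new_size` in the else branch of PRINTPREPARE is not recorded at the site, so a later cleanup could fold it back into an assignment made before the allocation. Presumably xmalloc can exit non-locally on memory exhaustion, which would leave print_buffer_size describing a buffer that was never allocated; the printchar and strout hunks use the same ordering for xrealloc. A one-line comment above the assignment, such as `/* Update the size only after the allocation returns, so size and buffer never disagree.  */`, would preserve the intent at all three sites. The macro starts and ends outside the hunk.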
@@ -235,9 +236,15 @@ printchar (unsigned int ch, Lisp_Object fun)
 
       if (NILP (fun))
        {
-         if (print_buffer_pos_byte + len >= print_buffer_size)
-           print_buffer = (char *) xrealloc (print_buffer,
-                                             print_buffer_size *= 2);
+         if (print_buffer_size - len <= print_buffer_pos_byte)
+           {
+             ptrdiff_t new_size;
+             if (STRING_BYTES_BOUND / 2 < print_buffer_size)
+               string_overflow ();
+             new_size = print_buffer_size * 2;
+             print_buffer = (char *) xrealloc (print_buffer, new_size);
+             print_buffer_size = new_size;
+           }
          memcpy (print_buffer + print_buffer_pos_byte, str, len);
          print_buffer_pos += 1;
          print_buffer_pos_byte += len;
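Review bot: The multiplication in `new_size = print_buffer_size * 2;` is protected only if string_overflow () never returns, and nothing in the hunk shows that. If it could return, the doubled size would overflow and be passed to xrealloc. Once confirmed against its declaration, a comment on the guard such as `/* string_overflow does not return, so the doubling below cannot overflow.  */` would make the dependency explicit. The single doubling also assumes len never exceeds the current buffer size, which depends on a bound on len that is set outside the hunk. printchar's body starts and ends outside the hunk, and the strout hunk uses the same guard pattern.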
@@ -280,11 +287,14 @@ strout (const char *ptr, EMACS_INT size, EMACS_INT size_byte,
 
   if (NILP (printcharfun))
     {
-      if (print_buffer_pos_byte + size_byte > print_buffer_size)
+      if (print_buffer_size - size_byte < print_buffer_pos_byte)
        {
-         print_buffer_size = print_buffer_size * 2 + size_byte;
-         print_buffer = (char *) xrealloc (print_buffer,
-                                           print_buffer_size);
+         ptrdiff_t new_size;
+         if (STRING_BYTES_BOUND / 2 - size_byte < print_buffer_size)
+           string_overflow ();
+         new_size = print_buffer_size * 2 + size_byte;
+         print_buffer = (char *) xrealloc (print_buffer, new_size);
+         print_buffer_size = new_size;
        }
       memcpy (print_buffer + print_buffer_pos_byte, ptr, size_byte);
       print_buffer_pos += size;
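Review bot: Both new comparisons, `print_buffer_size - size_byte < print_buffer_pos_byte` and `STRING_BYTES_BOUND / 2 - size_byte < print_buffer_size`, are overflow-safe only when size_byte is non-negative. size_byte is an EMACS_INT parameter, and any normalisation of it happens outside the hunk. With a negative value the subtractions would move the wrong way and the memcpy length below would convert to a very large size_t. If nothing earlier in strout already guarantees the sign, stating it next to the check would help, for example `eassert (0 <= size_byte);` or a comment naming where the value is normalised. It may also be worth confirming that the result of `print_buffer_size * 2 + size_byte` always fits in the ptrdiff_t `new_size` when EMACS_INT is the wider type.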