2011-06-23 Paul Eggert <eggert@cs.ucla.edu>
+ * macros.c: Integer and buffer overflow fixes.
+ * keyboard.h (struct keyboard.kbd_macro_bufsize):
+ * macros.c (Fstart_kbd_macro, store_kbd_macro_char):
+ Use ptrdiff_t, not int, for sizes.
+ Don't increment bufsize until after realloc succeeds.
+ Check for size-calculation overflow.
+ (Fstart_kbd_macro): Use EMACS_INT, not int, for XINT result.
+
* lisp.h (DEFVAR_KBOARD): Use offsetof instead of char * finagling.
* lread.c: Integer overflow fixes.
{
if (current_kboard->kbd_macro_bufsize > 200)
{
- current_kboard->kbd_macro_bufsize = 30;
current_kboard->kbd_macro_buffer
= (Lisp_Object *)xrealloc (current_kboard->kbd_macro_buffer,
30 * sizeof (Lisp_Object));
+ current_kboard->kbd_macro_bufsize = 30;
}
current_kboard->kbd_macro_ptr = current_kboard->kbd_macro_buffer;
current_kboard->kbd_macro_end = current_kboard->kbd_macro_buffer;
}
else
{
- int i, len;
+ ptrdiff_t i;
+ EMACS_INT len;
int cvt;
/* Check the type of last-kbd-macro in case Lisp code changed it. */
has put another macro there. */
if (current_kboard->kbd_macro_bufsize < len + 30)
{
- current_kboard->kbd_macro_bufsize = len + 30;
+ if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (Lisp_Object) - 30
+ < current_kboard->kbd_macro_bufsize)
+ memory_full (SIZE_MAX);
current_kboard->kbd_macro_buffer
= (Lisp_Object *)xrealloc (current_kboard->kbd_macro_buffer,
(len + 30) * sizeof (Lisp_Object));
+ current_kboard->kbd_macro_bufsize = len + 30;
}
/* Must convert meta modifier when copying string to vector. */
{
if (kb->kbd_macro_ptr - kb->kbd_macro_buffer == kb->kbd_macro_bufsize)
{
- int ptr_offset, end_offset, nbytes;
+ ptrdiff_t ptr_offset, end_offset, nbytes;
ptr_offset = kb->kbd_macro_ptr - kb->kbd_macro_buffer;
end_offset = kb->kbd_macro_end - kb->kbd_macro_buffer;
- kb->kbd_macro_bufsize *= 2;
- nbytes = kb->kbd_macro_bufsize * sizeof *kb->kbd_macro_buffer;
+ if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *kb->kbd_macro_buffer / 2
+ < kb->kbd_macro_bufsize)
+ memory_full (SIZE_MAX);
+ nbytes = kb->kbd_macro_bufsize * 2 * sizeof *kb->kbd_macro_buffer;
kb->kbd_macro_buffer
= (Lisp_Object *) xrealloc (kb->kbd_macro_buffer, nbytes);
+ kb->kbd_macro_bufsize *= 2;
kb->kbd_macro_ptr = kb->kbd_macro_buffer + ptr_offset;
kb->kbd_macro_end = kb->kbd_macro_buffer + end_offset;
}
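Review bot: The overflow guard added in the Fstart_kbd_macro hunk tests `current_kboard->kbd_macro_bufsize`, but the product it protects on the xrealloc line just below it is `(len + 30) * sizeof (Lisp_Object)`, and that branch is entered exactly when `len + 30` exceeds the current bufsize, so a `len` much larger than the existing buffer reaches the multiplication without ever being bounded. Whether such a `len` is reachable depends on the size limit of the last-kbd-macro object, which is not visible here, but the guard costs the same when stated on the value actually multiplied: `if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (Lisp_Object) - 30 < len)` (len is a non-negative EMACS_INT, so the signed/unsigned comparison behaves like the existing one against the ptrdiff_t bufsize). The companion guard in the store_kbd_macro_char hunk does bound the quantity it multiplies (`kbd_macro_bufsize * 2`), so only the first hunk needs the change. Both enclosing functions begin outside their hunks, and the context around the `last-kbd-macro` comment appears to have lost lines in rendering.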