From 25636e136267379f6b32b8dff712f72438cbec35 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Mon, 2 Dec 2013 18:27:10 -0800 Subject: [PATCH] Minor integer overflow fixes. * window.c (Fset_window_new_pixel, grow_mini_window): * xdisp.c (Fwindow_text_pixel_size): Avoid undefined behavior on signed integer overflow. * xfns.c (x_set_mouse_color): Check that drag shape fits in 'unsigned', since that's what X wants. --- src/ChangeLog | 9 +++++++++ src/window.c | 10 +++++++--- src/xdisp.c | 4 ++-- src/xfns.c | 2 +- 4 files changed, 19 insertions(+), 6 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index a5c6668c55..d26a3798b0 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,12 @@ +2013-12-03 Paul Eggert + + Minor integer overflow fixes. + * window.c (Fset_window_new_pixel, grow_mini_window): + * xdisp.c (Fwindow_text_pixel_size): + Avoid undefined behavior on signed integer overflow. + * xfns.c (x_set_mouse_color): + Check that drag shape fits in 'unsigned', since that's what X wants. + 2013-12-02 Eli Zaretskii Improve reporting of fatal exception on MS-Windows. diff --git a/src/window.c b/src/window.c index a28449ba1d..e2770410bc 100644 --- a/src/window.c +++ b/src/window.c @@ -3646,8 +3646,10 @@ Note: This function does not operate on any child windows of WINDOW. */) (Lisp_Object window, Lisp_Object size, Lisp_Object add) { struct window *w = decode_valid_window (window); + EMACS_INT size_max = (min (INT_MAX, MOST_POSITIVE_FIXNUM) + - (NILP (add) ? 0 : XINT (w->new_pixel))); - CHECK_NUMBER (size); + CHECK_RANGED_INTEGER (size, 0, size_max); if (NILP (add)) wset_new_pixel (w, size); else @@ -4556,12 +4558,14 @@ grow_mini_window (struct window *w, int delta, bool pixelwise) if (pixelwise) { - pixel_height = -XINT (height); + pixel_height = min (-XINT (height), INT_MAX - w->pixel_height); line_height = pixel_height / FRAME_LINE_HEIGHT (f); } else { - line_height = -XINT (height); + line_height = min (-XINT (height), + ((INT_MAX - w->pixel_height) + / FRAME_LINE_HEIGHT (f))); pixel_height = line_height * FRAME_LINE_HEIGHT (f); } diff --git a/src/xdisp.c b/src/xdisp.c index b52c89a755..d1c8cd3cf2 100644 --- a/src/xdisp.c +++ b/src/xdisp.c @@ -9567,7 +9567,7 @@ include the height of any of these lines in the return value. */) if (!NILP (y_limit)) { CHECK_NUMBER (y_limit); - max_y = XINT (y_limit); + max_y = min (XINT (y_limit), INT_MAX); } itdata = bidi_shelve_cache (); @@ -9580,7 +9580,7 @@ include the height of any of these lines in the return value. */) else { CHECK_NUMBER (x_limit); - it.last_visible_x = XINT (x_limit); + it.last_visible_x = min (XINT (x_limit), INFINITY); /* Actually, we never want move_it_to stop at to_x. But to make sure that move_it_in_display_line_to always moves far enough, we set it to INT_MAX and specify MOVE_TO_X. */ diff --git a/src/xfns.c b/src/xfns.c index bd4a6a62db..2830a79972 100644 --- a/src/xfns.c +++ b/src/xfns.c @@ -680,7 +680,7 @@ x_set_mouse_color (struct frame *f, Lisp_Object arg, Lisp_Object oldval) if (!NILP (Vx_window_horizontal_drag_shape)) { - CHECK_NUMBER (Vx_window_horizontal_drag_shape); + CHECK_TYPE_RANGED_INTEGER (unsigned, Vx_window_horizontal_drag_shape); horizontal_drag_cursor = XCreateFontCursor (dpy, XINT (Vx_window_horizontal_drag_shape)); } -- 2.20.1