From e17144de551ae57a4ad51f9757b908325c21071a Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Sun, 6 Jan 2002 20:47:00 +0000
Subject: [PATCH] (make_gap_larger): Make sure buffer size does not overflow
 range of int.

---
 src/ChangeLog | 5 +++++
 src/insdel.c  | 9 ++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 1f49d908f9..7206d6f7e0 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2002-01-06  Andreas Schwab  <schwab@suse.de>
+
+	* insdel.c (make_gap_larger): Make sure buffer size does not
+	overflow range of int.
+
 2002-01-05  Jason Rumney  <jasonr@gnu.org>
 
 	* w32term.c (x_draw_glyphs): Don't call notice_overwritten_cursor if
diff --git a/src/insdel.c b/src/insdel.c
index efc6aa44b6..a71afb7258 100644
--- a/src/insdel.c
+++ b/src/insdel.c
@@ -533,10 +533,13 @@ make_gap_larger (nbytes_added)
 
   /* Don't allow a buffer size that won't fit in an int
      even if it will fit in a Lisp integer.
-     That won't work because so many places use `int'.  */
+     That won't work because so many places use `int'.
+
+     Make sure we don't introduce overflows in the calculation.  */
      
-  if (Z_BYTE - BEG_BYTE + GAP_SIZE + nbytes_added
-      >= MOST_POSITIVE_FIXNUM)
+  if (Z_BYTE - BEG_BYTE + GAP_SIZE
+      >= (((EMACS_INT) 1 << (min (VALBITS, BITS_PER_INT) - 1)) - 1
+	  - nbytes_added))
     error ("Buffer exceeds maximum size");
 
   enlarge_buffer_text (current_buffer, nbytes_added);
-- 
2.20.1