* buffer.c (record_overlay_string): Check for size-calculation overflow.

(struct sortstrlist.size, struct sortlist.used): Don't truncate size to int.
2011-06-17 01:10:34 -07:00 · 2011-06-17 01:10:34 -07:00 · 67c36fce59
commit 67c36fce59
parent 93cb6be35e
2 changed files with 10 additions and 4 deletions
--- a/src/ChangeLog
+++ b/src/ChangeLog
@ -3,7 +3,10 @@
 	* buffer.c (struct sortvec.priority, struct sortstr.priority):
 	Now EMACS_INT, not int.
 	(compare_overlays, cmp_for_strings): Avoid subtraction overflow.
-	(struct sortstr.size, record_overlay_string): Don't truncate size to int.
+	(struct sortstr.size, record_overlay_string)
+	(struct sortstrlist.size, struct sortlist.used):
+	Don't truncate size to int.
+	(record_overlay_string): Check for size-calculation overflow.

 2011-06-16  Paul Eggert  <eggert@cs.ucla.edu>

--- a/src/buffer.c
+++ b/src/buffer.c
@ -2933,8 +2933,8 @@ struct sortstr
 struct sortstrlist
 {
  struct sortstr *buf;	/* An array that expands as needed; never freed.  */
-  int size;		/* Allocated length of that array.  */
-  int used;		/* How much of the array is currently in use.  */
+  ptrdiff_t size;	/* Allocated length of that array.  */
+  ptrdiff_t used;	/* How much of the array is currently in use.  */
  EMACS_INT bytes;		/* Total length of the strings in buf.  */
 };

@ -2969,7 +2969,10 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,

  if (ssl->used == ssl->size)
    {
-      if (ssl->buf)
+      if (min (PTRDIFF_MAX, SIZE_MAX) / (sizeof (struct sortstr) * 2)
+	  < ssl->size)
+	memory_full (SIZE_MAX);
+      else if (0 < ssl->size)
 	ssl->size *= 2;
      else
 	ssl->size = 5;