mirrors/emacs
1
Fork 0
mirror of git://git.sv.gnu.org/emacs.git synced 2025-12-28 00:01:33 -08:00
Code Issues Projects Releases Wiki Activity

* termcap.c: Integer and memory overflow issues.

Browse source 
(tgetent): Use ptrdiff_t, not int, to record results of
subtracting pointers.
(gobble_line): Check for overflow more carefully.  Don't update size
until alloc done.
This commit is contained in:
Paul Eggert 2011-07-28 18:24:19 -07:00
parent fee31f82d5
commit 0d8f2df7c4
2 changed files with 16 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/ChangeLog
View file

@ -1,5 +1,11 @@
2011-07-29 Paul Eggert <eggert@cs.ucla.edu>
* termcap.c: Integer and memory overflow issues.
(tgetent): Use ptrdiff_t, not int, to record results of
subtracting pointers.
(gobble_line): Check for overflow more carefully. Don't update size
until alloc done.
* term.c: Integer and memory overflow issues.
(max_frame_lines): Remove; unused.
(encode_terminal_src_size, encode_terminal_dst_size): Now ptrdiff_t,

18
src/termcap.c
View file

@ -480,7 +480,7 @@ tgetent (char *bp, const char *name)
/* If BP is malloc'd by us, make sure it is big enough. */
if (malloc_size)
{
int offset1 = bp1 - bp, offset2 = tc_search_point - bp;
ptrdiff_t offset1 = bp1 - bp, offset2 = tc_search_point - bp;
malloc_size = offset1 + buf.size;
bp = termcap_name = (char *) xrealloc (bp, malloc_size);
bp1 = termcap_name + offset1;
@ -619,7 +619,6 @@ gobble_line (int fd, register struct termcap_buffer *bufp, char *append_end)
register char *end;
register int nread;
register char *buf = bufp->beg;
register char *tem;
if (!append_end)
append_end = bufp->ptr;
@ -636,14 +635,17 @@ gobble_line (int fd, register struct termcap_buffer *bufp, char *append_end)
{
if (bufp->full == bufp->size)
{
if ((PTRDIFF_MAX - 1) / 2 < bufp->size)
ptrdiff_t ptr_offset = bufp->ptr - buf;
ptrdiff_t append_end_offset = append_end - buf;
ptrdiff_t size;
if ((min (PTRDIFF_MAX, SIZE_MAX) - 1) / 2 < bufp->size)
memory_full (SIZE_MAX);
bufp->size *= 2;
size = 2 * bufp->size;
/* Add 1 to size to ensure room for terminating null. */
tem = (char *) xrealloc (buf, bufp->size + 1);
bufp->ptr = (bufp->ptr - buf) + tem;
append_end = (append_end - buf) + tem;
bufp->beg = buf = tem;
bufp->beg = buf = (char *) xrealloc (buf, size + 1);
bufp->size = size;
bufp->ptr = buf + ptr_offset;
append_end = buf + append_end_offset;
}
}
else