mirrors/emacs
1
Fork 0
mirror of git://git.sv.gnu.org/emacs.git synced 2026-01-04 02:51:31 -08:00
Code Issues Projects Releases Wiki Activity

* ftfont.c: Check for size overflow.

Browse source 
(ftfont_get_open_type_spec, setup_otf_gstring, ftfont_shape_by_flt):
Check for integer overflow in size calculations.
This commit is contained in:
Paul Eggert 2011-07-28 16:51:50 -07:00
parent 483a9e21b6
commit 1ffd9c92ea
2 changed files with 18 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/ChangeLog
View file

@ -1,5 +1,9 @@
2011-07-28 Paul Eggert <eggert@cs.ucla.edu>
* ftfont.c: Check for size overflow.
(ftfont_get_open_type_spec, setup_otf_gstring, ftfont_shape_by_flt):
Check for integer overflow in size calculations.
* fringe.c (Fdefine_fringe_bitmap): Don't update size until alloc works.
* frame.h (struct frame): Use int, not EMACS_INT, where int works.

15
src/ftfont.c
View file

@ -682,7 +682,10 @@ ftfont_get_open_type_spec (Lisp_Object otf_spec)
if (NILP (val))
continue;
len = Flength (val);
spec->features[i] = malloc (sizeof (int) * XINT (len));
spec->features[i] =
(min (PTRDIFF_MAX, SIZE_MAX) / sizeof (int) < XINT (len)
? 0
: malloc (sizeof (int) * XINT (len)));
if (! spec->features[i])
{
if (i > 0 && spec->features[0])
@ -1761,6 +1764,9 @@ static OTF_GlyphString otf_gstring;
static void
setup_otf_gstring (int size)
{
if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (OTF_Glyph) < size)
memory_full (SIZE_MAX);
if (otf_gstring.size == 0)
{
otf_gstring.glyphs = (OTF_Glyph *) xmalloc (sizeof (OTF_Glyph) * size);
@ -2390,6 +2396,8 @@ ftfont_shape_by_flt (Lisp_Object lgstring, struct font *font,
struct MFLTFontFT flt_font_ft;
MFLT *flt = NULL;
int with_variation_selector = 0;
int allocated_max = min (INT_MAX,
min (PTRDIFF_MAX, SIZE_MAX) / sizeof (MFLTGlyph));
if (! m17n_flt_initialized)
{
@ -2445,6 +2453,9 @@ ftfont_shape_by_flt (Lisp_Object lgstring, struct font *font,
}
}
if (allocated_max / 2 < len)
memory_full (SIZE_MAX);
if (gstring.allocated == 0)
{
gstring.allocated = len * 2;
@ -2504,6 +2515,8 @@ ftfont_shape_by_flt (Lisp_Object lgstring, struct font *font,
int result = mflt_run (&gstring, 0, len, &flt_font_ft.flt_font, flt);
if (result != -2)
break;
if (allocated_max / 2 < gstring.allocated)
memory_full (SIZE_MAX);
gstring.allocated += gstring.allocated;
gstring.glyphs = xrealloc (gstring.glyphs,
sizeof (MFLTGlyph) * gstring.allocated);