Fix a few integer-overflow glitches

* src/composite.c (composition_compute_stop_pos, composition_reseat_it): * src/dispextern.h (struct composition_it.rule_idx): * src/keyboard.c (Fset__this_command_keys): * src/xwidget.c (webkit_js_to_lisp): Don’t assume object sizes fit in ‘int’. * src/xwidget.c (Fxwidget_resize): Don’t assume Emacs integers fit in ‘int’.
2026-01-30 20:32:00 -08:00 · 2017-02-10 08:34:57 -08:00 · 2017-02-10 08:34:57 -08:00 · abcba32c26
commit abcba32c26
parent cef233eeb8
4 changed files with 50 additions and 55 deletions
--- a/src/composite.c
+++ b/src/composite.c
@ -1012,7 +1012,7 @@ composition_compute_stop_pos (struct composition_it *cmp_it, ptrdiff_t charpos,
 	  val = CHAR_TABLE_REF (Vcomposition_function_table, c);
 	  if (! NILP (val))
 	    {
-	      for (int ridx = 0; CONSP (val); val = XCDR (val), ridx++)
+	      for (EMACS_INT ridx = 0; CONSP (val); val = XCDR (val), ridx++)
 		{
 		  Lisp_Object elt = XCAR (val);
 		  if (VECTORP (elt) && ASIZE (elt) == 3
@ -1063,54 +1063,48 @@ composition_compute_stop_pos (struct composition_it *cmp_it, ptrdiff_t charpos,
      while (char_composable_p (c))
 	{
 	  val = CHAR_TABLE_REF (Vcomposition_function_table, c);
-	  if (! NILP (val))
+	  for (EMACS_INT ridx = 0; CONSP (val); val = XCDR (val), ridx++)
 	    {
-	      Lisp_Object elt;
-	      int ridx, blen;
-
-	      for (ridx = 0; CONSP (val); val = XCDR (val), ridx++)
+	      Lisp_Object elt = XCAR (val);
+	      if (VECTORP (elt) && ASIZE (elt) == 3
+		  && NATNUMP (AREF (elt, 1))
+		  && charpos - XFASTINT (AREF (elt, 1)) > endpos)
 		{
-		  elt = XCAR (val);
-		  if (VECTORP (elt) && ASIZE (elt) == 3
-		      && NATNUMP (AREF (elt, 1))
-		      && charpos - XFASTINT (AREF (elt, 1)) > endpos)
-		    {
-		      ptrdiff_t back = XFASTINT (AREF (elt, 1));
-		      ptrdiff_t cpos = charpos - back, bpos;
+		  ptrdiff_t back = XFASTINT (AREF (elt, 1));
+		  ptrdiff_t cpos = charpos - back, bpos;

-		      if (back == 0)
-			bpos = bytepos;
-		      else
-			bpos = (NILP (string) ? CHAR_TO_BYTE (cpos)
-				: string_char_to_byte (string, cpos));
-		      if (STRINGP (AREF (elt, 0)))
-			blen = fast_looking_at (AREF (elt, 0), cpos, bpos,
-						start + 1, limit, string);
-		      else
-			blen = 1;
-		      if (blen > 0)
+		  if (back == 0)
+		    bpos = bytepos;
+		  else
+		    bpos = (NILP (string) ? CHAR_TO_BYTE (cpos)
+			    : string_char_to_byte (string, cpos));
+		  ptrdiff_t blen
+		    = (STRINGP (AREF (elt, 0))
+		       ? fast_looking_at (AREF (elt, 0), cpos, bpos,
+					  start + 1, limit, string)
+		       : 1);
+		  if (blen > 0)
+		    {
+		      /* Make CPOS point to the last character of
+			 match.  Note that BLEN is byte-length.  */
+		      if (blen > 1)
 			{
-			  /* Make CPOS point to the last character of
-			     match.  Note that BLEN is byte-length.  */
-			  if (blen > 1)
-			    {
-			      bpos += blen;
-			      if (NILP (string))
-				cpos = BYTE_TO_CHAR (bpos) - 1;
-			      else
-				cpos = string_byte_to_char (string, bpos) - 1;
-			    }
-			  back = cpos - (charpos - back);
-			  if (cmp_it->stop_pos < cpos
-			      || (cmp_it->stop_pos == cpos
-				  && cmp_it->lookback < back))
-			    {
-			      cmp_it->rule_idx = ridx;
-			      cmp_it->stop_pos = cpos;
-			      cmp_it->ch = c;
-			      cmp_it->lookback = back;
-			      cmp_it->nchars = back + 1;
-			    }
+			  bpos += blen;
+			  if (NILP (string))
+			    cpos = BYTE_TO_CHAR (bpos) - 1;
+			  else
+			    cpos = string_byte_to_char (string, bpos) - 1;
+			}
+		      back = cpos - (charpos - back);
+		      if (cmp_it->stop_pos < cpos
+			  || (cmp_it->stop_pos == cpos
+			      && cmp_it->lookback < back))
+			{
+			  cmp_it->rule_idx = ridx;
+			  cmp_it->stop_pos = cpos;
+			  cmp_it->ch = c;
+			  cmp_it->lookback = back;
+			  cmp_it->nchars = back + 1;
 			}
 		    }
 		}
@ -1203,10 +1197,10 @@ composition_reseat_it (struct composition_it *cmp_it, ptrdiff_t charpos,
    {
      Lisp_Object lgstring = Qnil;
      Lisp_Object val, elt;
-      ptrdiff_t i;

      val = CHAR_TABLE_REF (Vcomposition_function_table, cmp_it->ch);
-      for (i = 0; i < cmp_it->rule_idx; i++, val = XCDR (val));
+      for (EMACS_INT i = 0; i < cmp_it->rule_idx; i++, val = XCDR (val))
+	continue;
      if (charpos < endpos)
 	{
 	  for (; CONSP (val); val = XCDR (val))
@ -1255,6 +1249,7 @@ composition_reseat_it (struct composition_it *cmp_it, ptrdiff_t charpos,
      if (NILP (LGSTRING_ID (lgstring)))
 	lgstring = composition_gstring_put_cache (lgstring, -1);
      cmp_it->id = XINT (LGSTRING_ID (lgstring));
+      int i;
      for (i = 0; i < LGSTRING_GLYPH_LEN (lgstring); i++)
 	if (NILP (LGSTRING_GLYPH (lgstring, i)))
 	  break;
--- a/src/dispextern.h
+++ b/src/dispextern.h
@ -2215,7 +2215,7 @@ struct composition_it
     the automatic composition.  Provided that ELT is an element of
     Vcomposition_function_table for CH, (nth ELT RULE_IDX) is the
     rule for the composition.  */
-  int rule_idx;
+  EMACS_INT rule_idx;
  /* If this is an automatic composition, how many characters to look
     back from the position where a character triggering the
     composition exists.  */
--- a/src/keyboard.c
+++ b/src/keyboard.c
@ -10020,7 +10020,7 @@ Internal use only.  */)
    add_command_key (make_number ('x' | meta_modifier));
  else
    add_command_key (make_number (key0));
-  for (int i = 1; i < SCHARS (keys); i++)
+  for (ptrdiff_t i = 1; i < SCHARS (keys); i++)
    add_command_key (make_number (SREF (keys, i)));
  return Qnil;
 }
--- a/src/xwidget.c
+++ b/src/xwidget.c
@ -301,13 +301,13 @@ webkit_js_to_lisp (JSContextRef context, JSValueRef value)
          {
            JSStringRef pname = JSStringCreateWithUTF8CString("length");
            JSValueRef len = JSObjectGetProperty (context, (JSObjectRef) value, pname, NULL);
-            int n = JSValueToNumber (context, len, NULL);
+            EMACS_INT n = JSValueToNumber (context, len, NULL);
            JSStringRelease(pname);

            Lisp_Object obj;
            struct Lisp_Vector *p = allocate_vector (n);

-            for (int i = 0; i < n; ++i)
+            for (ptrdiff_t i = 0; i < n; ++i)
              {
                p->contents[i] =
                  webkit_js_to_lisp (context,
@ -323,13 +323,13 @@ webkit_js_to_lisp (JSContextRef context, JSValueRef value)
            JSPropertyNameArrayRef properties =
              JSObjectCopyPropertyNames (context, (JSObjectRef) value);

-            int n = JSPropertyNameArrayGetCount (properties);
+            ptrdiff_t n = JSPropertyNameArrayGetCount (properties);
            Lisp_Object obj;

            /* TODO: can we use a regular list here?  */
            struct Lisp_Vector *p = allocate_vector (n);

-            for (int i = 0; i < n; ++i)
+            for (ptrdiff_t i = 0; i < n; ++i)
              {
                JSStringRef name = JSPropertyNameArrayGetNameAtIndex (properties, i);
                JSValueRef property = JSObjectGetProperty (context,
@ -733,8 +733,8 @@ DEFUN ("xwidget-resize", Fxwidget_resize, Sxwidget_resize, 3, 3, 0,
  (Lisp_Object xwidget, Lisp_Object new_width, Lisp_Object new_height)
 {
  CHECK_XWIDGET (xwidget);
-  CHECK_NATNUM (new_width);
-  CHECK_NATNUM (new_height);
+  CHECK_RANGED_INTEGER (new_width, 0, INT_MAX);
+  CHECK_RANGED_INTEGER (new_height, 0, INT_MAX);
  struct xwidget *xw = XXWIDGET (xwidget);
  int w = XFASTINT (new_width);
  int h = XFASTINT (new_height);