* bidi.c: Integer overflow fix.

(bidi_shelve_header_size): New constant. (bidi_cache_ensure_space, bidi_shelve_cache): Use it. (bidi_cache_ensure_space): Avoid integer overflow when allocating.
2025-12-27 07:41:28 -08:00 · 2011-07-28 13:27:41 -07:00 · 2011-07-28 13:27:41 -07:00 · bc18e09ddf
commit bc18e09ddf
parent 722e028b38
2 changed files with 26 additions and 11 deletions
--- a/src/ChangeLog
+++ b/src/ChangeLog
@ -1,3 +1,10 @@
+2011-07-28  Paul Eggert  <eggert@cs.ucla.edu>
+
+	* bidi.c: Integer overflow fix.
+	(bidi_shelve_header_size): New constant.
+	(bidi_cache_ensure_space, bidi_shelve_cache): Use it.
+	(bidi_cache_ensure_space): Avoid integer overflow when allocating.
+
 2011-07-19  Paul Eggert  <eggert@cs.ucla.edu>

 	Use ptrdiff_t for composition IDs.
--- a/src/bidi.c
+++ b/src/bidi.c
@ -306,6 +306,21 @@ static ptrdiff_t bidi_cache_last_idx;	/* slot of last cache hit */
 static ptrdiff_t bidi_cache_start = 0;	/* start of cache for this
 					   "stack" level */

+/* 5-slot stack for saving the start of the previous level of the
+   cache.  xdisp.c maintains a 5-slot stack for its iterator state,
+   and we need the same size of our stack.  */
+static ptrdiff_t bidi_cache_start_stack[IT_STACK_SIZE];
+static int bidi_cache_sp;
+
+/* Size of header used by bidi_shelve_cache.  */
+enum
+  {
+    bidi_shelve_header_size =
+      (sizeof (bidi_cache_idx) + sizeof (bidi_cache_start_stack)
+       + sizeof (bidi_cache_sp) + sizeof (bidi_cache_start)
+       + sizeof (bidi_cache_last_idx))
+  };
+
 /* Reset the cache state to the empty state.  We only reset the part
   of the cache relevant to iteration of the current object.  Previous
   objects, which are pushed on the display iterator's stack, are left
@ -471,7 +486,8 @@ bidi_cache_ensure_space (ptrdiff_t idx)
 	max (BUF_BYTES_MAX, STRING_BYTES_BOUND);

      /* Also, it cannot be larger than what C can represent.  */
-      ptrdiff_t c_bound = min (PTRDIFF_MAX, SIZE_MAX) / elsz;
+      ptrdiff_t c_bound =
+	(min (PTRDIFF_MAX, SIZE_MAX) - bidi_shelve_header_size) / elsz;

      if (min (string_or_buffer_bound, c_bound) <= idx)
 	memory_full (SIZE_MAX);
@ -568,11 +584,6 @@ bidi_peek_at_next_level (struct bidi_it *bidi_it)
 /***********************************************************************
 	     Pushing and popping the bidi iterator state
 ***********************************************************************/
-/* 5-slot stack for saving the start of the previous level of the
-   cache.  xdisp.c maintains a 5-slot stack for its iterator state,
-   and we need the same size of our stack.  */
-static ptrdiff_t bidi_cache_start_stack[IT_STACK_SIZE];
-static int bidi_cache_sp;

 /* Push the bidi iterator state in preparation for reordering a
   different object, e.g. display string found at certain buffer
@ -629,11 +640,8 @@ bidi_shelve_cache (void)
  if (bidi_cache_idx == 0)
    return NULL;

-  databuf = xmalloc (sizeof (bidi_cache_idx)
-		     + bidi_cache_idx * sizeof (struct bidi_it)
-		     + sizeof (bidi_cache_start_stack)
-		     + sizeof (bidi_cache_sp) + sizeof (bidi_cache_start)
-		     + sizeof (bidi_cache_last_idx));
+  databuf = xmalloc (bidi_shelve_header_size
+		     + bidi_cache_idx * sizeof (struct bidi_it));
  memcpy (databuf, &bidi_cache_idx, sizeof (bidi_cache_idx));
  memcpy (databuf + sizeof (bidi_cache_idx),
 	  bidi_cache, bidi_cache_idx * sizeof (struct bidi_it));