authorPaul Eggert <eggert@cs.ucla.edu>2011-06-22 23:31:41 -0700
committerPaul Eggert <eggert@cs.ucla.edu>2011-06-22 23:31:41 -0700
commit6d84508d181fec22ef538b5a6ba7e2072d1de8e7 (patch)
treeef8d0592e00b9122e5a0762e6c0a42191fab5e73 /src
parent20270765bee11c46dc5a16ccca169751ce4e89ea (diff)
downloademacs-6d84508d181fec22ef538b5a6ba7e2072d1de8e7.tar.gz
* macros.c: Integer and buffer overflow fixes.
* keyboard.h (struct keyboard.kbd_macro_bufsize): * macros.c (Fstart_kbd_macro, store_kbd_macro_char): Use ptrdiff_t, not int, for sizes. Don't increment bufsize until after realloc succeeds. Check for size-calculation overflow. (Fstart_kbd_macro): Use EMACS_INT, not int, for XINT result.
Diffstat (limited to 'src')
-rw-r--r--src/ChangeLog8
-rw-r--r--src/keyboard.h2
-rw-r--r--src/macros.c19
3 files changed, 22 insertions, 7 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 1e9cf82d1ac..c3eaaa4ff2d 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,13 @@
2011-06-23 Paul Eggert <eggert@cs.ucla.edu>
+ * macros.c: Integer and buffer overflow fixes.
+ * keyboard.h (struct keyboard.kbd_macro_bufsize):
+ * macros.c (Fstart_kbd_macro, store_kbd_macro_char):
+ Use ptrdiff_t, not int, for sizes.
+ Don't increment bufsize until after realloc succeeds.
+ Check for size-calculation overflow.
+ (Fstart_kbd_macro): Use EMACS_INT, not int, for XINT result.
+
* lisp.h (DEFVAR_KBOARD): Use offsetof instead of char * finagling.
* lread.c: Integer overflow fixes.
diff --git a/src/keyboard.h b/src/keyboard.h
index 20763c35f3a..91008a3ea24 100644
--- a/src/keyboard.h
+++ b/src/keyboard.h
@@ -123,7 +123,7 @@ struct kboard
Lisp_Object *kbd_macro_end;
/* Allocated size of kbd_macro_buffer. */
- int kbd_macro_bufsize;
+ ptrdiff_t kbd_macro_bufsize;
/* Last anonymous kbd macro defined. */
Lisp_Object KBOARD_INTERNAL_FIELD (Vlast_kbd_macro);
diff --git a/src/macros.c b/src/macros.c
index 3523e513d6a..ea33dbf2d2c 100644
--- a/src/macros.c
+++ b/src/macros.c
@@ -71,10 +71,10 @@ macro before appending to it. */)
{
if (current_kboard->kbd_macro_bufsize > 200)
{
- current_kboard->kbd_macro_bufsize = 30;
current_kboard->kbd_macro_buffer
= (Lisp_Object *)xrealloc (current_kboard->kbd_macro_buffer,
30 * sizeof (Lisp_Object));
+ current_kboard->kbd_macro_bufsize = 30;
}
current_kboard->kbd_macro_ptr = current_kboard->kbd_macro_buffer;
current_kboard->kbd_macro_end = current_kboard->kbd_macro_buffer;
@@ -82,7 +82,8 @@ macro before appending to it. */)
}
else
{
- int i, len;
+ ptrdiff_t i;
+ EMACS_INT len;
int cvt;
/* Check the type of last-kbd-macro in case Lisp code changed it. */
@@ -94,10 +95,13 @@ macro before appending to it. */)
has put another macro there. */
if (current_kboard->kbd_macro_bufsize < len + 30)
{
- current_kboard->kbd_macro_bufsize = len + 30;
+ if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (Lisp_Object) - 30
+ < current_kboard->kbd_macro_bufsize)
+ memory_full (SIZE_MAX);
current_kboard->kbd_macro_buffer
= (Lisp_Object *)xrealloc (current_kboard->kbd_macro_buffer,
(len + 30) * sizeof (Lisp_Object));
+ current_kboard->kbd_macro_bufsize = len + 30;
}
/* Must convert meta modifier when copying string to vector. */
@@ -191,14 +195,17 @@ store_kbd_macro_char (Lisp_Object c)
{
if (kb->kbd_macro_ptr - kb->kbd_macro_buffer == kb->kbd_macro_bufsize)
{
- int ptr_offset, end_offset, nbytes;
+ ptrdiff_t ptr_offset, end_offset, nbytes;
ptr_offset = kb->kbd_macro_ptr - kb->kbd_macro_buffer;
end_offset = kb->kbd_macro_end - kb->kbd_macro_buffer;
- kb->kbd_macro_bufsize *= 2;
- nbytes = kb->kbd_macro_bufsize * sizeof *kb->kbd_macro_buffer;
+ if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *kb->kbd_macro_buffer / 2
+ < kb->kbd_macro_bufsize)
+ memory_full (SIZE_MAX);
+ nbytes = kb->kbd_macro_bufsize * 2 * sizeof *kb->kbd_macro_buffer;
kb->kbd_macro_buffer
= (Lisp_Object *) xrealloc (kb->kbd_macro_buffer, nbytes);
+ kb->kbd_macro_bufsize *= 2;
kb->kbd_macro_ptr = kb->kbd_macro_buffer + ptr_offset;
kb->kbd_macro_end = kb->kbd_macro_buffer + end_offset;
}
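Review bot: In the Fstart_kbd_macro hunk (@@ -94,10 +95,13 @@) the new overflow guard compares against `current_kboard->kbd_macro_bufsize`, but the value actually multiplied on the following xrealloc line is `len + 30`, and the enclosing `if` has just established that bufsize is smaller than `len + 30`, so the guard bounds the wrong operand. `len` is an EMACS_INT taken from XINT, which on configurations where EMACS_INT is wider than ptrdiff_t can exceed PTRDIFF_MAX, so `(len + 30) * sizeof (Lisp_Object)` may still overflow or be narrowed before xrealloc sees it; in practice len is presumably the length of an existing Lisp object and far smaller, but the check as written does not establish that. The comparison should test len instead: `if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (Lisp_Object) - 30 < len)`. The store_kbd_macro_char hunk gets this right, since it divides by 2 and compares against the same bufsize it then doubles. Fstart_kbd_macro begins before the first macros.c hunk and its body continues between and after the hunks shown.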