-rw-r--r--src/ChangeLog16
-rw-r--r--src/coding.c10
-rw-r--r--src/fileio.c11
3 files changed, 27 insertions, 10 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 14d5ac9de48..7bfb291707b 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,4 +1,18 @@
-2011-04-29 Eli Zaretskii <eliz@gnu.org>
+2011-04-21 Eli Zaretskii <eliz@gnu.org>
+
+ Lift the MOST_POSITIVE_FIXNUM/4 limitation on visited files.
+ * fileio.c (Finsert_file_contents): Don't limit file size to 1/4
+ of MOST_POSITIVE_FIXNUM. (Bug#8528)
+
+ * coding.c (coding_alloc_by_realloc): Error out if destination
+ will grow beyond MOST_POSITIVE_FIXNUM.
+ (decode_coding_emacs_mule): Abort if there isn't enough place in
+ charbuf for the composition carryover bytes. Reserve an extra
+ space for up to 2 characters produced in a loop.
+ (decode_coding_iso_2022): Abort if there isn't enough place in
+ charbuf for the composition carryover bytes.
+
+2011-04-21 Eli Zaretskii <eliz@gnu.org>
* doprnt.c (doprnt) [!HAVE_LONG_LONG_INT]: Error out instead of
aborting when %lld or %lll format is passed.
diff --git a/src/coding.c b/src/coding.c
index c129c94203c..d17346efdcb 100644
--- a/src/coding.c
+++ b/src/coding.c
@@ -1071,6 +1071,8 @@ coding_set_destination (struct coding_system *coding)
static void
coding_alloc_by_realloc (struct coding_system *coding, EMACS_INT bytes)
{
+ if (coding->dst_bytes >= MOST_POSITIVE_FIXNUM - bytes)
+ error ("Maximum size of buffer or string exceeded");
coding->destination = (unsigned char *) xrealloc (coding->destination,
coding->dst_bytes + bytes);
coding->dst_bytes += bytes;
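Review bot: The new guard on the first added line assumes `bytes` is non-negative: `MOST_POSITIVE_FIXNUM - bytes` is evaluated before the comparison, so a negative `bytes` would overflow signed EMACS_INT arithmetic, and the `>=` also rejects a destination of exactly MOST_POSITIVE_FIXNUM bytes even though fileio.c in this same commit accepts a file of that size. The callers are not visible in the hunk, so if every caller passes a positive count the condition is sound, but the precondition and the reason for the bound deserve a comment above the check: `/* Keep the destination size representable as an Emacs fixnum; BYTES must be non-negative.  */`.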
@@ -2333,7 +2335,9 @@ decode_coding_emacs_mule (struct coding_system *coding)
/* We may produce two annotations (charset and composition) in one
loop and one more charset annotation at the end. */
int *charbuf_end
- = coding->charbuf + coding->charbuf_size - (MAX_ANNOTATION_LENGTH * 3);
+ = coding->charbuf + coding->charbuf_size - (MAX_ANNOTATION_LENGTH * 3)
+ /* We can produce up to 2 characters in a loop. */
+ - 1;
EMACS_INT consumed_chars = 0, consumed_chars_base;
int multibytep = coding->src_multibyte;
EMACS_INT char_offset = coding->produced_char;
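Review bot: The added `- 1` is justified only by "We can produce up to 2 characters in a loop", which reads as an off-by-one unless the reader knows how the decode loop tests against `charbuf_end`; that test is outside the hunk, and only if it is of the form `charbuf < charbuf_end` does one slot come for free so that a second character needs exactly one more. A comment spliced into the middle of an initializer is also hard to read; I would put the reasoning in the comment that already precedes the declaration, e.g. `/* ... and one more charset annotation at the end.  A loop may also store 2 characters while its bound check only guarantees room for one, so reserve one extra slot.  */`, and keep the initializer as a single expression. decode_coding_emacs_mule's body continues past the hunk.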
@@ -2348,6 +2352,8 @@ decode_coding_emacs_mule (struct coding_system *coding)
{
int i;
+ if (charbuf_end - charbuf < cmp_status->length)
+ abort ();
for (i = 0; i < cmp_status->length; i++)
*charbuf++ = cmp_status->carryover[i];
coding->annotated = 1;
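Review bot: The added `abort ()` here and the identical one in the decode_coding_iso_2022 hunk (the `if (charbuf_end - charbuf < cmp_status->length)` check) assert an invariant without stating it, and since `abort ()` takes the whole editor down, a reader should be able to tell that the branch is unreachable through ordinary input rather than a way for a crafted file to crash Emacs. A one-line comment above each check would do: `/* charbuf_end reserves room for the composition carryover; running short here is a sizing bug in this decoder, not bad input.  */`. The type of `cmp_status->length` is not visible in the hunk; if it is a plain int the comparison with the ptrdiff_t pointer difference is fine, otherwise it deserves a look. Both enclosing functions extend beyond their hunks.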
@@ -3479,6 +3485,8 @@ decode_coding_iso_2022 (struct coding_system *coding)
if (cmp_status->state != COMPOSING_NO)
{
+ if (charbuf_end - charbuf < cmp_status->length)
+ abort ();
for (i = 0; i < cmp_status->length; i++)
*charbuf++ = cmp_status->carryover[i];
coding->annotated = 1;
diff --git a/src/fileio.c b/src/fileio.c
index dcba6b6c0ae..7e6fd8c82a8 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -3245,15 +3245,10 @@ variable `last-coding-system-used' to the coding system actually used. */)
record_unwind_protect (close_file_unwind, make_number (fd));
- /* Arithmetic overflow can occur if an Emacs integer cannot represent the
- file size, or if the calculations below overflow. The calculations below
- double the file size twice, so check that it can be multiplied by 4
- safely.
-
- Also check whether the size is negative, which can happen on a platform
- that allows file sizes greater than the maximum off_t value. */
+ /* Check whether the size is too large or negative, which can happen on a
+ platform that allows file sizes greater than the maximum off_t value. */
if (! not_regular
- && ! (0 <= st.st_size && st.st_size <= MOST_POSITIVE_FIXNUM / 4))
+ && ! (0 <= st.st_size && st.st_size <= MOST_POSITIVE_FIXNUM))
error ("Maximum buffer size exceeded");
/* Prevent redisplay optimizations. */
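Review bot: The removed comment said the arithmetic further down in Finsert_file_contents doubles the file size twice, and the replacement check on the new `st.st_size <= MOST_POSITIVE_FIXNUM` line no longer leaves that headroom; unless those later computations were changed as well (they are outside the hunk, and the only other guard this commit adds is in coding_alloc_by_realloc), a file just under MOST_POSITIVE_FIXNUM bytes can now push them past the fixnum range before the decoder's check is reached. The new comment should at least say where the protection now lives: `/* Sizes above MOST_POSITIVE_FIXNUM are rejected here; growth during decoding is bounded by coding_alloc_by_realloc.  */`. Finsert_file_contents starts and ends outside the hunk.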