authorBruno Haible <bruno@clisp.org>2003-11-04 12:06:16 +0000
committerBruno Haible <bruno@clisp.org>2003-11-04 12:06:16 +0000
commitbf5c2a54b1f62943eec85b3baed47bc084cd36c2 (patch)
tree49c70aa8e3ea7e3ffd1a6fda7cf1451bf14ec62c
parente2ccb547fe90b9e4445b0e8caa56239b311c1183 (diff)
downloadgnulib-bf5c2a54b1f62943eec85b3baed47bc084cd36c2.tar.gz
New module 'xsize'.
-rw-r--r--ChangeLog6
-rw-r--r--lib/ChangeLog8
-rw-r--r--lib/xsize.h89
-rw-r--r--m4/ChangeLog4
-rw-r--r--m4/xsize.m413
-rw-r--r--modules/xsize21
6 files changed, 141 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 08958b5f56..e435554c59 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2003-11-04 Bruno Haible <bruno@clisp.org>
+
+ * modules/xsize: New file.
+ * modules/linebreak: Depend on xsize.
+ * MODULES.html.sh (func_all_modules): Add xsize.
+
2003-11-04 Jim Meyering <jim@meyering.net>
* modules/sysexits: Use the `$(VAR)' notation for AC_SUBST'd
diff --git a/lib/ChangeLog b/lib/ChangeLog
index 2a3e00316a..24f9a9cbe4 100644
--- a/lib/ChangeLog
+++ b/lib/ChangeLog
@@ -1,3 +1,11 @@
+2003-11-04 Bruno Haible <bruno@clisp.org>
+
+ * xsize.h: New file.
+ * linebreak.c: Include xsize.h.
+ (mbs_possible_linebreaks, mbs_width_linebreaks): Check malloc()
+ argument for overflow.
+ Suggested by Paul Eggert.
+
2003-10-31 Bruno Haible <bruno@clisp.org>
* wait-process.c (wait_process): Use waitid with WNOWAIT if available,
diff --git a/lib/xsize.h b/lib/xsize.h
new file mode 100644
index 0000000000..4410193e66
--- /dev/null
+++ b/lib/xsize.h
@@ -0,0 +1,89 @@
+/* xsize.h -- Checked size_t computations.
+
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2, or (at your option)
+ any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software Foundation,
+ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
+
+#ifndef _XSIZE_H
+#define _XSIZE_H
+
+/* Get size_t. */
+#include <stddef.h>
+
+/* Get SIZE_MAX. */
+#if HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifndef SIZE_MAX
+# define SIZE_MAX ((size_t) -1)
+#endif
+
+/* The size of memory objects is often computed through expressions of
+ type size_t. Example:
+ void* p = malloc (header_size + n * element_size).
+ These computations can lead to overflow. When this happens, malloc()
+ returns a piece of memory that is way too small, and the program then
+ crashes while attempting to fill the memory.
+ To avoid this, the functions and macros in this file check for overflow.
+ The convention is that SIZE_MAX represents overflow.
+ malloc (SIZE_MAX) is not guaranteed to fail -- think of a malloc
+ implementation that uses mmap --, it's recommended to use SIZE_OVERFLOW_P
+ before invoking malloc().
+ The example thus becomes:
+ size_t size = xsum (header_size, xtimes (n, element_size));
+ void *p = (!SIZE_OVERFLOW_P (size) ? malloc (size) : NULL);
+*/
+
+/* Convert an arbitrary value >= 0 to type size_t. */
+#define xcast_size_t(N) \
+ ((N) <= SIZE_MAX ? (size_t) (N) : SIZE_MAX)
+
+/* Sum of two sizes, with overflow check. */
+static inline size_t
+xsum (size_t size1, size_t size2)
+{
+ size_t sum = size1 + size2;
+ return (sum >= size1 ? sum : SIZE_MAX);
+}
+
+/* Sum of three sizes, with overflow check. */
+static inline size_t
+xsum3 (size_t size1, size_t size2, size_t size3)
+{
+ return xsum (xsum (size1, size2), size3);
+}
+
+/* Sum of four sizes, with overflow check. */
+static inline size_t
+xsum4 (size_t size1, size_t size2, size_t size3, size_t size4)
+{
+ return xsum (xsum (xsum (size1, size2), size3), size4);
+}
+
+/* Multiplication of a count with an element size, with overflow check.
+ The count must be >= 0 and the element size must be > 0.
+ This is a macro, not an inline function, so that it works correctly even
+ when N is of a wider tupe and N > SIZE_MAX. */
+#define xtimes(N, ELSIZE) \
+ ((N) <= SIZE_MAX / (ELSIZE) ? (size_t) (N) * (ELSIZE) : SIZE_MAX)
+
+/* Check for overflow. */
+#define size_overflow_p(SIZE) \
+ ((SIZE) == SIZE_MAX)
+/* Check against overflow. */
+#define size_in_bounds_p(SIZE) \
+ ((SIZE) != SIZE_MAX)
+
+#endif /* _XSIZE_H */
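Review bot: The usage example in the new header's introductory comment calls `SIZE_OVERFLOW_P (size)`, but the macros actually defined at the end of the file are `size_overflow_p` and `size_in_bounds_p`, so anyone copying the example gets an undeclared-identifier error; the line should read `void *p = (size_in_bounds_p (size) ? malloc (size) : NULL);` and the sentence before it should name `size_in_bounds_p` rather than `SIZE_OVERFLOW_P`. Two caveats also belong in the comments: `xcast_size_t` and `xtimes` are macros that evaluate `N` (and `ELSIZE`) twice, so their arguments must be free of side effects, and the stated `>= 0` precondition is load-bearing, because a negative `N` is not reliably mapped to the SIZE_MAX sentinel (for instance `xcast_size_t (-5)` converts to a huge non-sentinel size_t, and a negative `N` of a type wider than size_t can make `xtimes` wrap to an arbitrary size), so counts derived from untrusted input must be range-checked before they reach these macros. Since the convention makes a legitimately computed size of exactly SIZE_MAX indistinguishable from overflow, a one-line reminder of that on `xsum` and `xtimes` would help readers who only see those definitions. The word 'tupe' in the `xtimes` comment should be 'type'.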
diff --git a/m4/ChangeLog b/m4/ChangeLog
index ed2c25dddc..950443ed52 100644
--- a/m4/ChangeLog
+++ b/m4/ChangeLog
@@ -1,3 +1,7 @@
+2003-11-04 Bruno Haible <bruno@clisp.org>
+
+ * xsize.m4: New file.
+
2003-11-03 Bruno Haible <bruno@clisp.org>
* wait-process.m4 (gl_WAIT_PROCESS): Also check for waitid.
diff --git a/m4/xsize.m4 b/m4/xsize.m4
new file mode 100644
index 0000000000..ee30a4d458
--- /dev/null
+++ b/m4/xsize.m4
@@ -0,0 +1,13 @@
+# xsize.m4 serial 1
+dnl Copyright (C) 2003 Free Software Foundation, Inc.
+dnl This file is free software, distributed under the terms of the GNU
+dnl General Public License. As a special exception to the GNU General
+dnl Public License, this file may be distributed as part of a program
+dnl that contains a configuration script generated by Autoconf, under
+dnl the same distribution terms as the rest of that program.
+
+AC_DEFUN([gl_XSIZE],
+[
+ dnl Prerequisites of lib/xsize.h.
+ AC_CHECK_HEADERS(stdint.h)
+])
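Review bot: The header this macro configures (lib/xsize.h) declares its helpers `static inline`, yet `gl_XSIZE` only checks for `<stdint.h>`; unless the project's configure script already runs AC_C_INLINE elsewhere, a pre-C99 compiler will reject the `inline` keyword and the header fails to compile. Add `AC_REQUIRE([AC_C_INLINE])` to the body of `gl_XSIZE` so that `inline` is defined away where the compiler lacks it, and mention that prerequisite in the `dnl Prerequisites of lib/xsize.h.` comment.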
diff --git a/modules/xsize b/modules/xsize
new file mode 100644
index 0000000000..f4d1597015
--- /dev/null
+++ b/modules/xsize
@@ -0,0 +1,21 @@
+Description:
+Checked size_t computations.
+
+Files:
+lib/xsize.h
+m4/xsize.m4
+
+Depends-on:
+
+configure.ac:
+gl_XSIZE
+
+Makefile.am:
+lib_SOURCES += xsize.h
+
+Include:
+"xsize.h"
+
+Maintainer:
+Bruno Haible
+