| author | Paul Eggert <eggert@cs.ucla.edu> | 2011-06-08 10:22:24 -0700 |
|---|---|---|
| committer | Paul Eggert <eggert@cs.ucla.edu> | 2011-06-08 10:22:24 -0700 |
| commit | c9d624c605059127505b6d4baec8f07d6ff731d9 (patch) | |
| tree | 6479c3ac48386543ce3985053d117b25e4a75935 /src/lisp.h | |
| parent | 353032ce71627010043aba9d536a3e739894a1d2 (diff) | |
| download | emacs-c9d624c605059127505b6d4baec8f07d6ff731d9.tar.gz | |
* alloc.c: Catch some string size overflows that we were missing.
(XMALLOC_OVERRUN_CHECK_SIZE) [!XMALLOC_OVERRUN_CHECK]: Define to 0,
for convenience in STRING_BYTES_MAX.
(STRING_BYTES_MAX): New macro, superseding the old one in lisp.h.
The definition here is exact; the one in lisp.h was approximate.
(allocate_string_data): Check for string overflow. This catches
some instances we weren't catching before. Also, it catches
size_t overflow on (unusual) hosts where SIZE_MAX <= min
(PTRDIFF_MAX, MOST_POSITIVE_FIXNUM), e.g., when size_t is 32 bits
and ptrdiff_t and EMACS_INT are both 64 bits.
* character.c, coding.c, doprnt.c, editfns.c, eval.c:
All uses of STRING_BYTES_MAX replaced by STRING_BYTES_BOUND.
* lisp.h (STRING_BYTES_BOUND): Renamed from STRING_BYTES_MAX.
Diffstat (limited to 'src/lisp.h')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | src/lisp.h | 18 |

1 files changed, 13 insertions, 5 deletions
diff --git a/src/lisp.h b/src/lisp.h index c5f810a0746..a1bc794ead5 100644 --- a/src/lisp.h +++ b/src/lisp.h @@ -765,11 +765,19 @@ extern EMACS_INT string_bytes (struct Lisp_String *); #endif /* not GC_CHECK_STRING_BYTES */ -/* A string cannot contain more bytes than a fixnum can represent, - nor can it be so long that C pointer arithmetic stops working on - the string plus a terminating null. */ -#define STRING_BYTES_MAX \ - min (MOST_POSITIVE_FIXNUM, min (SIZE_MAX, PTRDIFF_MAX) - 1) +/* An upper bound on the number of bytes in a Lisp string, not + counting the terminating null. This a tight enough bound to + prevent integer overflow errors that would otherwise occur during + string size calculations. A string cannot contain more bytes than + a fixnum can represent, nor can it be so long that C pointer + arithmetic stops working on the string plus its terminating null. + Although the actual size limit (see STRING_BYTES_MAX in alloc.c) + may be a bit smaller than STRING_BYTES_BOUND, calculating it here + would expose alloc.c internal details that we'd rather keep + private. The cast to ptrdiff_t ensures that STRING_BYTES_BOUND is + signed. */ +#define STRING_BYTES_BOUND \ + min (MOST_POSITIVE_FIXNUM, (ptrdiff_t) min (SIZE_MAX, PTRDIFF_MAX) - 1) /* Mark STR as a unibyte string. */ #define STRING_SET_UNIBYTE(STR) \ |
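Review bot: the new comment block has a typo, "This a tight enough bound to" should read "This is a tight enough bound to". On the substance, since the comment says the actual limit STRING_BYTES_MAX in alloc.c "may be a bit smaller than STRING_BYTES_BOUND", it would help to state explicitly that STRING_BYTES_BOUND is only meant for overflow pre-checks in size arithmetic and that the exact, allocation-time check still lives in allocate_string_data, so the call sites in character.c, coding.c, doprnt.c, editfns.c and eval.c that now use the renamed macro do not treat it as the real limit. The `(ptrdiff_t)` cast placed before the `- 1` in `min (MOST_POSITIVE_FIXNUM, (ptrdiff_t) min (SIZE_MAX, PTRDIFF_MAX) - 1)` does keep the result signed as the comment states, which is what callers comparing against ptrdiff_t values need.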