author | Paul Eggert <eggert@cs.ucla.edu> | 2024-07-20 15:52:05 -0700 |
---|---|---|
committer | Paul Eggert <eggert@cs.ucla.edu> | 2024-07-20 16:16:22 -0700 |
commit | 515e5ad0de133f0a3d501bd6290ccc51d8462955 (patch) | |
tree | 620ff4a699eab76b3bcb441b5507b87854f00097 /lisp/emacs-lisp | |
parent | 76497a01425e19a6c3a02c1e3031061fa0e7885b (diff) | |

Fix bool vector length overflow

* src/alloc.c (make_clear_bool_vector): It’s now the caller’s
responsibility to make sure the bool vector length is in range.
Add an eassert to double-check this. This lets some locals be
ptrdiff_t not EMACS_INT.
(Fmake_bool_vector, Fbool_vector):
Check that bool vector lengths are in range.
* src/lisp.h (BOOL_VECTOR_LENGTH_MAX): New macro.
(bool_vector_words, bool_vector_bytes): Avoid undefined
behavior if size == EMACS_INT_MAX - (BITS_PER_BITS_WORD - 1).
This is mostly theoretical but it’s easy to do it right.
* src/lread.c (read_bool_vector): Use EMACS_INT, not just ptrdiff_t.
Check that length doesn’t exceed BOOL_VECTOR_LENGTH_MAX.
This fixes an unlikely integer overflow where the calculated size
went negative.
Diffstat (limited to 'lisp/emacs-lisp')
0 files changed, 0 insertions, 0 deletions
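
The commit message above describes two defensive steps: range-check a bool vector length while it is still in the wide integer type, and compute the word count without an overflowing intermediate. The following C sketch is an added illustration of that pattern, not code from this commit or from Emacs; `WORD_BITS`, `WORD_BYTES`, `HEADER_BYTES` and all function names are hypothetical stand-ins, and `int64_t` stands in for the wide length type.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this sketch, not Emacs's definitions: 64-bit storage
   words and a 16-byte header in front of the bit data.  */
enum { WORD_BITS = 64, WORD_BYTES = 8, HEADER_BYTES = 16 };

/* True when the usual round-up (bits + WORD_BITS - 1) / WORD_BITS would
   overflow its signed intermediate, which is undefined behavior in C.  */
static bool naive_roundup_overflows (int64_t bits)
{
  return bits > INT64_MAX - (WORD_BITS - 1);
}

/* Round up without forming bits + WORD_BITS - 1.  Requires bits >= 0.  */
static int64_t words_for_bits (int64_t bits)
{
  return bits / WORD_BITS + (bits % WORD_BITS != 0);
}

/* Validate an untrusted bit length in the wide type before narrowing.
   On success store the allocation size in *bytes and return true.  */
static bool checked_alloc_bytes (int64_t bits, ptrdiff_t max_bytes,
                                 ptrdiff_t *bytes)
{
  if (bits < 0 || max_bytes < HEADER_BYTES)
    return false;
  int64_t words = words_for_bits (bits);
  if (words > (max_bytes - HEADER_BYTES) / WORD_BYTES)
    return false;
  *bytes = HEADER_BYTES + (ptrdiff_t) (words * WORD_BYTES);
  return true;
}

int main (void)
{
  /* Constructed sample lengths, as a reader might parse them from input.  */
  int64_t samples[] = { 0, 65, 126 * 64, 126 * 64 + 1, INT64_MAX, -1 };
  for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
    {
      ptrdiff_t bytes = 0;
      bool ok = checked_alloc_bytes (samples[i], 1024, &bytes);
      printf ("%lld: %s, naive overflow %d\n", (long long) samples[i],
              ok ? "accepted" : "rejected", naive_roundup_overflows (samples[i]));
    }
  return 0;
}
```

With a 1024-byte cap, lengths up to 126 words are accepted and anything larger or negative is rejected before any size arithmetic can wrap.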