author | Paul Eggert <eggert@cs.ucla.edu> | 2011-06-12 17:36:03 -0700 |
---|---|---|
committer | Paul Eggert <eggert@cs.ucla.edu> | 2011-06-12 17:36:03 -0700 |
commit | 13bdea59234b227bf8499a64352da3e5fd9e8c7b (patch) | |
tree | deddcce496ffa4fdb6d5ffd45ec8c2c7c5c49d0c /src/character.h | |
parent | d37ca62316e7526da7d75cc44c7a4cd8a6281bb5 (diff) | |
Make sure a 64-bit char is never passed to CHAR_STRING.
Otherwise, CHAR_STRING would do the wrong thing on a 64-bit platform,
by silently ignoring the top 32 bits, allowing some values
that were far too large to be valid characters.
* character.h: Include <verify.h>.
(CHAR_STRING, CHAR_STRING_ADVANCE): Verify that the character
arguments are no wider than unsigned, as a compile-time check
to prevent future regressions in this area.
* data.c (Faset):
* editfns.c (Fchar_to_string, general_insert_function, Finsert_char):
(Fsubst_char_in_region):
* fns.c (concat):
* xdisp.c (decode_mode_spec_coding):
Adjust to CHAR_STRING's new requirement.
* editfns.c (Finsert_char, Fsubst_char_in_region):
* fns.c (concat): Check that character args are actually
characters. Without this test, these functions did the wrong
thing with wildly out-of-range values on 64-bit hosts.
Diffstat (limited to 'src/character.h')
-rw-r--r-- | src/character.h | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/character.h b/src/character.h
index 695a55be3fa..de97754cfc7 100644
--- a/src/character.h
+++ b/src/character.h
@@ -23,6 +23,8 @@ along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
 #ifndef EMACS_CHARACTER_H
 #define EMACS_CHARACTER_H
+#include <verify.h>
+
 /* character code 1st byte byte sequence -------------- -------- ------------- 0-7F 00..7F 0xxxxxxx
@@ -173,7 +175,7 @@ along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
 (p)[1] = (0x80 | (((c) >> 6) & 0x3F)), \
 (p)[2] = (0x80 | ((c) & 0x3F)), \
 3) \
- : char_string ((unsigned) c, p))
+ : (char_string (c, p) + !verify_true (sizeof (c) <= sizeof (unsigned))))
 /* Store multibyte form of byte B in P. The caller should allocate at least MAX_MULTIBYTE_LENGTH bytes area at P in advance. Returns the
@@ -201,7 +203,10 @@ along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
 *(p)++ = (0x80 | (((c) >> 6) & 0x3F)), \
 *(p)++ = (0x80 | ((c) & 0x3F)); \
 else \
- (p) += char_string ((c), (p)); \
+ { \
+ verify (sizeof (c) <= sizeof (unsigned)); \
+ (p) += char_string (c, p); \
+ } \
 } while (0) |
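Review bot: The `verify_true` term added to the last branch of CHAR_STRING (second hunk) checks only the width of `c` at compile time, and nothing beside the macro says so. `sizeof (c) <= sizeof (unsigned)` still accepts a negative `int` or an out-of-range 32-bit value, so the runtime range checks the commit message describes for the callers remain the only thing rejecting invalid character codes. A comment above the macro would state that contract, for example `/* C must be no wider than unsigned (checked at compile time); callers must range-check wider values before narrowing.  */`, along with a remark that `!verify_true (...)` contributes 0 to the returned length. The same width-only check is added to CHAR_STRING_ADVANCE in the third hunk, and both macro definitions begin outside the hunks shown.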
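Review bot: In CHAR_STRING_ADVANCE (third hunk) the `verify` sits inside the `else` block, which reads as if only the `char_string` fallback were guarded. The assertion is resolved at compile time whichever branch runs, so the behaviour is right, but the shorter-encoding branches above also shift and mask `c`, and the placement does not show that they are covered too. A one-line comment in the block, `/* Compile-time width check; applies to every use of C in this macro.  */ \`, would remove the ambiguity. The macro's opening lines are outside the hunk.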