diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/ChangeLog | 6 | ||||
| -rw-r--r-- | src/xterm.c | 18 |
2 files changed, 17 insertions, 7 deletions
diff --git a/src/ChangeLog b/src/ChangeLog index 32a117ed767..940beee887d 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,11 @@ 2011-07-17 Paul Eggert <eggert@cs.ucla.edu> + * xterm.c: don't go over XClientMessageEvent limit + (scroll_bar_windows_size): Now ptrdiff_t, as we prefer signed. + (x_send_scroll_bar_event): Likewise. Check that the size does not + exceed limits imposed by XClientMessageEvent, as well as the usual + ptrdiff_t and size_t limits. + * keyboard.c: Overflow, signedness and related fixes. (make_lispy_movement): Use same integer type in forward decl that is used in the definition. diff --git a/src/xterm.c b/src/xterm.c index 20516ee9d6f..5b6ddbb8ddf 100644 --- a/src/xterm.c +++ b/src/xterm.c @@ -4190,7 +4190,7 @@ xt_action_hook (Widget widget, XtPointer client_data, String action_name, x_send_scroll_bar_event and x_scroll_bar_to_input_event. */ static struct window **scroll_bar_windows; -static size_t scroll_bar_windows_size; +static ptrdiff_t scroll_bar_windows_size; /* Send a client message with message type Xatom_Scrollbar for a @@ -4205,7 +4205,7 @@ x_send_scroll_bar_event (Lisp_Object window, int part, int portion, int whole) XClientMessageEvent *ev = (XClientMessageEvent *) &event; struct window *w = XWINDOW (window); struct frame *f = XFRAME (w->frame); - size_t i; + ptrdiff_t i; BLOCK_INPUT; @@ -4226,12 +4226,16 @@ x_send_scroll_bar_event (Lisp_Object window, int part, int portion, int whole) if (i == scroll_bar_windows_size) { - size_t new_size = max (10, 2 * scroll_bar_windows_size); - size_t nbytes = new_size * sizeof *scroll_bar_windows; - size_t old_nbytes = scroll_bar_windows_size * sizeof *scroll_bar_windows; - - if ((size_t) -1 / sizeof *scroll_bar_windows < new_size) + ptrdiff_t new_size, old_nbytes, nbytes; + /* Check the 32-bit XClientMessageEvent limit, as well as the + usual ptrdiff_t/size_t limit. */ + if (min (0x7fffffff, + min (PTRDIFF_MAX, SIZE_MAX) / sizeof *scroll_bar_windows / 2) + < scroll_bar_windows_size) memory_full (SIZE_MAX); + new_size = max (10, 2 * scroll_bar_windows_size); + nbytes = new_size * sizeof *scroll_bar_windows; + old_nbytes = scroll_bar_windows_size * sizeof *scroll_bar_windows; scroll_bar_windows = (struct window **) xrealloc (scroll_bar_windows, nbytes); memset (&scroll_bar_windows[i], 0, nbytes - old_nbytes); |