From 7c0196fff8a96c07006a5401a573589ddb3151f3 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 28 Jul 2011 13:30:20 -0700
Subject: [PATCH] * character.c (Fstring): Check for size-calculation overflow.

---
 src/ChangeLog   | 2 ++
 src/character.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/src/ChangeLog b/src/ChangeLog
index c9d5dc10cf9..107facd8e7c 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,7 @@
 2011-07-28  Paul Eggert  <eggert@cs.ucla.edu>
 
+	* character.c (Fstring): Check for size-calculation overflow.
+
 	* ccl.c: Integer and memory overflow fixes.
 	(Fccl_execute_on_string): Check for memory overflow.
 	Use ptrdiff_t rather than EMACS_INT where ptrdiff_t will do.
diff --git a/src/character.c b/src/character.c
index 5e2eccf54db..50b5b252871 100644
--- a/src/character.c
+++ b/src/character.c
@@ -902,6 +902,8 @@ usage: (string &rest CHARACTERS)  */)
   Lisp_Object str;
   USE_SAFE_ALLOCA;
 
+  if (min (PTRDIFF_MAX, SIZE_MAX) / MAX_MULTIBYTE_LENGTH < n)
+    memory_full (SIZE_MAX);
   SAFE_ALLOCA (buf, unsigned char *, MAX_MULTIBYTE_LENGTH * n);
   p = buf;
 
-- 
2.30.2