From: Paul Eggert Date: Wed, 8 Jun 2011 17:48:26 +0000 (-0700) Subject: * alloc.c (allocate_vectorlike): Check for ptrdiff_t overflow. X-Git-Tag: archive/raspbian/1%29.2+1-2+rpi1^2~5^2~844^2~1241^2~69 X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https:/www.github.com/%22bookmarks:///%22http:/www.example.com/cgi/%22https:/www.github.com/%22bookmarks:/?a=commitdiff_plain;h=86f61a158aea8dead5a0836a919a0ce501d3bcf7;p=emacs.git * alloc.c (allocate_vectorlike): Check for ptrdiff_t overflow. --- diff --git a/src/ChangeLog b/src/ChangeLog index 6da301c9d07..e2b1b294968 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,6 +1,7 @@ 2011-06-08 Paul Eggert * alloc.c (Fmake_bool_vector): Don't assume vector size fits in int. + (allocate_vectorlike): Check for ptrdiff_t overflow. * alloc.c: Catch some string size overflows that we were missing. (XMALLOC_OVERRUN_CHECK_SIZE) [!XMALLOC_OVERRUN_CHECK]: Define to 0, diff --git a/src/alloc.c b/src/alloc.c index 88542e86c48..2dbaef9b00b 100644 --- a/src/alloc.c +++ b/src/alloc.c @@ -2802,10 +2802,11 @@ allocate_vectorlike (EMACS_INT len) { struct Lisp_Vector *p; size_t nbytes; + ptrdiff_t nbytes_max = min (PTRDIFF_MAX, SIZE_MAX); int header_size = offsetof (struct Lisp_Vector, contents); int word_size = sizeof p->contents[0]; - if ((SIZE_MAX - header_size) / word_size < len) + if ((nbytes_max - header_size) / word_size < len) memory_full (SIZE_MAX); MALLOC_BLOCK_INPUT;
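Review bot: In the alloc.c hunk, the new test `(nbytes_max - header_size) / word_size < len` is a signed comparison, because `nbytes_max` is `ptrdiff_t` and `header_size` and `word_size` are `int`. Assuming `EMACS_INT` is a signed type, a negative `len` is smaller than the bound and passes the check, whereas the old left-hand side was built from `SIZE_MAX` and so had an unsigned type. Consider rejecting `len < 0` explicitly before the division, or add a comment stating that callers guarantee a non-negative `len`. A one-line comment on why the bound is `min (PTRDIFF_MAX, SIZE_MAX)` would also help, since `memory_full (SIZE_MAX)` on the next line still reports the old limit and the two values now differ in meaning.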