From: Paul Eggert
Newsgroups: gmane.emacs.bugs
Subject: bug#9079: integer overflow etc. issues (e.g., image crashes Emacs)
Date: Fri, 15 Jul 2011 00:22:44 -0700
Organization: UCLA Computer Science Department
Message-ID: <4E1FEAC4.9000000@cs.ucla.edu>
References: <4E1EA0FB.5070903@cs.ucla.edu> <4E1F675E.1020907@cs.ucla.edu> <83aacghz98.fsf@gnu.org>
In-Reply-To: <83aacghz98.fsf@gnu.org>
To: Eli Zaretskii
Cc: 9079@debbugs.gnu.org
X-GNU-PR-Message: followup 9079
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch
Xref: news.gmane.org gmane.emacs.bugs:49110

On 07/14/11 22:46, Eli Zaretskii wrote:

> why is it a good idea to use ptrdiff_t instead of EMACS_INT?

Normally, ptrdiff_t and EMACS_INT are the same, but if --with-wide-int is specified on a 32-bit host, ptrdiff_t is half the size of EMACS_INT and is therefore more efficient. That is, if a value is guaranteed to fit within both ptrdiff_t and EMACS_INT ranges, then it's typically better to store it in a ptrdiff_t variable.

> the bidi cache can never be longer than the longest Lisp
> string or buffer. So having a cache longer than that is already a
> bug, and we should announce memory full when a Lisp integer overflows.

Thanks, I didn't know about that constraint. More precisely, we should announce memory full when either (1) the size of the longest Lisp string or buffer is exceeded, or (2) the limits of the bidi cache's underlying C representation are exceeded. The code was already doing (2) but it was not doing (1). A further patch to do that is below.

* bidi.c (bidi_cache_ensure_space): Also check that the bidi cache size does not exceed that of the largest Lisp string or buffer. See Eli Zaretskii in .

=== modified file 'src/bidi.c'
--- src/bidi.c 2011-07-14 21:57:00 +0000
+++ src/bidi.c 2011-07-15 06:43:47 +0000
@@ -464,9 +464,16 @@ if (idx >= bidi_cache_size) { ptrdiff_t new_size; - ptrdiff_t max_size = - min (PTRDIFF_MAX, SIZE_MAX) / elsz / BIDI_CACHE_CHUNK * BIDI_CACHE_CHUNK; - if (max_size <= idx) + + /* The bidi cache cannot be larger than the largest Lisp string + or buffer. */ + ptrdiff_t string_or_buffer_bound = + max (BUF_BYTES_MAX, STRING_BYTES_BOUND); + + /* Also, it cannot be larger than what C can represent. */ + ptrdiff_t c_bound = min (PTRDIFF_MAX, SIZE_MAX) / elsz; + + if (min (string_or_buffer_bound, c_bound) <= idx) memory_full (SIZE_MAX); new_size = idx - idx % BIDI_CACHE_CHUNK + BIDI_CACHE_CHUNK; bidi_cache = (struct bidi_it *) xrealloc (bidi_cache, new_size * elsz);
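Review bot: the new c_bound drops the `/ BIDI_CACHE_CHUNK * BIDI_CACHE_CHUNK` rounding that the removed max_size had, while new_size is still rounded up to the next chunk boundary (`new_size = idx - idx % BIDI_CACHE_CHUNK + BIDI_CACHE_CHUNK`). An idx just below c_bound therefore passes the `if (min (string_or_buffer_bound, c_bound) <= idx)` check and then produces new_size > c_bound, so `new_size * elsz` can exceed min (PTRDIFF_MAX, SIZE_MAX) before reaching xrealloc. Suggest keeping the rounding, e.g. `ptrdiff_t c_bound = min (PTRDIFF_MAX, SIZE_MAX) / elsz / BIDI_CACHE_CHUNK * BIDI_CACHE_CHUNK;`, or alternatively checking new_size (not idx) against the bound once it has been computed.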
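The two-bound check discussed above (a domain bound from the largest Lisp string or buffer, plus a C-representation bound derived from PTRDIFF_MAX and SIZE_MAX), as an added example that is not Emacs code and not part of the original message. It puts the unchecked size arithmetic next to the checked version so the wrap-around is visible, and it rounds the C bound down to a chunk multiple as the pre-patch max_size did. CACHE_CHUNK, the element size used in demo, and the domain_bound parameter are assumptions standing in for BIDI_CACHE_CHUNK, elsz and max (BUF_BYTES_MAX, STRING_BYTES_BOUND); memory_full is replaced by a -1 return value so the code runs stand-alone.

```c
/* Added example; not Emacs code.  Growing a chunked cache the way
   bidi_cache_ensure_space does, with the overflow checks made explicit
   and memory_full replaced by a -1 return so the code runs stand-alone.
   CACHE_CHUNK and the domain_bound parameter are assumptions standing in
   for BIDI_CACHE_CHUNK and max (BUF_BYTES_MAX, STRING_BYTES_BOUND).  */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CACHE_CHUNK 50

/* Largest element count whose byte size fits in both ptrdiff_t (pointer
   arithmetic) and size_t (the allocator's argument), rounded down to a
   multiple of CACHE_CHUNK.  Because of the rounding, any idx below this
   bound can be rounded up to the next chunk boundary without passing it.  */
ptrdiff_t cache_c_bound (size_t elsz)
{
  uintmax_t bytes = (uintmax_t) PTRDIFF_MAX < (uintmax_t) SIZE_MAX
                    ? (uintmax_t) PTRDIFF_MAX : (uintmax_t) SIZE_MAX;
  return (ptrdiff_t) (bytes / elsz / CACHE_CHUNK * CACHE_CHUNK);
}

/* The unchecked computation.  The product is evaluated in size_t and
   silently wraps, so a huge idx yields a tiny allocation that is later
   indexed far past its end.  Returns the (possibly wrapped) byte count.  */
size_t naive_grow_bytes (ptrdiff_t idx, size_t elsz)
{
  ptrdiff_t new_size = idx - idx % CACHE_CHUNK + CACHE_CHUNK;
  return (size_t) new_size * elsz;
}

/* Checked growth.  Ensure *CACHE (currently *SIZE elements of ELSZ bytes)
   can hold index IDX.  Return 0 on success, -1 where Emacs would call
   memory_full: IDX outside the domain bound, outside what C can
   represent, or realloc failing.  On -1 the cache is left untouched.  */
int cache_ensure_space (void **cache, ptrdiff_t *size, ptrdiff_t idx,
                        size_t elsz, ptrdiff_t domain_bound)
{
  if (idx < 0)
    return -1;
  if (idx < *size)
    return 0;

  ptrdiff_t c_bound = cache_c_bound (elsz);
  ptrdiff_t bound = domain_bound < c_bound ? domain_bound : c_bound;
  if (bound <= idx)
    return -1;

  /* idx < c_bound and c_bound is a chunk multiple, so new_size <= c_bound
     and new_size * elsz cannot exceed min (PTRDIFF_MAX, SIZE_MAX).  */
  ptrdiff_t new_size = idx - idx % CACHE_CHUNK + CACHE_CHUNK;
  void *p = realloc (*cache, (size_t) new_size * elsz);
  if (p == NULL)
    return -1;
  *cache = p;
  *size = new_size;
  return 0;
}

/* Exercise both paths; returns the number of expectations met (5 of 5).  */
int demo (void)
{
  int ok = 0;
  void *cache = NULL;
  ptrdiff_t size = 0;
  const size_t elsz = 8;                 /* assumed element size */
  const ptrdiff_t domain_bound = 1000;   /* assumed "largest buffer" */

  /* First use: one chunk is allocated.  */
  ok += cache_ensure_space (&cache, &size, 0, elsz, domain_bound) == 0
        && size == CACHE_CHUNK;
  /* Index 120 needs the cache rounded up to 150 elements.  */
  ok += cache_ensure_space (&cache, &size, 120, elsz, domain_bound) == 0
        && size == 3 * CACHE_CHUNK;
  /* At the domain bound: refused, cache unchanged.  */
  ok += cache_ensure_space (&cache, &size, 1000, elsz, domain_bound) == -1
        && size == 3 * CACHE_CHUNK;

  /* An index that the naive arithmetic turns into a tiny allocation ...  */
  ptrdiff_t huge = PTRDIFF_MAX / 2 / CACHE_CHUNK * CACHE_CHUNK;
  ok += naive_grow_bytes (huge, elsz) < (size_t) huge;
  /* ... is refused by the checked version even with no domain limit.  */
  ok += cache_ensure_space (&cache, &size, huge, elsz, PTRDIFF_MAX) == -1;

  free (cache);
  return ok;
}

int main (void)
{
  int met = demo ();
  printf ("%d of 5 expectations met\n", met);
  return met == 5 ? 0 : 1;
}
```

The domain bound is applied to idx, not to the rounded-up new_size, so the cache may exceed it by up to one chunk; that matches the patch and is harmless because the C bound, which is what protects the allocation, is a chunk multiple and therefore exact.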