Avoid crashes due to insanely large columns in tabulated-list-format

* src/xdisp.c (append_stretch_glyph, produce_xwidget_glyph)
(produce_image_glyph): Limit the pixel width of the produced glyph
to SHRT_MAX.  (Bug#23178)
(append_composite_glyph, append_glyph, append_glyphless_glyph):
Add assertions to verify that the pixel width of the glyph will
never overflow a 'short'.
* src/term.c (append_composite_glyph): Add assertion to verify
that the pixel width of the glyph will never overflow a 'short'.

diff --git a/src/term.c b/src/term.c
index a77e5729b5b1ef5dddf5c6658a257ef261220d05..43972109655ca360dfc3f8c32e95ee0b4ac680b2 100644 (file)
--- a/src/term.c
+++ b/src/term.c
@@ -1676,6 +1676,7 @@ append_composite_glyph (struct it *it)
          glyph = it->glyph_row->glyphs[it->area];
        }
       glyph->type = COMPOSITE_GLYPH;
+      eassert (it->pixel_width <= SHRT_MAX);
       glyph->pixel_width = it->pixel_width;
       glyph->u.cmp.id = it->cmp_it.id;
       if (it->cmp_it.ch < 0)

diff --git a/src/xdisp.c b/src/xdisp.c
index 5be94f0cd07dab4953a426934765809639ed9300..cc2c951ce5c17997470b5b0807940e839cc9b7e8 100644 (file)
--- a/src/xdisp.c
+++ b/src/xdisp.c
@@ -25828,6 +25828,7 @@ append_glyph (struct it *it)
       glyph->object = it->object;
       if (it->pixel_width > 0)
        {
+         eassert (it->pixel_width <= SHRT_MAX);
          glyph->pixel_width = it->pixel_width;
          glyph->padding_p = false;
        }
@@ -25908,6 +25909,7 @@ append_composite_glyph (struct it *it)
        }
       glyph->charpos = it->cmp_it.charpos;
       glyph->object = it->object;
+      eassert (it->pixel_width <= SHRT_MAX);
       glyph->pixel_width = it->pixel_width;
       glyph->ascent = it->ascent;
       glyph->descent = it->descent;
@@ -26117,7 +26119,7 @@ produce_image_glyph (struct it *it)
        {
          glyph->charpos = CHARPOS (it->position);
          glyph->object = it->object;
-         glyph->pixel_width = it->pixel_width;
+         glyph->pixel_width = clip_to_bounds (-1, it->pixel_width, SHRT_MAX);
          glyph->ascent = glyph_ascent;
          glyph->descent = it->descent;
          glyph->voffset = it->voffset;
@@ -26221,7 +26223,7 @@ produce_xwidget_glyph (struct it *it)
        {
          glyph->charpos = CHARPOS (it->position);
          glyph->object = it->object;
-         glyph->pixel_width = it->pixel_width;
+         glyph->pixel_width = clip_to_bounds (-1, it->pixel_width, SHRT_MAX);
          glyph->ascent = glyph_ascent;
          glyph->descent = it->descent;
          glyph->voffset = it->voffset;
@@ -26307,7 +26309,9 @@ append_stretch_glyph (struct it *it, Lisp_Object object,
        }
       glyph->charpos = CHARPOS (it->position);
       glyph->object = object;
-      glyph->pixel_width = width;
+      /* FIXME: It would be better to use TYPE_MAX here, but
+        __typeof__ is not portable enough...  */
+      glyph->pixel_width = clip_to_bounds (-1, width, SHRT_MAX);
       glyph->ascent = ascent;
       glyph->descent = height - ascent;
       glyph->voffset = it->voffset;
@@ -26758,6 +26762,7 @@ append_glyphless_glyph (struct it *it, int face_id, bool for_no_font, int len,
        }
       glyph->charpos = CHARPOS (it->position);
       glyph->object = it->object;
+      eassert (it->pixel_width <= SHRT_MAX);
       glyph->pixel_width = it->pixel_width;
       glyph->ascent = it->ascent;
       glyph->descent = it->descent;