From: Eli Zaretskii <eliz@gnu.org>
Date: Fri, 1 Apr 2016 09:47:29 +0000 (+0300)
Subject: Avoid crashes due to insanely large columns in tabulated-list-format
X-Git-Tag: emacs-25.0.93~84
X-Git-Url: https://code.delx.au/gnu-emacs/commitdiff_plain/b3b523cdd66c53677c39f743a18e4c180c2ec248

Avoid crashes due to insanely large columns in tabulated-list-format

* src/xdisp.c (append_stretch_glyph, produce_xwidget_glyph)
(produce_image_glyph): Limit the pixel width of the produced glyph
to SHRT_MAX.  (Bug#23178)
(append_composite_glyph, append_glyph, append_glyphless_glyph):
Add assertions to verify that the pixel width of the glyph will
never overflow a 'short'.
* src/term.c (append_composite_glyph): Add assertion to verify
that the pixel width of the glyph will never overflow a 'short'.
---

diff --git a/src/term.c b/src/term.c
index a77e5729b5..4397210965 100644
--- a/src/term.c
+++ b/src/term.c
@@ -1676,6 +1676,7 @@ append_composite_glyph (struct it *it)
 	  glyph = it->glyph_row->glyphs[it->area];
 	}
       glyph->type = COMPOSITE_GLYPH;
+      eassert (it->pixel_width <= SHRT_MAX);
       glyph->pixel_width = it->pixel_width;
       glyph->u.cmp.id = it->cmp_it.id;
       if (it->cmp_it.ch < 0)
diff --git a/src/xdisp.c b/src/xdisp.c
index 5be94f0cd0..cc2c951ce5 100644
--- a/src/xdisp.c
+++ b/src/xdisp.c
@@ -25828,6 +25828,7 @@ append_glyph (struct it *it)
       glyph->object = it->object;
       if (it->pixel_width > 0)
 	{
+	  eassert (it->pixel_width <= SHRT_MAX);
 	  glyph->pixel_width = it->pixel_width;
 	  glyph->padding_p = false;
 	}
@@ -25908,6 +25909,7 @@ append_composite_glyph (struct it *it)
 	}
       glyph->charpos = it->cmp_it.charpos;
       glyph->object = it->object;
+      eassert (it->pixel_width <= SHRT_MAX);
       glyph->pixel_width = it->pixel_width;
       glyph->ascent = it->ascent;
       glyph->descent = it->descent;
@@ -26117,7 +26119,7 @@ produce_image_glyph (struct it *it)
 	{
 	  glyph->charpos = CHARPOS (it->position);
 	  glyph->object = it->object;
-	  glyph->pixel_width = it->pixel_width;
+	  glyph->pixel_width = clip_to_bounds (-1, it->pixel_width, SHRT_MAX);
 	  glyph->ascent = glyph_ascent;
 	  glyph->descent = it->descent;
 	  glyph->voffset = it->voffset;
@@ -26221,7 +26223,7 @@ produce_xwidget_glyph (struct it *it)
 	{
 	  glyph->charpos = CHARPOS (it->position);
 	  glyph->object = it->object;
-	  glyph->pixel_width = it->pixel_width;
+	  glyph->pixel_width = clip_to_bounds (-1, it->pixel_width, SHRT_MAX);
 	  glyph->ascent = glyph_ascent;
 	  glyph->descent = it->descent;
 	  glyph->voffset = it->voffset;
@@ -26307,7 +26309,9 @@ append_stretch_glyph (struct it *it, Lisp_Object object,
 	}
       glyph->charpos = CHARPOS (it->position);
       glyph->object = object;
-      glyph->pixel_width = width;
+      /* FIXME: It would be better to use TYPE_MAX here, but
+	 __typeof__ is not portable enough...  */
+      glyph->pixel_width = clip_to_bounds (-1, width, SHRT_MAX);
       glyph->ascent = ascent;
       glyph->descent = height - ascent;
       glyph->voffset = it->voffset;
@@ -26758,6 +26762,7 @@ append_glyphless_glyph (struct it *it, int face_id, bool for_no_font, int len,
 	}
       glyph->charpos = CHARPOS (it->position);
       glyph->object = it->object;
+      eassert (it->pixel_width <= SHRT_MAX);
       glyph->pixel_width = it->pixel_width;
       glyph->ascent = it->ascent;
       glyph->descent = it->descent;