From 599a9e4f7cec752078570160fe5498fe5799863a Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Wed, 15 Jun 2011 23:57:02 -0700 Subject: [PATCH] * insdel.c (replace_range): Fix buf overflow when insbytes < outgoing. --- src/ChangeLog | 2 ++ src/insdel.c | 8 ++++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index f7f18332288..e7ca102421d 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,7 @@ 2011-06-16 Paul Eggert + * insdel.c (replace_range): Fix buf overflow when insbytes < outgoing. + * insdel.c, lisp.h (buffer_overflow): New function. (insert_from_buffer_1, replace_range, replace_range_2): * insdel.c (make_gap_larger): diff --git a/src/insdel.c b/src/insdel.c index 875274df8e4..ca53177a3e1 100644 --- a/src/insdel.c +++ b/src/insdel.c @@ -1354,8 +1354,8 @@ replace_range (EMACS_INT from, EMACS_INT to, Lisp_Object new, = count_size_as_multibyte (SDATA (new), insbytes); /* Make sure point-max won't overflow after this insertion. */ - XSETINT (temp, Z_BYTE - nbytes_del + insbytes); - if (Z_BYTE - nbytes_del + insbytes != XINT (temp)) + XSETINT (temp, Z_BYTE - nbytes_del + outgoing_insbytes); + if (Z_BYTE - nbytes_del + outgoing_insbytes != XINT (temp)) buffer_overflow (); GCPRO1 (new); @@ -1389,8 +1389,8 @@ replace_range (EMACS_INT from, EMACS_INT to, Lisp_Object new, if (Z - GPT < END_UNCHANGED) END_UNCHANGED = Z - GPT; - if (GAP_SIZE < insbytes) - make_gap (insbytes - GAP_SIZE); + if (GAP_SIZE < outgoing_insbytes) + make_gap (outgoing_insbytes - GAP_SIZE); /* Copy the string text into the buffer, perhaps converting between single-byte and multibyte. */ -- 2.11.4.GIT
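Review bot: The comment above the overflow check in the first insdel.c hunk still reads only "Make sure point-max won't overflow after this insertion", so it does not say why `outgoing_insbytes` rather than `insbytes` is the right operand, which is the confusion this commit fixes. I would extend it along the lines of `/* Use outgoing_insbytes, not insbytes: converting to the buffer's representation can make the inserted text longer. */`. The sum `Z_BYTE - nbytes_del + outgoing_insbytes` is also evaluated in EMACS_INT before the XSETINT/XINT round trip, so the check presumes the addition itself cannot wrap. That looks safe if both operands are fixnum-bounded, but the bound is not visible here and is worth stating. replace_range's body starts and ends outside the hunk.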
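Review bot: In the second insdel.c hunk the gap is now sized from `outgoing_insbytes`, but nothing at that point records that the copy that follows must fit in it. That copy ("perhaps converting between single-byte and multibyte") lies outside the hunk, so whether every later use of the byte count was switched as well cannot be confirmed from here. Adding `eassert (outgoing_insbytes <= GAP_SIZE);` right after the `make_gap` call would document the invariant and catch a regression in checking builds. The ChangeLog context also names insert_from_buffer_1 and replace_range_2; they are not shown, so it is worth confirming that they size the gap from the post-conversion byte count too.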