From abcba32c262e575b562ec0e481e55538536f969f Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Fri, 10 Feb 2017 08:34:57 -0800
Subject: [PATCH] Fix a few integer-overflow glitches
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

* src/composite.c (composition_compute_stop_pos, composition_reseat_it):
* src/dispextern.h (struct composition_it.rule_idx):
* src/keyboard.c (Fset__this_command_keys):
* src/xwidget.c (webkit_js_to_lisp):
Don’t assume object sizes fit in ‘int’.
* src/xwidget.c (Fxwidget_resize):
Don’t assume Emacs integers fit in ‘int’.
---
 src/composite.c  | 89 ++++++++++++++++++++++++++------------------------------
 src/dispextern.h |  2 +-
 src/keyboard.c   |  2 +-
 src/xwidget.c    | 12 ++++----
 4 files changed, 50 insertions(+), 55 deletions(-)

diff --git a/src/composite.c b/src/composite.c
index f23bb17c57a..b673c53ac83 100644
--- a/src/composite.c
+++ b/src/composite.c
@@ -1012,7 +1012,7 @@ composition_compute_stop_pos (struct composition_it *cmp_it, ptrdiff_t charpos,
 	  val = CHAR_TABLE_REF (Vcomposition_function_table, c);
 	  if (! NILP (val))
 	    {
-	      for (int ridx = 0; CONSP (val); val = XCDR (val), ridx++)
+	      for (EMACS_INT ridx = 0; CONSP (val); val = XCDR (val), ridx++)
 		{
 		  Lisp_Object elt = XCAR (val);
 		  if (VECTORP (elt) && ASIZE (elt) == 3
@@ -1063,54 +1063,48 @@ composition_compute_stop_pos (struct composition_it *cmp_it, ptrdiff_t charpos,
       while (char_composable_p (c))
 	{
 	  val = CHAR_TABLE_REF (Vcomposition_function_table, c);
-	  if (! NILP (val))
+	  for (EMACS_INT ridx = 0; CONSP (val); val = XCDR (val), ridx++)
 	    {
-	      Lisp_Object elt;
-	      int ridx, blen;
-
-	      for (ridx = 0; CONSP (val); val = XCDR (val), ridx++)
+	      Lisp_Object elt = XCAR (val);
+	      if (VECTORP (elt) && ASIZE (elt) == 3
+		  && NATNUMP (AREF (elt, 1))
+		  && charpos - XFASTINT (AREF (elt, 1)) > endpos)
 		{
-		  elt = XCAR (val);
-		  if (VECTORP (elt) && ASIZE (elt) == 3
-		      && NATNUMP (AREF (elt, 1))
-		      && charpos - XFASTINT (AREF (elt, 1)) > endpos)
-		    {
-		      ptrdiff_t back = XFASTINT (AREF (elt, 1));
-		      ptrdiff_t cpos = charpos - back, bpos;
+		  ptrdiff_t back = XFASTINT (AREF (elt, 1));
+		  ptrdiff_t cpos = charpos - back, bpos;
 
-		      if (back == 0)
-			bpos = bytepos;
-		      else
-			bpos = (NILP (string) ? CHAR_TO_BYTE (cpos)
-				: string_char_to_byte (string, cpos));
-		      if (STRINGP (AREF (elt, 0)))
-			blen = fast_looking_at (AREF (elt, 0), cpos, bpos,
-						start + 1, limit, string);
-		      else
-			blen = 1;
-		      if (blen > 0)
+		  if (back == 0)
+		    bpos = bytepos;
+		  else
+		    bpos = (NILP (string) ? CHAR_TO_BYTE (cpos)
+			    : string_char_to_byte (string, cpos));
+		  ptrdiff_t blen
+		    = (STRINGP (AREF (elt, 0))
+		       ? fast_looking_at (AREF (elt, 0), cpos, bpos,
+					  start + 1, limit, string)
+		       : 1);
+		  if (blen > 0)
+		    {
+		      /* Make CPOS point to the last character of
+			 match.  Note that BLEN is byte-length.  */
+		      if (blen > 1)
+			{
+			  bpos += blen;
+			  if (NILP (string))
+			    cpos = BYTE_TO_CHAR (bpos) - 1;
+			  else
+			    cpos = string_byte_to_char (string, bpos) - 1;
+			}
+		      back = cpos - (charpos - back);
+		      if (cmp_it->stop_pos < cpos
+			  || (cmp_it->stop_pos == cpos
+			      && cmp_it->lookback < back))
 			{
-			  /* Make CPOS point to the last character of
-			     match.  Note that BLEN is byte-length.  */
-			  if (blen > 1)
-			    {
-			      bpos += blen;
-			      if (NILP (string))
-				cpos = BYTE_TO_CHAR (bpos) - 1;
-			      else
-				cpos = string_byte_to_char (string, bpos) - 1;
-			    }
-			  back = cpos - (charpos - back);
-			  if (cmp_it->stop_pos < cpos
-			      || (cmp_it->stop_pos == cpos
-				  && cmp_it->lookback < back))
-			    {
-			      cmp_it->rule_idx = ridx;
-			      cmp_it->stop_pos = cpos;
-			      cmp_it->ch = c;
-			      cmp_it->lookback = back;
-			      cmp_it->nchars = back + 1;
-			    }
+			  cmp_it->rule_idx = ridx;
+			  cmp_it->stop_pos = cpos;
+			  cmp_it->ch = c;
+			  cmp_it->lookback = back;
+			  cmp_it->nchars = back + 1;
 			}
 		    }
 		}
@@ -1203,10 +1197,10 @@ composition_reseat_it (struct composition_it *cmp_it, ptrdiff_t charpos,
     {
       Lisp_Object lgstring = Qnil;
       Lisp_Object val, elt;
-      ptrdiff_t i;
 
       val = CHAR_TABLE_REF (Vcomposition_function_table, cmp_it->ch);
-      for (i = 0; i < cmp_it->rule_idx; i++, val = XCDR (val));
+      for (EMACS_INT i = 0; i < cmp_it->rule_idx; i++, val = XCDR (val))
+	continue;
       if (charpos < endpos)
 	{
 	  for (; CONSP (val); val = XCDR (val))
@@ -1255,6 +1249,7 @@ composition_reseat_it (struct composition_it *cmp_it, ptrdiff_t charpos,
       if (NILP (LGSTRING_ID (lgstring)))
 	lgstring = composition_gstring_put_cache (lgstring, -1);
       cmp_it->id = XINT (LGSTRING_ID (lgstring));
+      int i;
       for (i = 0; i < LGSTRING_GLYPH_LEN (lgstring); i++)
 	if (NILP (LGSTRING_GLYPH (lgstring, i)))
 	  break;
diff --git a/src/dispextern.h b/src/dispextern.h
index eb71a82311c..e030618a9b7 100644
--- a/src/dispextern.h
+++ b/src/dispextern.h
@@ -2215,7 +2215,7 @@ struct composition_it
      the automatic composition.  Provided that ELT is an element of
      Vcomposition_function_table for CH, (nth ELT RULE_IDX) is the
      rule for the composition.  */
-  int rule_idx;
+  EMACS_INT rule_idx;
   /* If this is an automatic composition, how many characters to look
      back from the position where a character triggering the
      composition exists.  */
diff --git a/src/keyboard.c b/src/keyboard.c
index 168232203fe..ed8e71fd0a7 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -10020,7 +10020,7 @@ Internal use only.  */)
     add_command_key (make_number ('x' | meta_modifier));
   else
     add_command_key (make_number (key0));
-  for (int i = 1; i < SCHARS (keys); i++)
+  for (ptrdiff_t i = 1; i < SCHARS (keys); i++)
     add_command_key (make_number (SREF (keys, i)));
   return Qnil;
 }
diff --git a/src/xwidget.c b/src/xwidget.c
index 4ba1617d8df..5c276b1371c 100644
--- a/src/xwidget.c
+++ b/src/xwidget.c
@@ -301,13 +301,13 @@ webkit_js_to_lisp (JSContextRef context, JSValueRef value)
           {
             JSStringRef pname = JSStringCreateWithUTF8CString("length");
             JSValueRef len = JSObjectGetProperty (context, (JSObjectRef) value, pname, NULL);
-            int n = JSValueToNumber (context, len, NULL);
+            EMACS_INT n = JSValueToNumber (context, len, NULL);
             JSStringRelease(pname);
 
             Lisp_Object obj;
             struct Lisp_Vector *p = allocate_vector (n);
 
-            for (int i = 0; i < n; ++i)
+            for (ptrdiff_t i = 0; i < n; ++i)
               {
                 p->contents[i] =
                   webkit_js_to_lisp (context,
@@ -323,13 +323,13 @@ webkit_js_to_lisp (JSContextRef context, JSValueRef value)
             JSPropertyNameArrayRef properties =
               JSObjectCopyPropertyNames (context, (JSObjectRef) value);
 
-            int n = JSPropertyNameArrayGetCount (properties);
+            ptrdiff_t n = JSPropertyNameArrayGetCount (properties);
             Lisp_Object obj;
 
             /* TODO: can we use a regular list here?  */
             struct Lisp_Vector *p = allocate_vector (n);
 
-            for (int i = 0; i < n; ++i)
+            for (ptrdiff_t i = 0; i < n; ++i)
               {
                 JSStringRef name = JSPropertyNameArrayGetNameAtIndex (properties, i);
                 JSValueRef property = JSObjectGetProperty (context,
@@ -733,8 +733,8 @@ DEFUN ("xwidget-resize", Fxwidget_resize, Sxwidget_resize, 3, 3, 0,
   (Lisp_Object xwidget, Lisp_Object new_width, Lisp_Object new_height)
 {
   CHECK_XWIDGET (xwidget);
-  CHECK_NATNUM (new_width);
-  CHECK_NATNUM (new_height);
+  CHECK_RANGED_INTEGER (new_width, 0, INT_MAX);
+  CHECK_RANGED_INTEGER (new_height, 0, INT_MAX);
   struct xwidget *xw = XXWIDGET (xwidget);
   int w = XFASTINT (new_width);
   int h = XFASTINT (new_height);
-- 
2.11.4.GIT