Mercurial > vim
comparison src/memfile.c @ 27453:c7f614c9ceb3 v8.2.4255
patch 8.2.4255: theoretical computation overflow
Commit: https://github.com/vim/vim/commit/d5cec1f1f055316c353cfa15ad8d5eb0952d50a0
Author: =?UTF-8?q?Dundar=20G=C3=B6c?= <gocdundar@gmail.com>
Date: Sat Jan 29 15:19:23 2022 +0000
patch 8.2.4255: theoretical computation overflow
Problem: Theoretical computation overflow.
Solution: Perform multiplication in a wider type. (closes https://github.com/vim/vim/issues/9657)
| author | Bram Moolenaar <Bram@vim.org> |
|---|---|
| date | Sat, 29 Jan 2022 16:30:03 +0100 |
| parents | aa65d1808bd0 |
| children | 7a64222fad8e |
comparison
equal
deleted
inserted
replaced
| 27452:81af1f0ff8ce | 27453:c7f614c9ceb3 |
|---|---|
| 247 if (del_file && mfp->mf_fname != NULL) | 247 if (del_file && mfp->mf_fname != NULL) |
| 248 mch_remove(mfp->mf_fname); | 248 mch_remove(mfp->mf_fname); |
| 249 // free entries in used list | 249 // free entries in used list |
| 250 for (hp = mfp->mf_used_first; hp != NULL; hp = nextp) | 250 for (hp = mfp->mf_used_first; hp != NULL; hp = nextp) |
| 251 { | 251 { |
| 252 total_mem_used -= hp->bh_page_count * mfp->mf_page_size; | 252 total_mem_used -= (long_u)hp->bh_page_count * mfp->mf_page_size; |
| 253 nextp = hp->bh_next; | 253 nextp = hp->bh_next; |
| 254 mf_free_bhdr(hp); | 254 mf_free_bhdr(hp); |
| 255 } | 255 } |
| 256 while (mfp->mf_free_first != NULL) // free entries in free list | 256 while (mfp->mf_free_first != NULL) // free entries in free list |
| 257 vim_free(mf_rem_free(mfp)); | 257 vim_free(mf_rem_free(mfp)); |
| 357 freep->bh_bnum += page_count; | 357 freep->bh_bnum += page_count; |
| 358 freep->bh_page_count -= page_count; | 358 freep->bh_page_count -= page_count; |
| 359 } | 359 } |
| 360 else if (hp == NULL) // need to allocate memory for this block | 360 else if (hp == NULL) // need to allocate memory for this block |
| 361 { | 361 { |
| 362 if ((p = alloc(mfp->mf_page_size * page_count)) == NULL) | 362 if ((p = alloc((size_t)mfp->mf_page_size * page_count)) == NULL) |
| 363 return NULL; | 363 return NULL; |
| 364 hp = mf_rem_free(mfp); | 364 hp = mf_rem_free(mfp); |
| 365 hp->bh_data = p; | 365 hp->bh_data = p; |
| 366 } | 366 } |
| 367 else // use the number, remove entry from free list | 367 else // use the number, remove entry from free list |
| 716 if (hp->bh_next == NULL) // list was empty, adjust last pointer | 716 if (hp->bh_next == NULL) // list was empty, adjust last pointer |
| 717 mfp->mf_used_last = hp; | 717 mfp->mf_used_last = hp; |
| 718 else | 718 else |
| 719 hp->bh_next->bh_prev = hp; | 719 hp->bh_next->bh_prev = hp; |
| 720 mfp->mf_used_count += hp->bh_page_count; | 720 mfp->mf_used_count += hp->bh_page_count; |
| 721 total_mem_used += hp->bh_page_count * mfp->mf_page_size; | 721 total_mem_used += (long_u)hp->bh_page_count * mfp->mf_page_size; |
| 722 } | 722 } |
| 723 | 723 |
| 724 /* | 724 /* |
| 725 * remove block *hp from used list of memfile *mfp | 725 * remove block *hp from used list of memfile *mfp |
| 726 */ | 726 */ |
| 734 if (hp->bh_prev == NULL) // first block in used list | 734 if (hp->bh_prev == NULL) // first block in used list |
| 735 mfp->mf_used_first = hp->bh_next; | 735 mfp->mf_used_first = hp->bh_next; |
| 736 else | 736 else |
| 737 hp->bh_prev->bh_next = hp->bh_next; | 737 hp->bh_prev->bh_next = hp->bh_next; |
| 738 mfp->mf_used_count -= hp->bh_page_count; | 738 mfp->mf_used_count -= hp->bh_page_count; |
| 739 total_mem_used -= hp->bh_page_count * mfp->mf_page_size; | 739 total_mem_used -= (long_u)hp->bh_page_count * mfp->mf_page_size; |
| 740 } | 740 } |
| 741 | 741 |
| 742 /* | 742 /* |
| 743 * Release the least recently used block from the used list if the number | 743 * Release the least recently used block from the used list if the number |
| 744 * of used memory blocks gets to big. | 744 * of used memory blocks gets to big. |
| 812 * right | 812 * right |
| 813 */ | 813 */ |
| 814 if (hp->bh_page_count != page_count) | 814 if (hp->bh_page_count != page_count) |
| 815 { | 815 { |
| 816 vim_free(hp->bh_data); | 816 vim_free(hp->bh_data); |
| 817 if ((hp->bh_data = alloc(mfp->mf_page_size * page_count)) == NULL) | 817 if ((hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count)) |
| 818 == NULL) | |
| 818 { | 819 { |
| 819 vim_free(hp); | 820 vim_free(hp); |
| 820 return NULL; | 821 return NULL; |
| 821 } | 822 } |
| 822 hp->bh_page_count = page_count; | 823 hp->bh_page_count = page_count; |
| 879 { | 880 { |
| 880 bhdr_T *hp; | 881 bhdr_T *hp; |
| 881 | 882 |
| 882 if ((hp = ALLOC_ONE(bhdr_T)) != NULL) | 883 if ((hp = ALLOC_ONE(bhdr_T)) != NULL) |
| 883 { | 884 { |
| 884 if ((hp->bh_data = alloc(mfp->mf_page_size * page_count)) == NULL) | 885 if ((hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count)) |
| 886 == NULL) | |
| 885 { | 887 { |
| 886 vim_free(hp); // not enough memory | 888 vim_free(hp); // not enough memory |
| 887 return NULL; | 889 return NULL; |
| 888 } | 890 } |
| 889 hp->bh_page_count = page_count; | 891 hp->bh_page_count = page_count; |