commit c51c29052ee4a356d345424249024c67c2ec05ae from: Russ Cox date: Tue Jan 12 19:16:14 2010 UTC ed: new append from rob, avoids overflow in pointer arithmetic R=rsc http://codereview.appspot.com/188041
commit - 68a6e0c0d03af1026f1b903bb071977543b7a939
commit + c51c29052ee4a356d345424249024c67c2ec05ae
blob - 77a0c27e7092b0972ed522833e894c4f02d25c48
blob + 79b90e7eb78b2fd07e7d27cf7fae859725b308a6
--- src/cmd/ed.c
+++ src/cmd/ed.c
@@ -829,33 +829,37 @@ putfile(void)
 int append(int (*f)(void), int *a) {
- int *a1, *a2, *rdot, nline, tl;
+ int *a1, *a2, *rdot, nline, d;
 nline = 0;
 dot = a;
 while((*f)() == 0) {
 if((dol-zero) >= nlall) {
 nlall += 512;
- a1 = realloc(zero, (nlall+5)*sizeof(int*));
+ a1 = realloc(zero, (nlall+50)*sizeof(int*));
 if(a1 == 0) {
 error("MEM?");
 rescue();
 }
- tl = a1 - zero; /* relocate pointers */
- zero += tl;
- addr1 += tl;
- addr2 += tl;
- dol += tl;
- dot += tl;
+ /* relocate pointers; avoid wraparound if sizeof(int) < sizeof(int*) */
+ d = addr1 - zero;
+ addr1 = a1 + d;
+ d = addr2 - zero;
+ addr2 = a1 + d;
+ d = dol - zero;
+ dol = a1 + d;
+ d = dot - zero;
+ dot = a1 + d;
+ zero = a1;
 }
- tl = putline();
+ d = putline();
 nline++;
 a1 = ++dol;
 a2 = a1+1;
 rdot = ++dot;
 while(a1 > rdot) *--a2 = *--a1;
- *rdot = tl;
+ *rdot = d;
 }
 return nline;
 }
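Review bot: The relocation block still evaluates `addr1 - zero`, `addr2 - zero`, `dol - zero` and `dot - zero` after `realloc` has returned, so when the block has moved these subtractions use pointers into storage that is already released, which C leaves undefined even though it usually works. Taking the four offsets before the `realloc` call removes that dependency. Separately, `nlall += 512` runs before the allocation is known to have succeeded; if `error()` does not return (its definition is outside this hunk), a failed `realloc` leaves the limit raised over the old, smaller buffer and later appends could write past its end, so the increment belongs after the null check. The change of headroom from `nlall+5` to `nlall+50` also deserves a one-line comment saying what the extra slots are for.

```c
	int *a1, *a2, *rdot, nline, d, o1, o2, odol, odot;
	/* … unchanged: nline/dot setup, while((*f)() == 0) … */
		if((dol-zero) >= nlall) {
			/* take offsets while zero still names a live block */
			o1 = addr1 - zero;
			o2 = addr2 - zero;
			odol = dol - zero;
			odot = dot - zero;
			a1 = realloc(zero, (nlall+512+50)*sizeof(int*));
			/* … unchanged: a1 == 0 check, error("MEM?"), rescue() … */
			nlall += 512;	/* raise the limit only after the buffer grew */
			zero = a1;
			addr1 = a1 + o1;
			addr2 = a1 + o2;
			dol = a1 + odol;
			dot = a1 + odot;
		}
```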