Fix read buffer overrun on overflowed integers

* src/lread.c (read_integer): Fix off-by-1 buffer overrun introduced in 2018-04-17T23:23:16Z!eggert@cs.ucla.edu. The bug could occur when Emacs read radixed integers containing more than 100 digits. Bug caught by AddressSanitizer.
author: Paul Eggert 2018-06-09 17:17:55 -0700
committer: Paul Eggert 2018-06-09 17:18:29 -0700
commit: 1a4c6e69db6f8861271f14338ed67aaf12cbd4c5 (patch)
tree: 8a6de885acdb0a05009f1d9f630790fecdae16ff /src
parent: 89e2683d4430ffbe3bfe355ca389c349304bdcb9 (diff)
download: emacs-1a4c6e69db6f8861271f14338ed67aaf12cbd4c5.tar.gz
emacs-1a4c6e69db6f8861271f14338ed67aaf12cbd4c5.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lread.c b/src/lread.c
index d2c7eae20f9..4229ff568be 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -2680,8 +2680,8 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix)
            valid = 0;
          if (valid < 0)
            valid = 1;
-          *p = c;
+          if (p < buf + sizeof buf)
-          p += p < buf + sizeof buf;
+            *p++ = c;
          c = READCHAR;
        }
author	Paul Eggert	2018-06-09 17:17:55 -0700
committer	Paul Eggert	2018-06-09 17:18:29 -0700
commit	1a4c6e69db6f8861271f14338ed67aaf12cbd4c5 (patch)
tree	8a6de885acdb0a05009f1d9f630790fecdae16ff /src
parent	89e2683d4430ffbe3bfe355ca389c349304bdcb9 (diff)
download	emacs-1a4c6e69db6f8861271f14338ed67aaf12cbd4c5.tar.gz emacs-1a4c6e69db6f8861271f14338ed67aaf12cbd4c5.zip

diff --git a/src/lread.c b/src/lread.c index d2c7eae20f9..4229ff568be 100644 --- a/src/lread.c +++ b/src/lread.c
@@ -2680,8 +2680,8 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix)
2680	valid = 0;	2680	valid = 0;
2681	if (valid < 0)	2681	if (valid < 0)
2682	valid = 1;	2682	valid = 1;
2683	*p = c;	2683	if (p < buf + sizeof buf)
2684	p += p < buf + sizeof buf;	2684	*p++ = c;
2685	c = READCHAR;	2685	c = READCHAR;
2686	}	2686	}
2687		2687