* lread.c: Fix off-by-one error that can read outside a buffer.

2 files changed, 6 insertions, 3 deletions

diff --git a/src/ChangeLog b/src/ChangeLog
index 34914c96c6c..8e2ef5e0eb2 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,4 +1,4 @@
-2011-10-23  Paul Eggert  <eggert@cs.ucla.edu>
+2011-10-24  Paul Eggert  <eggert@cs.ucla.edu>
 
         Fix integer width and related bugs.
         * alloc.c (pure_bytes_used_lisp, pure_bytes_used_non_lisp):
@@ -495,6 +495,7 @@
         (openp): Check for out-of-range argument to 'access'.
         (read1): Use int, not EMACS_INT, where int is wide enough.
         Don't assume fixnum fits into int.
+        Fix off-by-one error that can read outside a buffer.
         (read_filtered_event): Use duration_to_sec_usec
         to do proper overflow checking on durations.
         * macros.c (Fstart_kbd_macro): Use xpalloc to check for overflow
diff --git a/src/lread.c b/src/lread.c
index 75d05a2b2f3..d7c5db3a02c 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -2508,11 +2508,13 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
                   ptrdiff_t size;
 
                   tmp = read_vector (readcharfun, 0);
+                  size = ASIZE (tmp);
+                  if (size == 0)
+                    error ("Invalid size char-table");
                   if (! RANGED_INTEGERP (1, AREF (tmp, 0), 3))
                     error ("Invalid depth in char-table");
                   depth = XINT (AREF (tmp, 0));
-                  size = ASIZE (tmp) - 2;
-                  if (chartab_size [depth] != size)
+                  if (chartab_size[depth] != size - 2)
                     error ("Invalid size char-table");
                   XSETPVECTYPE (XVECTOR (tmp), PVEC_SUB_CHAR_TABLE);
                   return tmp;