diff options
| author | Paul Eggert | 2020-05-27 09:50:07 -0700 |
|---|---|---|
| committer | Paul Eggert | 2020-05-27 09:51:12 -0700 |
| commit | dcd96745b0c505da5343549410fdab070ca72ff5 (patch) | |
| tree | 5606a4dbbea3f3129b017d43d15e4edcde037214 /src | |
| parent | 9d11f127f15cc4dafcdb825dcfc6e495d729a069 (diff) | |
| download | emacs-dcd96745b0c505da5343549410fdab070ca72ff5.tar.gz emacs-dcd96745b0c505da5343549410fdab070ca72ff5.zip | |
Fix crash with invalid bytecode vectors
* src/lread.c (read_vector): If the vector is to short to be for
bytecodes don’t do bytecode processing for it, as the processing
might run past the end of the vector.
Diffstat (limited to 'src')
| -rw-r--r-- | src/lread.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/lread.c b/src/lread.c index 53b4e1be2df..29deddaf15f 100644 --- a/src/lread.c +++ b/src/lread.c | |||
| @@ -3844,6 +3844,10 @@ read_vector (Lisp_Object readcharfun, bool bytecodeflag) | |||
| 3844 | ptrdiff_t size = list_length (tem); | 3844 | ptrdiff_t size = list_length (tem); |
| 3845 | Lisp_Object vector = make_nil_vector (size); | 3845 | Lisp_Object vector = make_nil_vector (size); |
| 3846 | 3846 | ||
| 3847 | /* Avoid accessing past the end of a vector if the vector is too | ||
| 3848 | small to be valid for bytecode. */ | ||
| 3849 | bytecodeflag &= COMPILED_STACK_DEPTH < size; | ||
| 3850 | |||
| 3847 | Lisp_Object *ptr = XVECTOR (vector)->contents; | 3851 | Lisp_Object *ptr = XVECTOR (vector)->contents; |
| 3848 | for (ptrdiff_t i = 0; i < size; i++) | 3852 | for (ptrdiff_t i = 0; i < size; i++) |
| 3849 | { | 3853 | { |