Fix bug in i18n/l10n optimization

This fixes a off-by-one buffer overrun bug introduced in
2017-06-04T15:39:37Z!eggert@cs.ucla.edu.  Problem uncovered by an
experimental version of Emacs built with -fcheck-pointer-bounds
and running on Intel MPX hardware.
* src/editfns.c (styled_format): Avoid overrunning internal buffers.

diff --git a/src/editfns.c b/src/editfns.c
index f275f33fc52fab487169850b578d9f7689a87a35..f7c26b900a065af50d8e9cdab46f942036a07f6d 100644 (file)
--- a/src/editfns.c
+++ b/src/editfns.c
@@ -4919,7 +4919,7 @@ styled_format (ptrdiff_t nargs, Lisp_Object *args, bool message)
                  else if (discarded[bytepos] == 1)
                    {
                      position++;
-                     if (translated == info[fieldn].start)
+                     if (fieldn < nspec && translated == info[fieldn].start)
                        {
                          translated += info[fieldn].end - info[fieldn].start;
                          fieldn++;
@@ -4939,7 +4939,7 @@ styled_format (ptrdiff_t nargs, Lisp_Object *args, bool message)
                  else if (discarded[bytepos] == 1)
                    {
                      position++;
-                     if (translated == info[fieldn].start)
+                     if (fieldn < nspec && translated == info[fieldn].start)
                        {
                          translated += info[fieldn].end - info[fieldn].start;
                          fieldn++;