Fix read buffer overrun on overflowed integers
authorPaul Eggert <eggert@cs.ucla.edu>
Sun, 10 Jun 2018 00:17:55 +0000 (17:17 -0700)
committerPaul Eggert <eggert@cs.ucla.edu>
Sun, 10 Jun 2018 00:18:29 +0000 (17:18 -0700)
* src/lread.c (read_integer): Fix off-by-1 buffer overrun
introduced in 2018-04-17T23:23:16Z!eggert@cs.ucla.edu.  The
bug could occur when Emacs read radixed integers containing
more than 100 digits.  Bug caught by AddressSanitizer.

src/lread.c

index d2c7eae20f9c69e9c9d52212b85e2bdcfef1a914..4229ff568bee5416c11cd0ed2a7d20db50bc66cf 100644 (file)
@@ -2680,8 +2680,8 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix)
            valid = 0;
          if (valid < 0)
            valid = 1;
-         *p = c;
-         p += p < buf + sizeof buf;
+         if (p < buf + sizeof buf)
+           *p++ = c;
          c = READCHAR;
        }
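Review bot: With the guarded store at `if (p < buf + sizeof buf)`, `p` can leave the loop equal to `buf + sizeof buf`, so the code after the loop must test for that before it writes a terminator through `p` or passes `buf` to a parser; that code is outside this hunk and should be checked in the same review. Digits past the buffer's capacity are dropped silently here, so whether the reader signals an overflow or returns a truncated value depends on a later check that is not visible in these lines. I would add a comment on the guard, for example `/* Keep consuming input but stop storing once buf is full; p == buf + sizeof buf then marks overflow.  */`, and a regression test that reads a radixed integer of more than 100 digits under AddressSanitizer, since the commit message says that is how the overrun was caught. read_integer begins and ends outside the hunk.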