* ccl.c (ccl_driver, Fregister_code_conversion_map): Check that Vcode_version_map_vec...

diff --git a/src/ChangeLog b/src/ChangeLog
index 9857461143a3130132ad36db41cd7e8a73ad1ca7..696123c6c1d61bd211a8f48714425a039e696685 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,4 +1,4 @@
-2011-09-26  Paul Eggert  <eggert@cs.ucla.edu>
+2011-09-27  Paul Eggert  <eggert@cs.ucla.edu>
 
        * alloc.c (pure_bytes_used_lisp, pure_bytes_used_non_lisp):
        (allocate_vectorlike, buffer_memory_full, struct sdata, SDATA_SIZE)
@@ -75,6 +75,8 @@
        (ccl_driver):
        Use ptrdiff_t, not EMACS_INT, where ptrdiff_t is wide enough.
        For CCL_MapSingle, check that content and value are in int range.
+       (ccl_driver, Fregister_code_conversion_map):
+       Check that Vcode_version_map_vector is a vector.
        (resolve_symbol_ccl_program): Check that vector header is in range.
        Always copy the vector, so that we can check its contents reliably
        now rather than having to recheck each instruction as it's being

diff --git a/src/ccl.c b/src/ccl.c
index ffd412bba3e50909c9593149ecf17333d62b262d..4764fa0f5b5b09a59aa168a83bcb6c9a128bc227 100644 (file)
--- a/src/ccl.c
+++ b/src/ccl.c
@@ -1371,7 +1371,7 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
 
                for (;i < j;i++)
                  {
-
+                   if (!VECTORP (Vcode_conversion_map_vector)) continue;
                    size = ASIZE (Vcode_conversion_map_vector);
                    point = XINT (ccl_prog[ic++]);
                    if (! (0 <= point && point < size)) continue;
@@ -1447,7 +1447,8 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
            case CCL_MapMultiple:
              {
                Lisp_Object map, content, attrib, value;
-               int point, size, map_vector_size;
+               EMACS_INT point;
+               ptrdiff_t size, map_vector_size;
                int map_set_rest_length, fin_ic;
                int current_ic = this_ic;
 
@@ -1530,6 +1531,8 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
                        break;
                      }
                  }
+               if (!VECTORP (Vcode_conversion_map_vector))
+                 CCL_INVALID_CMD;
                map_vector_size = ASIZE (Vcode_conversion_map_vector);
 
                do {
@@ -1652,7 +1655,8 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
                int point;
                j = XINT (ccl_prog[ic++]); /* map_id */
                op = reg[rrr];
-               if (j >= ASIZE (Vcode_conversion_map_vector))
+               if (! (VECTORP (Vcode_conversion_map_vector)
+                      && j < ASIZE (Vcode_conversion_map_vector)))
                  {
                    reg[RRR] = -1;
                    break;
@@ -1665,6 +1669,7 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
                  }
                map = XCDR (map);
                if (! (VECTORP (map)
+                      && 0 < ASIZE (map)
                       && INTEGERP (AREF (map, 0))
                       && XINT (AREF (map, 0)) <= op
                       && op - XINT (AREF (map, 0)) + 1 < ASIZE (map)))
@@ -2257,12 +2262,16 @@ DEFUN ("register-code-conversion-map", Fregister_code_conversion_map,
 Return index number of the registered map.  */)
   (Lisp_Object symbol, Lisp_Object map)
 {
-  ptrdiff_t len = ASIZE (Vcode_conversion_map_vector);
+  ptrdiff_t len;
   ptrdiff_t i;
   Lisp_Object idx;
 
   CHECK_SYMBOL (symbol);
   CHECK_VECTOR (map);
+  if (! VECTORP (Vcode_conversion_map_vector))
+    error ("Invalid code-conversion-map-vector");
+
+  len = ASIZE (Vcode_conversion_map_vector);
 
   for (i = 0; i < len; i++)
     {