From: Paul Eggert Date: Sun, 3 Dec 2017 05:31:24 +0000 (-0800) Subject: Fix bug in i18n/l10n optimization X-Git-Tag: emacs-26.0.91~196 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=04e5b28;p=emacs.git Fix bug in i18n/l10n optimization This fixes an off-by-one buffer overrun bug introduced in 2017-06-04T15:39:37Z!eggert@cs.ucla.edu. Problem uncovered by an experimental version of Emacs built with -fcheck-pointer-bounds and running on Intel MPX hardware. * src/editfns.c (styled_format): Avoid overrunning internal buffers. --- diff --git a/src/editfns.c b/src/editfns.c index f275f33fc52..f7c26b900a0 100644 --- a/src/editfns.c +++ b/src/editfns.c @@ -4919,7 +4919,7 @@ styled_format (ptrdiff_t nargs, Lisp_Object *args, bool message) else if (discarded[bytepos] == 1) { position++; - if (translated == info[fieldn].start) + if (fieldn < nspec && translated == info[fieldn].start) { translated += info[fieldn].end - info[fieldn].start; fieldn++; @@ -4939,7 +4939,7 @@ styled_format (ptrdiff_t nargs, Lisp_Object *args, bool message) else if (discarded[bytepos] == 1) { position++; - if (translated == info[fieldn].start) + if (fieldn < nspec && translated == info[fieldn].start) { translated += info[fieldn].end - info[fieldn].start; fieldn++;
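
Review bot: the new `fieldn < nspec` test in the first hunk (the `discarded[bytepos] == 1` branch at -4919) needs a comment saying why `fieldn` can equal `nspec` at this point. The body does `fieldn++` each time a field is consumed, so after the last field the index is one past the final entry, and the old condition still read `info[fieldn].start` on the next discarded byte. A one-line comment above the `if`, along the lines of "fieldn == nspec once every spec has been consumed", would keep a later cleanup from dropping the check as redundant. It is also worth confirming that `nspec` is the number of valid entries in `info` here, since the guard is only as tight as that invariant.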
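
Review bot: the second hunk (at -4939) repeats the condition and body of the first hunk verbatim, so the bounds check now has to be kept in sync in two places. Consider moving the shared step, `if (fieldn < nspec && translated == info[fieldn].start)` together with its `translated +=` and `fieldn++` body, into one small helper used by both branches. The commit message says the overrun showed up only in a build with -fcheck-pointer-bounds on MPX hardware, and the patch touches only src/editfns.c; a regression test that formats a string in which discarded bytes follow the last spec would exercise this path in ordinary test runs.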