From: Paul Eggert Date: Sun, 10 Jun 2018 00:17:55 +0000 (-0700) Subject: Fix read buffer overrun on overflowed integers X-Git-Tag: emacs-27.0.90~4897 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=1a4c6e69db6f8861271f14338ed67aaf12cbd4c5;p=emacs.git Fix read buffer overrun on overflowed integers * src/lread.c (read_integer): Fix off-by-1 buffer overrun introduced in 2018-04-17T23:23:16Z!eggert@cs.ucla.edu. The bug could occur when Emacs read radixed integers containing more than 100 digits. Bug caught by AddressSanitizer. --- diff --git a/src/lread.c b/src/lread.c index d2c7eae20f9..4229ff568be 100644 --- a/src/lread.c +++ b/src/lread.c @@ -2680,8 +2680,8 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix) valid = 0; if (valid < 0) valid = 1; - *p = c; - p += p < buf + sizeof buf; + if (p < buf + sizeof buf) + *p++ = c; c = READCHAR; }
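Review bot: In the new `if (p < buf + sizeof buf) *p++ = c;` guard, digits that no longer fit in `buf` are dropped without any record, and `p` can still finish equal to `buf + sizeof buf`. Whatever follows the loop (not visible in this hunk) must therefore not store a terminator through `p` without the same bound, and must not treat the contents of `buf` as the complete number. A short comment at the guard stating that the truncation is intentional, and where the overflowed case is handled afterwards, would help the next reader; the old `*p = c; p += p < buf + sizeof buf;` form had the same intent but stored through `p` before checking it, which is the one-byte write past the array. The commit message says the overrun needs a radixed integer with more than 100 digits and was caught by AddressSanitizer, so a reader test with such an input would keep this from regressing.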