From: Paul Eggert Date: Wed, 27 May 2020 16:50:07 +0000 (-0700) Subject: Fix crash with invalid bytecode vectors X-Git-Tag: emacs-28.0.90~7267 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=dcd96745b0c505da5343549410fdab070ca72ff5;p=emacs.git Fix crash with invalid bytecode vectors * src/lread.c (read_vector): If the vector is too short to be for bytecodes don’t do bytecode processing for it, as the processing might run past the end of the vector. --- diff --git a/src/lread.c b/src/lread.c index 53b4e1be2df..29deddaf15f 100644 --- a/src/lread.c +++ b/src/lread.c @@ -3844,6 +3844,10 @@ read_vector (Lisp_Object readcharfun, bool bytecodeflag) ptrdiff_t size = list_length (tem); Lisp_Object vector = make_nil_vector (size); + /* Avoid accessing past the end of a vector if the vector is too + small to be valid for bytecode. */ + bytecodeflag &= COMPILED_STACK_DEPTH < size; + Lisp_Object *ptr = XVECTOR (vector)->contents; for (ptrdiff_t i = 0; i < size; i++) {
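Review bot: In the added `bytecodeflag &= COMPILED_STACK_DEPTH < size;` line of the read_vector hunk, an undersized bytecode vector is silently downgraded to an ordinary vector, so malformed input is accepted with nothing reported to the caller. If that fallback is intended, the comment should say so; otherwise consider signalling a read error for this case instead of clearing the flag. The comment should also state that the bound assumes COMPILED_STACK_DEPTH is the highest slot the bytecode processing touches, since the check is only sufficient while that holds. The diff changes src/lread.c only, so a regression test that reads a bytecode vector with COMPILED_STACK_DEPTH or fewer elements would keep this from regressing.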