From 04e5b28ff1691345e023a944dc6a6a9e9573bd07 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Sat, 2 Dec 2017 21:31:24 -0800 Subject: [PATCH] Fix bug in i18n/l10n optimization This fixes a off-by-one buffer overrun bug introduced in 2017-06-04T15:39:37Z!eggert@cs.ucla.edu. Problem uncovered by an experimental version of Emacs built with -fcheck-pointer-bounds and running on Intel MPX hardware. * src/editfns.c (styled_format): Avoid overrunning internal buffers. --- src/editfns.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/editfns.c b/src/editfns.c index f275f33fc52..f7c26b900a0 100644 --- a/src/editfns.c +++ b/src/editfns.c @@ -4919,7 +4919,7 @@ styled_format (ptrdiff_t nargs, Lisp_Object *args, bool message) else if (discarded[bytepos] == 1) { position++; - if (translated == info[fieldn].start) + if (fieldn < nspec && translated == info[fieldn].start) { translated += info[fieldn].end - info[fieldn].start; fieldn++; @@ -4939,7 +4939,7 @@ styled_format (ptrdiff_t nargs, Lisp_Object *args, bool message) else if (discarded[bytepos] == 1) { position++; - if (translated == info[fieldn].start) + if (fieldn < nspec && translated == info[fieldn].start) { translated += info[fieldn].end - info[fieldn].start; fieldn++; -- 2.39.2