From 1a4c6e69db6f8861271f14338ed67aaf12cbd4c5 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Sat, 9 Jun 2018 17:17:55 -0700
Subject: [PATCH] Fix read buffer overrun on overflowed integers

* src/lread.c (read_integer): Fix off-by-1 buffer overrun introduced in 2018-04-17T23:23:16Z!eggert@cs.ucla.edu. The bug could occur when Emacs read radixed integers containing more than 100 digits. Bug caught by AddressSanitizer.
---
 src/lread.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lread.c b/src/lread.c
index d2c7eae20f9..4229ff568be 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -2680,8 +2680,8 @@ read_integer (Lisp_Object readcharfun, EMACS_INT radix)
 valid = 0;
 if (valid < 0)
 valid = 1;
- *p = c;
- p += p < buf + sizeof buf;
+ if (p < buf + sizeof buf)
+ *p++ = c;
 c = READCHAR;
 }

-- 
2.39.2
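Review bot: After the guarded store `if (p < buf + sizeof buf) *p++ = c;`, `p` can still end up equal to `buf + sizeof buf`, and every digit read after that point is silently dropped, so whatever follows the loop must treat that value as "buffer full" before it writes through `p` (a terminating NUL, for instance) or parses `buf` as a number. That code is outside this hunk (the loop and the rest of read_integer start and end beyond it), so this is something to confirm rather than a defect visible here. If the one-past-the-end position is the intended overflow marker, a comment above the guard would record it, e.g. `/* Stop storing once buf is full; p == buf + sizeof buf then means the digits did not fit.  */`. The diffstat shows only src/lread.c changed, so a reader test that feeds a radixed integer longer than the buffer would keep the AddressSanitizer finding from regressing.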