From 6efdadfdbad817826a8c311f5e3fae449bcf0471 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Mon, 24 Oct 2011 14:57:02 -0700
Subject: [PATCH] * lread.c: Fix off-by-one error that can read outside a buffer.
---
 src/ChangeLog | 3 ++-
 src/lread.c | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 34914c96c6c..8e2ef5e0eb2 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,4 +1,4 @@
-2011-10-23 Paul Eggert
+2011-10-24 Paul Eggert
 Fix integer width and related bugs.
 * alloc.c (pure_bytes_used_lisp, pure_bytes_used_non_lisp):
@@ -495,6 +495,7 @@
 (openp): Check for out-of-range argument to 'access'.
 (read1): Use int, not EMACS_INT, where int is wide enough. Don't assume fixnum fits into int.
+ Fix off-by-one error that can read outside a buffer.
 (read_filtered_event): Use duration_to_sec_usec to do proper overflow checking on durations.
 * macros.c (Fstart_kbd_macro): Use xpalloc to check for overflow
diff --git a/src/lread.c b/src/lread.c
index 75d05a2b2f3..d7c5db3a02c 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -2508,11 +2508,13 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
 ptrdiff_t size;
 tmp = read_vector (readcharfun, 0);
+ size = ASIZE (tmp);
+ if (size == 0)
+ error ("Invalid size char-table");
 if (! RANGED_INTEGERP (1, AREF (tmp, 0), 3))
 error ("Invalid depth in char-table");
 depth = XINT (AREF (tmp, 0));
- size = ASIZE (tmp) - 2;
- if (chartab_size [depth] != size)
+ if (chartab_size[depth] != size - 2)
 error ("Invalid size char-table");
 XSETPVECTYPE (XVECTOR (tmp), PVEC_SUB_CHAR_TABLE);
 return tmp;
--
2.39.2
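Review bot: In the src/lread.c hunk, the new `size == 0` test is the only thing keeping `AREF (tmp, 0)` inside the vector that `read_vector` returned, yet nothing marks that ordering as load-bearing; a comment above it such as `/* Reject an empty vector before AREF (tmp, 0) reads the depth slot.  */` would stop a later cleanup from moving the size check back below the depth check. The `- 2` in `chartab_size[depth] != size - 2` is also unexplained; presumably it accounts for the leading non-element slots, which is worth confirming and stating next to the comparison. The empty case and the mismatch case both raise "Invalid size char-table", so a malformed object cannot be told apart from the message alone. read1 starts and ends outside this hunk, and the diffstat lists no test file, so the empty-vector path appears to be unexercised by this commit.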