From c801946a9290fe742d87053615495e68d04ec6be Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Tue, 27 Sep 2011 08:56:04 -0700
Subject: [PATCH] * ccl.c (ccl_driver, Fregister_code_conversion_map): Check that Vcode_version_map_vector is a vector.

---
 src/ChangeLog | 4 +++-
 src/ccl.c | 17 +++++++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 9857461143a..696123c6c1d 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,4 +1,4 @@
-2011-09-26 Paul Eggert
+2011-09-27 Paul Eggert

 * alloc.c (pure_bytes_used_lisp, pure_bytes_used_non_lisp):
 (allocate_vectorlike, buffer_memory_full, struct sdata, SDATA_SIZE)
@@ -75,6 +75,8 @@
 (ccl_driver): Use ptrdiff_t, not EMACS_INT, where ptrdiff_t is wide enough. For CCL_MapSingle, check that content and value are in int range.
+ (ccl_driver, Fregister_code_conversion_map):
+ Check that Vcode_version_map_vector is a vector.
 (resolve_symbol_ccl_program): Check that vector header is in range. Always copy the vector, so that we can check its contents reliably now rather than having to recheck each instruction as it's being
diff --git a/src/ccl.c b/src/ccl.c
index ffd412bba3e..4764fa0f5b5 100644
--- a/src/ccl.c
+++ b/src/ccl.c
@@ -1371,7 +1371,7 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size

 for (;i < j;i++)
 {
-
+ if (!VECTORP (Vcode_conversion_map_vector)) continue;
 size = ASIZE (Vcode_conversion_map_vector);
 point = XINT (ccl_prog[ic++]);
 if (! (0 <= point && point < size)) continue;
@@ -1447,7 +1447,8 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
 case CCL_MapMultiple:
 {
 Lisp_Object map, content, attrib, value;
- int point, size, map_vector_size;
+ EMACS_INT point;
+ ptrdiff_t size, map_vector_size;
 int map_set_rest_length, fin_ic;
 int current_ic = this_ic;
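Review bot: The new `if (!VECTORP (Vcode_conversion_map_vector)) continue;` at the top of the `for (;i < j;i++)` body tests a loop-invariant global once per iteration and answers an invalid map table by quietly running the loop to completion, whereas the hunk at -1530 (CCL_MapMultiple) answers the same condition with `CCL_INVALID_CMD` and the hunk at -1652 (CCL_MapSingle) with `reg[RRR] = -1`. Three responses to one bad global make the interpreter's outcome depend on which opcode happens to see it first, which is hard to reason about and to test. Hoisting the test above the loop and using the MapMultiple response would make the three sites agree: `if (!VECTORP (Vcode_conversion_map_vector)) CCL_INVALID_CMD;` placed before `for (;i < j;i++)`, with the added line inside the loop dropped. The surrounding case body and ccl_driver itself begin and end outside the hunk, so what `reg[RRR]` holds after the skipped iterations cannot be confirmed from here.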
@@ -1530,6 +1531,8 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
 break;
 }
 }
+ if (!VECTORP (Vcode_conversion_map_vector))
+ CCL_INVALID_CMD;
 map_vector_size = ASIZE (Vcode_conversion_map_vector);
 do
 {
@@ -1652,7 +1655,8 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
 int point;
 j = XINT (ccl_prog[ic++]); /* map_id */
 op = reg[rrr];
- if (j >= ASIZE (Vcode_conversion_map_vector))
+ if (! (VECTORP (Vcode_conversion_map_vector)
+ && j < ASIZE (Vcode_conversion_map_vector)))
 {
 reg[RRR] = -1;
 break;
@@ -1665,6 +1669,7 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
 }
 map = XCDR (map);
 if (! (VECTORP (map)
+ && 0 < ASIZE (map)
 && INTEGERP (AREF (map, 0))
 && XINT (AREF (map, 0)) <= op
 && op - XINT (AREF (map, 0)) + 1 < ASIZE (map)))
@@ -2257,12 +2262,16 @@ DEFUN ("register-code-conversion-map", Fregister_code_conversion_map,
 Return index number of the registered map. */)
 (Lisp_Object symbol, Lisp_Object map)
 {
- ptrdiff_t len = ASIZE (Vcode_conversion_map_vector);
+ ptrdiff_t len;
 ptrdiff_t i;
 Lisp_Object idx;

 CHECK_SYMBOL (symbol);
 CHECK_VECTOR (map);
+ if (! VECTORP (Vcode_conversion_map_vector))
+ error ("Invalid code-conversion-map-vector");
+
+ len = ASIZE (Vcode_conversion_map_vector);
 for (i = 0; i < len; i++)
 {
-- 
2.39.2
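Review bot: The rewritten condition in CCL_MapSingle bounds the map id `j` only from above (`j < ASIZE (Vcode_conversion_map_vector)`), while the CCL_IterateMultipleMap hunk at -1371 checks its map index at both ends, `0 <= point && point < size`. `j` comes straight from the program vector (`j = XINT (ccl_prog[ic++])`), so unless a negative value is already rejected when the program is resolved (resolve_symbol_ccl_program is named in the ChangeLog but is not part of this patch), a negative id passes the new test; the symmetric form `&& 0 <= j && j < ASIZE (Vcode_conversion_map_vector)))` keeps the same `reg[RRR] = -1` rejection path. The use of `j` as an index follows the hunk and is not visible here.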
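Review bot: The commit subject and the ChangeLog entry for this function say `Vcode_version_map_vector`, but the variable this hunk and every ccl_driver hunk check is `Vcode_conversion_map_vector`; the ChangeLog line should read `Check that Vcode_conversion_map_vector is a vector.` so the entry matches the identifier a reader will grep for. Placing the new `error ("Invalid code-conversion-map-vector")` after `CHECK_SYMBOL` and `CHECK_VECTOR` is the right order, since bad arguments still get their usual wrong-type-argument report before the global is examined. The loop body after `for (i = 0; i < len; i++)` lies outside the hunk.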