From dcd96745b0c505da5343549410fdab070ca72ff5 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Wed, 27 May 2020 09:50:07 -0700
Subject: [PATCH] Fix crash with invalid bytecode vectors
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

* src/lread.c (read_vector): If the vector is to short to be for bytecodes don’t do bytecode processing for it, as the processing might run past the end of the vector.
---
 src/lread.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/lread.c b/src/lread.c
index 53b4e1be2df..29deddaf15f 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -3844,6 +3844,10 @@ read_vector (Lisp_Object readcharfun, bool bytecodeflag)
 ptrdiff_t size = list_length (tem);
 Lisp_Object vector = make_nil_vector (size);
 
+ /* Avoid accessing past the end of a vector if the vector is too
+ small to be valid for bytecode. */
+ bytecodeflag &= COMPILED_STACK_DEPTH < size;
+
 Lisp_Object *ptr = XVECTOR (vector)->contents;
 for (ptrdiff_t i = 0; i < size; i++)
 {
-- 
2.39.5
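Review bot: The added guard `bytecodeflag &= COMPILED_STACK_DEPTH < size;` quietly drops an undersized bytecode vector into ordinary-vector handling, so malformed input is accepted without any diagnostic. Whatever consumes the result of read_vector still receives a too-short vector; that caller is outside this hunk, so it should be checked for the same out-of-bounds assumption, or the short vector rejected with a read error. The statement would also read more plainly as `if (size <= COMPILED_STACK_DEPTH) bytecodeflag = false;`, and the comment could say which slot index the bytecode branch relies on, since the loop body that uses the flag continues past the end of the hunk. The diffstat shows only src/lread.c changed; a reader test that feeds a truncated bytecode vector would keep this crash from regressing.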