* lread.c: Fix off-by-one error that can read outside a buffer.

diff --git a/src/ChangeLog b/src/ChangeLog
index 34914c9..8e2ef5e 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,4 +1,4 @@
-2011-10-23  Paul Eggert  <eggert@cs.ucla.edu>
+2011-10-24  Paul Eggert  <eggert@cs.ucla.edu>
 
        Fix integer width and related bugs.
        * alloc.c (pure_bytes_used_lisp, pure_bytes_used_non_lisp):
@@ -495,6 +495,7 @@
        (openp): Check for out-of-range argument to 'access'.
        (read1): Use int, not EMACS_INT, where int is wide enough.
        Don't assume fixnum fits into int.
+       Fix off-by-one error that can read outside a buffer.
        (read_filtered_event): Use duration_to_sec_usec
        to do proper overflow checking on durations.
        * macros.c (Fstart_kbd_macro): Use xpalloc to check for overflow

diff --git a/src/lread.c b/src/lread.c
index 75d05a2..d7c5db3 100644 (file)
--- a/src/lread.c
+++ b/src/lread.c
@@ -2508,11 +2508,13 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
                  ptrdiff_t size;
 
                  tmp = read_vector (readcharfun, 0);
+                 size = ASIZE (tmp);
+                 if (size == 0)
+                   error ("Invalid size char-table");
                  if (! RANGED_INTEGERP (1, AREF (tmp, 0), 3))
                    error ("Invalid depth in char-table");
                  depth = XINT (AREF (tmp, 0));
-                 size = ASIZE (tmp) - 2;
-                 if (chartab_size [depth] != size)
+                 if (chartab_size[depth] != size - 2)
                    error ("Invalid size char-table");
                  XSETPVECTYPE (XVECTOR (tmp), PVEC_SUB_CHAR_TABLE);
                  return tmp;