From 99c6be814f06952e228b1610407faa9161a65cdf Mon Sep 17 00:00:00 2001
From: Andy Wingo
Date: Fri, 29 Jul 2011 09:31:32 +0200
Subject: [PATCH] fix write-beyond-end of an on-stack buffer while reading typed arrays

* libguile/unif.c (scm_i_read_array): Fix case in which we could write beyond the end of `tag'. See http://article.gmane.org/gmane.lisp.guile.devel/12685.
---
 libguile/unif.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libguile/unif.c b/libguile/unif.c
index daf085007..dd4e61711 100644
--- a/libguile/unif.c
+++ b/libguile/unif.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 1995,1996,1997,1998,2000,2001,2002,2003,2004, 2005, 2006 Free Software Foundation, Inc.
+/* Copyright (C) 1995,1996,1997,1998,2000,2001,2002,2003,2004, 2005, 2006, 2011 Free Software Foundation, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
@@ -2722,7 +2722,7 @@ scm_i_read_array (SCM port, int c)
 */
 tag_len = 0;
 continue_reading_tag:
- while (c != EOF && c != '(' && c != '@' && c != ':' && tag_len < 80)
+ while (c != EOF && c != '(' && c != '@' && c != ':' && tag_len < 79)
 {
 tag[tag_len++] = c;
 c = scm_getc (port);
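Review bot: The new loop bound `tag_len < 79` in the second hunk is a bare literal that must stay in step with the size of `tag`, whose declaration is outside this hunk; nothing ties the two together, so a later resize of the array would quietly bring back the overrun this commit fixes. Deriving the limit from the buffer, for example `tag_len < (int) sizeof (tag) - 1` with a comment such as `/* keep one byte free for the terminating NUL */`, would make the reserved byte explicit. This assumes `tag` is a true array in this scope, as the commit message's "on-stack buffer" suggests, and that `tag_len` is an `int`; adjust the cast if it is not. An over-long tag now leaves the loop with `c` still holding a tag character, and whether the code after the hunk rejects that input or goes on to parse the truncated tag is not visible here, so that path is worth checking. The body of `scm_i_read_array` starts and ends outside the hunk.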