From d8dd381fa781c236ae777ca1ac55b73d3ca91c2a Mon Sep 17 00:00:00 2001
From: Andy Wingo
Date: Tue, 4 Aug 2009 20:29:09 +0200
Subject: [PATCH] fix buffer overrun reading partial numbers: 1.0f, 1.0/, and 1.0+

* libguile/numbers.c (mem2decimal_from_point, mem2ureal, mem2complex): Fix a number of cases where, for invalid numbers, we could read past the end of the buffer. This happened in e.g. "1.0+", "1/" and "1.0f". But I couldn't figure out how to test for these, given that the behavior depended on the contents of uninitialized memory in the reader buffer. We'll just have to be happy with this. Thanks to Kjetil S. Matheussen for the report.
---
 libguile/numbers.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/libguile/numbers.c b/libguile/numbers.c
index 2e1635faf..919087669 100644
--- a/libguile/numbers.c
+++ b/libguile/numbers.c
@@ -2663,17 +2663,26 @@ mem2decimal_from_point (SCM result, const char* mem, size_t len,
     case 'l': case 'L':
     case 's': case 'S':
       idx++;
+      if (idx == len)
+        return SCM_BOOL_F;
+
       start = idx;
       c = mem[idx];
       if (c == '-')
         {
           idx++;
+          if (idx == len)
+            return SCM_BOOL_F;
+
           sign = -1;
           c = mem[idx];
         }
       else if (c == '+')
         {
           idx++;
+          if (idx == len)
+            return SCM_BOOL_F;
+
           sign = 1;
           c = mem[idx];
         }
@@ -2789,8 +2798,10 @@ mem2ureal (const char* mem, size_t len, unsigned int *p_idx,
       SCM divisor;
 
       idx++;
+      if (idx == len)
+        return SCM_BOOL_F;
 
-      divisor = mem2uinteger (mem, len, &idx, radix, &x);
+      divisor = mem2uinteger (mem, len, &idx, radix, &x);
       if (scm_is_false (divisor))
         return SCM_BOOL_F;
 
@@ -2911,11 +2922,15 @@ mem2complex (const char* mem, size_t len, unsigned int idx,
   if (c == '+')
     {
       idx++;
+      if (idx == len)
+        return SCM_BOOL_F;
       sign = 1;
     }
   else if (c == '-')
     {
       idx++;
+      if (idx == len)
+        return SCM_BOOL_F;
       sign = -1;
     }
   else
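Review bot: The three new `if (idx == len) return SCM_BOOL_F;` guards in mem2decimal_from_point carry no explanation, so a later reader will not see why a bare exponent marker or sign has to bail out before the `c = mem[idx];` that follows each of them. I would put one comment above the first guard, `/* Exponent marker or sign at the end of the buffer ("1.0e", "1.0e-") is not a number, and mem[idx] below would read past len.  */`. The commit message says this cannot be tested because the outcome depends on stale reader-buffer contents, but calling the mem/len-taking entry point on a malloc'd buffer of exactly len bytes under valgrind or -fsanitize=address would flag the overrun deterministically regardless of what lies beyond the buffer. The enclosing function continues past the hunk, so I cannot confirm from here that the exponent-digit loop after the sign handling is itself bounded by len.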
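Review bot: The `-`/`+` pair for `divisor = mem2uinteger (mem, len, &idx, radix, &x);` in mem2ureal is textually identical, so it is presumably a whitespace-only change (tabs versus spaces) riding on a buffer-overrun fix; I would drop it from this patch or land it separately so the security-relevant diff stays minimal and easy to bisect. The new `if (idx == len) return SCM_BOOL_F;` before the call is the right guard for "1/", but if mem2uinteger already begins with the same idx-against-len test (its body is outside this hunk, so I cannot tell) the check is redundant and deserves a one-line comment such as `/* Nothing after the '/': bail here rather than rely on mem2uinteger.  */` so nobody removes the inner one later. Nothing visible here rejects an exact zero divisor ("1/0"); what happens after `scm_is_false (divisor)` is outside the hunk, so I only flag it for a look.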
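Review bot: The two guards added to mem2complex sit inside the `+` and `-` branches, but the read they protect is whatever follows the trailing `else`, which is outside my view; a single `if (idx == len) return SCM_BOOL_F;` placed after the whole if/else-if chain would cover both sign branches in one spot (the no-sign path keeps the idx it was called with, which the function presumably checked on entry). If such a check already exists after the chain, the two added here are redundant and should go; if it does not, consolidating them is clearer than duplicating the test per branch. The placement also differs from mem2decimal_from_point in this same patch, where each guard is followed by a blank line before the sign assignment; I would make the two functions consistent. The function body continues past the end of the hunk.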