
fix buffer overrun reading partial numbers: 1.0f, 1.0/, and 1.0+

* libguile/numbers.c (mem2decimal_from_point, mem2ureal, mem2complex):
  Fix a number of cases where, for invalid numbers, we could read past
  the end of the buffer. This happened in e.g. "1.0+", "1/" and "1.0f".
  But I couldn't figure out how to test for these, given that the
  behavior depended on the contents of uninitialized memory in the
  reader buffer. We'll just have to be happy with this.

Thanks to Kjetil S. Matheussen for the report.
Andy Wingo 2009-08-04 20:29:09 +02:00
parent 240a7800d0
commit d8dd381fa7


@ -2663,17 +2663,26 @@ mem2decimal_from_point (SCM result, const char* mem, size_t len,
case 'l': case 'L':
case 's': case 'S':
idx++;
if (idx == len)
return SCM_BOOL_F;
start = idx;
c = mem[idx];
if (c == '-')
{
idx++;
if (idx == len)
return SCM_BOOL_F;
sign = -1;
c = mem[idx];
}
else if (c == '+')
{
idx++;
if (idx == len)
return SCM_BOOL_F;
sign = 1;
c = mem[idx];
}
@ -2789,6 +2798,8 @@ mem2ureal (const char* mem, size_t len, unsigned int *p_idx,
SCM divisor;
idx++;
if (idx == len)
return SCM_BOOL_F;
divisor = mem2uinteger (mem, len, &idx, radix, &x);
if (scm_is_false (divisor))
@ -2911,11 +2922,15 @@ mem2complex (const char* mem, size_t len, unsigned int idx,
if (c == '+')
{
idx++;
if (idx == len)
return SCM_BOOL_F;
sign = 1;
}
else if (c == '-')
{
idx++;
if (idx == len)
return SCM_BOOL_F;
sign = -1;
}
else
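Review bot: The five new guards test `idx == len`, which bounds the next `mem[idx]` read only while `idx` can never already be past `len` when the increment runs; writing each as `if (idx >= len) return SCM_BOOL_F;` keeps the read in range even if an earlier step ever advances the index by more than one. Going by the hunk headers, `len` is a `size_t` and the index in mem2ureal and mem2complex is an `unsigned int`, so the comparison is already done in `size_t` and `>=` changes nothing for valid input. This applies to the three guards in mem2decimal_from_point, the one before the mem2uinteger call in mem2ureal, and the two in mem2complex. Since the pattern now repeats, a short comment at the first site such as `/* ran out of input: not a valid number */` would record why end-of-buffer yields SCM_BOOL_F. All three functions start and end outside the visible hunks, so whether `idx < len` is guaranteed on entry cannot be confirmed from here.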