authorIvan Maidanski <ivmai@mail.ru>2018-11-12 20:57:32 +0300
committerIvan Maidanski <ivmai@mail.ru>2018-11-12 20:57:32 +0300
commit68ed65ab425c81027c66e73ee1b734d8dbf785ad (patch)
tree5f359b7309573aef9847718b0713fdcdc683e3b8 /cord
parent06bd53fff8c91391e4adeeb78640eae00b7bbe09 (diff)
Guard against potential buffer overflow in CORD_next and CORD_pos_fetch
* cord/cordbscs.c (CORD__pos_fetch, CORD__next): Call ABORT() if CORD_pos_valid() returns false for the argument (do not compute pe in this case).
Diffstat (limited to 'cord')
-rw-r--r--cord/cordbscs.c25
1 files changed, 18 insertions, 7 deletions
diff --git a/cord/cordbscs.c b/cord/cordbscs.c
index a92ab639..1b4ec28b 100644
--- a/cord/cordbscs.c
+++ b/cord/cordbscs.c
@@ -780,19 +780,30 @@ void CORD__extend_path(CORD_pos p)
char CORD__pos_fetch(CORD_pos p)
{
/* Leaf is a function node */
- struct CORD_pe * pe = &((p)[0].path[(p)[0].path_len]);
- CORD leaf = pe -> pe_cord;
- struct Function * f = &(((CordRep *)leaf) -> function);
-
- if (!IS_FUNCTION(leaf)) ABORT("CORD_pos_fetch: bad leaf");
+ struct CORD_pe * pe;
+ CORD leaf;
+ struct Function * f;
+
+ if (!CORD_pos_valid(p))
+ ABORT("CORD_pos_fetch: invalid argument");
+ pe = &p[0].path[p[0].path_len];
+ leaf = pe -> pe_cord;
+ if (!IS_FUNCTION(leaf))
+ ABORT("CORD_pos_fetch: bad leaf");
+ f = &((CordRep *)leaf)->function;
return ((*(f -> fn))(p[0].cur_pos - pe -> pe_start_pos, f -> client_data));
}
void CORD__next(CORD_pos p)
{
size_t cur_pos = p[0].cur_pos + 1;
- struct CORD_pe * current_pe = &((p)[0].path[(p)[0].path_len]);
- CORD leaf = current_pe -> pe_cord;
+ struct CORD_pe * current_pe;
+ CORD leaf;
+
+ if (!CORD_pos_valid(p))
+ ABORT("CORD_next: invalid argument");
+ current_pe = &p[0].path[p[0].path_len];
+ leaf = current_pe -> pe_cord;
/* Leaf is not a string or we're at end of leaf */
p[0].cur_pos = cur_pos;
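Review bot: The new guard in CORD__pos_fetch, and the matching one in CORD__next, still lets `path_len` index `path[]` unchecked whenever CORD_pos_valid() returns true. CORD_pos_valid() is not defined in this hunk; if it only compares `path_len` with the invalid-position marker, an uninitialised or corrupted position holding any other out-of-range value passes the check, and `&p[0].path[p[0].path_len]` is then formed outside the array exactly as before. Consider bounding the index in the same condition, e.g. `if (!CORD_pos_valid(p) || (size_t)p[0].path_len > MAX_DEPTH)`, assuming `path[]` is declared with MAX_DEPTH + 1 entries in cord_pos.h. Otherwise, add a comment at both checks such as `/* Detects only the invalid-position marker; path_len is otherwise trusted. */` so the limit of the guard is explicit. The body of CORD__next continues past the end of the hunk.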