diff options
author | Andy Wingo <wingo@pobox.com> | 2011-07-29 09:31:32 +0200 |
---|---|---|
committer | Andy Wingo <wingo@pobox.com> | 2011-07-29 09:31:32 +0200 |
commit | 99c6be814f06952e228b1610407faa9161a65cdf (patch) | |
tree | 45f8f61b6776a8ad5f5fb0389b529e407f52b313 | |
parent | b720f244942320731e1ceb67f3648143a3316b32 (diff) | |
download | guile-99c6be814f06952e228b1610407faa9161a65cdf.tar.gz |
fix write-beyond-end of an on-stack buffer while reading typed arrays
* libguile/unif.c (scm_i_read_array): Fix case in which we could write
beyond the end of `tag'. See
http://article.gmane.org/gmane.lisp.guile.devel/12685.
-rw-r--r-- | libguile/unif.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libguile/unif.c b/libguile/unif.c index daf085007..dd4e61711 100644 --- a/libguile/unif.c +++ b/libguile/unif.c @@ -1,4 +1,4 @@ -/* Copyright (C) 1995,1996,1997,1998,2000,2001,2002,2003,2004, 2005, 2006 Free Software Foundation, Inc. +/* Copyright (C) 1995,1996,1997,1998,2000,2001,2002,2003,2004, 2005, 2006, 2011 Free Software Foundation, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -2722,7 +2722,7 @@ scm_i_read_array (SCM port, int c) */ tag_len = 0; continue_reading_tag: - while (c != EOF && c != '(' && c != '@' && c != ':' && tag_len < 80) + while (c != EOF && c != '(' && c != '@' && c != ':' && tag_len < 79) { tag[tag_len++] = c; c = scm_getc (port); |