authorAndy Wingo <wingo@pobox.com>2009-08-04 20:29:09 +0200
committerAndy Wingo <wingo@pobox.com>2009-08-04 20:29:09 +0200
commitee0ddd21211757664092eaec631c4c76f4aae74f (patch)
tree58064038cd5b3388a6748fd273230d2ec065696d
parenta876e7dcea78e770bedba40017fbb225cf88bff5 (diff)
downloadguile-ee0ddd21211757664092eaec631c4c76f4aae74f.tar.gz
fix buffer overrun reading partial numbers: 1.0f, 1.0/, and 1.0+
* libguile/numbers.c (mem2decimal_from_point, mem2ureal, mem2complex): Fix a number of cases where, for invalid numbers, we could read past the end of the buffer. This happened in e.g. "1.0+", "1/" and "1.0f". But I couldn't figure out how to test for these, given that the behavior depended on the contents of uninitialized memory in the reader buffer. We'll just have to be happy with this. Thanks to Kjetil S. Matheussen for the report.
-rw-r--r--libguile/numbers.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/libguile/numbers.c b/libguile/numbers.c
index 5f56b7a29..b4bff8142 100644
--- a/libguile/numbers.c
+++ b/libguile/numbers.c
@@ -2657,17 +2657,26 @@ mem2decimal_from_point (SCM result, const char* mem, size_t len,
case 'l': case 'L':
case 's': case 'S':
idx++;
+ if (idx == len)
+ return SCM_BOOL_F;
+
start = idx;
c = mem[idx];
if (c == '-')
{
idx++;
+ if (idx == len)
+ return SCM_BOOL_F;
+
sign = -1;
c = mem[idx];
}
else if (c == '+')
{
idx++;
+ if (idx == len)
+ return SCM_BOOL_F;
+
sign = 1;
c = mem[idx];
}
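Review bot: The three new guards in the exponent branch test `idx == len`, which is only a valid bound while idx advances by exactly one from a position already known to be inside the buffer; `if (idx >= len) return SCM_BOOL_F;` costs nothing and still stops the read at `c = mem[idx]` if a later edit lets idx step past len. The mem2ureal and mem2complex hunks use the same equality test and would benefit from the same change. A short comment on the first guard, for example `/* exponent marker was the last character: not a number */`, would tell a reader why the early return is there. mem2decimal_from_point starts and ends outside this hunk, so the digit checks that follow the sign handling are not visible here.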
@@ -2783,8 +2792,10 @@ mem2ureal (const char* mem, size_t len, unsigned int *p_idx,
SCM divisor;
idx++;
+ if (idx == len)
+ return SCM_BOOL_F;
- divisor = mem2uinteger (mem, len, &idx, radix, &x);
+ divisor = mem2uinteger (mem, len, &idx, radix, &x);
if (scm_is_false (divisor))
return SCM_BOOL_F;
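Review bot: The guard added before `mem2uinteger (mem, len, &idx, radix, &x)` protects this one call site only. mem2uinteger already receives len, so if it reads the first character before comparing the index with len (its body is not shown here), a bounds check at the top of that function would cover every caller instead of relying on each one to pre-check. The early return leaves `*p_idx` unwritten in the visible lines, which looks consistent with the failure return just below it, but it is worth confirming that no caller reads the index after a false result. mem2ureal continues outside the hunk.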
@@ -2905,11 +2916,15 @@ mem2complex (const char* mem, size_t len, unsigned int idx,
if (c == '+')
{
idx++;
+ if (idx == len)
+ return SCM_BOOL_F;
sign = 1;
}
else if (c == '-')
{
idx++;
+ if (idx == len)
+ return SCM_BOOL_F;
sign = -1;
}
else
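Review bot: Both new checks compare an `unsigned int idx` with a `size_t len` (see the mem2complex signature in the hunk header), so where size_t is wider than unsigned int the equality cannot be reached for a buffer longer than UINT_MAX and idx would wrap instead. That is unlikely for a numeric literal, but declaring the index as `size_t` throughout these parsers, a larger change than this commit, would remove the mismatch rather than depend on input size. The commit message says no test was added because the overrun depended on uninitialized memory; reading "1.0+", "1/" and "1.0f" from an exactly sized heap buffer under a memory checker would likely make the regression deterministic. The if/else chain continues past the end of the hunk.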