From 76bbb0c92c0a9e2cadac9796e55fdd2836424fdb Mon Sep 17 00:00:00 2001 From: Peter Bex
Date: Sun, 28 May 2017 12:37:44 +0200
Subject: [PATCH] Fix segmentation fault in "length" on improper lists.

This fixes #1375
---
 NEWS | 2 ++
 runtime.c | 2 +-
 tests/library-tests.scm | 6 ++++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 7e395ac..fc05da8 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@
 - CVE-2017-6949: Remove unchecked malloc() call in SRFI-4 constructors when allocating in non-GC memory, resulting in potential 1-word buffer overrun and/or segfault (thanks to Lemonboy).
+ - "length" no longer crashes on improper lists
+ (fixes #1375, thanks to "megane").
 - Core Libraries
 - Unit "posix": If file-lock, file-lock/blocking or file-unlock are
diff --git a/runtime.c b/runtime.c
index 86db413..7a513c2 100644
--- a/runtime.c
+++ b/runtime.c
@@ -5379,7 +5379,7 @@ C_regparm C_word C_fcall C_i_length(C_word lst)
 }
 }

- if(C_immediatep(slow) || C_block_header(lst) != C_PAIR_TAG)
+ if(C_immediatep(slow) || C_block_header(slow) != C_PAIR_TAG)
 barf(C_NOT_A_PROPER_LIST_ERROR, "length", lst);

 slow = C_u_i_cdr(slow);
diff --git a/tests/library-tests.scm b/tests/library-tests.scm
index cd2f6e9..9c7cab4 100644
--- a/tests/library-tests.scm
+++ b/tests/library-tests.scm
@@ -693,3 +693,9 @@ A
 (assert (not (member "foo" '("bar"))))
 (assert (not (member "foo" '())))
 (assert-fail (member "foo" "foo"))
+
+
+;; length
+
+(assert-fail (length 1))
+(assert-fail (length '(x . y)))
-- 
2.1.4
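Review bot: The corrected condition is the only guard between `slow` and the unchecked `C_u_i_cdr(slow)` two lines below, and nothing in the hunk records that dependency; a comment such as `/* slow must be a pair here: C_u_i_cdr performs no type check */` above the `if` would make the next edit less likely to reintroduce the `lst`/`slow` mix-up. The removed form passed whenever `lst` itself was a pair, so a non-immediate, non-pair tail reached the unchecked cdr, which is consistent with the segfault the subject line describes. C_i_length starts and ends outside the hunk, so whether the fast-pointer advance above carries an equivalent guard cannot be confirmed from here.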
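Review bot: Neither new assertion clearly exercises the line the commit fixes: `(length 1)` is an immediate and is rejected before any traversal, and in `'(x . y)` the improper tail is the very first cdr, which the fast pointer presumably inspects before the slow pointer ever reaches it. A regression test for #1375 should place a non-immediate, non-pair tail far enough into the list that the slow-pointer check is the one that meets it, e.g. `(assert-fail (length (cons 'a (cons 'b (cons 'c (cons 'd "tail"))))))`. Whether that depth is sufficient depends on the stepping pattern inside C_i_length, which is not visible in this patch, so the required length should be checked against the loop body.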