A 'read' function may only read as many bytes as the size of the buffer passed into it, but the caller didn't check, which made an actual violation of this invariant hard to diagnose.
---
 src/language/lexer/lexer.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/src/language/lexer/lexer.c b/src/language/lexer/lexer.c
index e72a3e4..1caadac 100644
--- a/src/language/lexer/lexer.c
+++ b/src/language/lexer/lexer.c
@@ -1209,14 +1209,18 @@ lex_source_read__ (struct lex_source *src) do { size_t head_ofs; + size_t space; size_t n; lex_source_expand__ (src); head_ofs = src->head - src->tail; + space = src->allocated - head_ofs; n = src->reader->class->read (src->reader, &src->buffer[head_ofs], - src->allocated - head_ofs, + space, segmenter_get_prompt (&src->segmenter)); + assert (n <= space); + if (n == 0) { /* End of input.
-- 1.7.2.5
_______________________________________________ pspp-dev mailing list pspp-dev@gnu.org https://lists.gnu.org/mailman/listinfo/pspp-dev
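Review bot: The new `assert (n <= space)` after the `read` call is compiled out under NDEBUG, so in a release build a reader class that returns more than `space` is presumably still trusted by the code that follows and the buffer overrun stays undetected — since the commit message describes this as an invariant of the reader interface rather than recoverable input, consider an unconditional check such as `if (n > space) abort ();` ahead of the assert, or at least documenting the bound at the declaration of the `read` member so implementers know it is hard. A comment on the check would help the next reader: `/* A reader may not return more than the space it was given; a larger value is a bug in the reader class, not bad input. */`. Note also that `space = src->allocated - head_ofs` is an unsigned subtraction; whether `lex_source_expand__` guarantees `head_ofs <= src->allocated` is not visible in this hunk, so the new check silently depends on that. lex_source_read__ begins and ends outside the hunk.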