From 2cfd65e972114ba273eff8ea861052796434e3d1 Mon Sep 17 00:00:00 2001
From: Matthew Flatt
Date: Fri, 1 Jun 2018 06:03:33 +0800
Subject: [PATCH] defend against bad bytecode Closes #2107
---
 racket/src/racket/src/read.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/racket/src/racket/src/read.c b/racket/src/racket/src/read.c
index 959a01b44b..79721e9866 100644
--- a/racket/src/racket/src/read.c
+++ b/racket/src/racket/src/read.c
@@ -3078,11 +3078,13 @@ static Scheme_Object *read_compact(CPort *port, int use_stack)
 pf = (Scheme_Prefix *)read_compact(port, 0);
 }
- if ((pos < 0) || (pos >= pf->num_slots))
+ if (!SAME_TYPE(SCHEME_TYPE(pf), scheme_prefix_type) || (pos < 0) || (pos >= pf->num_slots))
 scheme_ill_formed_code(port);
 flags &= SCHEME_TOPLEVEL_FLAGS_MASK;
 i = ((pos << SCHEME_LOG_TOPLEVEL_FLAG_MASK) | flags);
+ if ((i < 0) || (i >= (pf->num_slots * (SCHEME_TOPLEVEL_FLAGS_MASK + 1))))
+ scheme_ill_formed_code(port);
 tl = ((Scheme_Object **)pf->a[pf->num_slots-1])[i];
 if (!tl) {
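Review bot: The added range check on `i` runs only after `pos << SCHEME_LOG_TOPLEVEL_FLAG_MASK` has been evaluated, so it cannot reliably catch the overflow case it appears to exist for. With `pos < pf->num_slots` already enforced and `flags` masked, `i` should stay below `pf->num_slots * (SCHEME_TOPLEVEL_FLAGS_MASK + 1)` unless the shift or that multiplication overflows. For signed operands (the declarations are outside the hunk, so this is assumed), that overflow is undefined behaviour and a compiler may drop the test. Because `pf` appears to be read from the bytecode stream, bound `pos` before shifting, e.g. `if (pos > (INT_MAX >> SCHEME_LOG_TOPLEVEL_FLAG_MASK)) scheme_ill_formed_code(port);`, or add a comment stating which malformed input the second check rejects. The body of read_compact starts and ends outside the hunk.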