check for integer overflow in vector reader syntax

Closes PR 12008

collects/tests/racket/basic.rktl

@@ -654,6 +654,9 @@
   (err/rt-test (make-string 500000000000000 #\f) exn:fail:out-of-memory?)) ;; bignum on 32-bit machines
 (err/rt-test (make-string 50000000000000000000 #\f) exn:fail:out-of-memory?)  ;; bignum on 64-bit machines
 
+(unless 64-bit-machine?
+  (err/rt-test (make-vector 1234567890 #\f) exn:fail:out-of-memory?)
+  (err/rt-test (read (open-input-string "#1234567890(0)")) exn:fail:out-of-memory?))
 
 (define f (make-string 3 #\*))
 (test "?**" 'string-set! (begin (string-set! f 0 #\?) f))

src/racket/src/vector.c

@@ -235,6 +235,7 @@ scheme_init_unsafe_vector (Scheme_Env *env)
 }
 
 #define VECTOR_BYTES(size) (sizeof(Scheme_Vector) + ((size) - 1) * sizeof(Scheme_Object *))
+#define REV_VECTOR_BYTES(size) (((size - sizeof(Scheme_Vector)) / sizeof(Scheme_Object *)) + 1)
 
 Scheme_Object *
 scheme_make_vector (intptr_t size, Scheme_Object *fill)
@@ -250,7 +251,13 @@ scheme_make_vector (intptr_t size, Scheme_Object *fill)
   if (size < 1024) {
     vec = (Scheme_Object *)scheme_malloc_tagged(VECTOR_BYTES(size));
   } else {
-    vec = (Scheme_Object *)scheme_malloc_fail_ok(scheme_malloc_tagged, VECTOR_BYTES(size));
+    size_t sz;
+    sz = VECTOR_BYTES(size);
+    if (REV_VECTOR_BYTES(sz) != size)
+      /* overflow */
+      scheme_raise_out_of_memory(NULL, NULL);
+    else
+      vec = (Scheme_Object *)scheme_malloc_fail_ok(scheme_malloc_tagged, sz);
   }
 
   vec->type = scheme_vector_type;
@@ -283,7 +290,7 @@ make_vector (int argc, Scheme_Object *argv[])
 
   if ((len == -1) 
       /* also watch for overflow: */
-      || ((intptr_t)VECTOR_BYTES(len) < len)) {
+      || (REV_VECTOR_BYTES(len) != len)) {
     scheme_raise_out_of_memory("make-vector", "making vector of length %s",
 			       scheme_make_provided_string(argv[0], 1, NULL));
   }