From ac0bb2b98f7d9704f57e71132a37823476aecaf3 Mon Sep 17 00:00:00 2001
From: Sam Tobin-Hochstadt
Date: Tue, 19 Jun 2012 13:02:21 -0400
Subject: [PATCH] Error checking in bytecode reader.

Found by:
fuzz.rkt -s 912673274 -f collects/setup/compiled/xref_rkt.zo
fuzz.rkt -s 568444835 -f collects/syntax/scribblings/compiled/strip-context_scrbl.zo
fuzz.rkt -s 1009851773 -f collects/mred/private/wx/cocoa/compiled/platform_rkt.zo
---
 src/racket/src/marshal.c | 7 +++++--
 src/racket/src/read.c    | 5 +++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/racket/src/marshal.c b/src/racket/src/marshal.c
index 3809d7bebc..3f64d31266 100644
--- a/src/racket/src/marshal.c
+++ b/src/racket/src/marshal.c
@@ -1432,6 +1432,7 @@ static Scheme_Object *read_module(Scheme_Object *obj)
     obj = SCHEME_CDR(obj);
     nve = scheme_null;
     while (!SCHEME_NULLP(e)) {
+      if (!SCHEME_PAIRP(e)) return_NULL();
       ne = read_module(SCHEME_CAR(e));
       nve = scheme_make_pair(ne, nve);
       e = SCHEME_CDR(e);
@@ -1484,8 +1485,8 @@ static Scheme_Object *read_module(Scheme_Object *obj)
   cnt = SCHEME_INT_VAL(SCHEME_CAR(obj));
   obj = SCHEME_CDR(obj);
 
-  if (cnt < 1) return_NULL();
-
+  if (cnt < 1 || cnt > 1000) return_NULL();
+
   m->num_phases = cnt;
   exp_infos = MALLOC_N(Scheme_Module_Export_Info *, cnt);
   while (cnt--) {
@@ -1499,6 +1500,8 @@ static Scheme_Object *read_module(Scheme_Object *obj)
     if (!SCHEME_PAIRP(obj)) return_NULL();
     cnt = SCHEME_INT_VAL(SCHEME_CAR(obj));
     obj = SCHEME_CDR(obj);
+
+    if (cnt < 1 || cnt > 1000) return_NULL();
     while (cnt--) {
       Scheme_Object *phase;
 
diff --git a/src/racket/src/read.c b/src/racket/src/read.c
index 45307291a9..47aee846da 100644
--- a/src/racket/src/read.c
+++ b/src/racket/src/read.c
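Review bot: The recursive call `ne = read_module(SCHEME_CAR(e));` on the line right after the new pair check never tests its result, so if `return_NULL()` yields NULL as its name suggests, a rejected nested module is consed into `nve` as a NULL element instead of propagating the failure outward. Adding `if (!ne) return_NULL();` directly after the call keeps the new structural check from being undone by the element it guards. read_module's body starts and ends outside this hunk, so a later check on the list contents may exist that I cannot see.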
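Review bot: The new upper bound on `cnt` assumes the value was a fixnum, but `cnt = SCHEME_INT_VAL(SCHEME_CAR(obj));` two lines above reads it with no type check, so a bytecode file carrying a bignum or any other object in that position yields an arbitrary integer that the range check then judges; the hunk at 1499/1500 has the same pattern. A guard such as `if (!SCHEME_INTP(SCHEME_CAR(obj))) return_NULL();` before each of those assignments closes the gap, and whether `obj` itself is verified to be a pair before the `SCHEME_CAR` here is decided above this hunk, which I cannot see. The loop that fills `exp_infos` continues outside the hunk.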
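Review bot: The limit 1000 is now a bare literal in two places (here and in the hunk at 1484/1485) with nothing tying them together or saying what it bounds. A file-scope named constant, for example `enum { READ_MODULE_MAX_COUNT = 1000 }; /* sanity cap on counts read from bytecode */` (name constructed here), used in both checks would keep the two limits from drifting apart and record that the bound is a defensive cap on input rather than a property of the data format. The `while (cnt--)` loop that follows continues outside the hunk.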
@@ -5106,8 +5106,13 @@ static void read_module_directory(Scheme_Object *port, Scheme_Hash_Table *ht, in "read (compiled): multi-module directory tree is imbalanced"); len = read_simple_number_from_port(port); + if (len < 0) + scheme_read_err(port, NULL, -1, -1, -1, -1, 0, NULL, + "read (compiled): directory module name read failed"); + s = scheme_malloc_atomic(len + 1); got = scheme_get_bytes(port, len, s, 0); + if (got != len) v = NULL; else {