~ chicken-core (chicken-5) 075e58335f5c0a054b8f01f32de424b383a792f0
commit 075e58335f5c0a054b8f01f32de424b383a792f0
Author: Peter Bex <peter@more-magic.net>
AuthorDate: Sun May 28 12:37:44 2017 +0200
Commit: Evan Hanson <evhan@foldling.org>
CommitDate: Wed May 31 16:45:20 2017 +1200
Fix segmentation fault in "length" on improper lists.
This fixes #1375.
Signed-off-by: Evan Hanson <evhan@foldling.org>
diff --git a/NEWS b/NEWS
index 7e395acc..0207d1f4 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@
- CVE-2017-6949: Remove unchecked malloc() call in SRFI-4 constructors
when allocating in non-GC memory, resulting in potential 1-word
buffer overrun and/or segfault (thanks to Lemonboy).
+ - `length' no longer crashes on improper lists (fixes #1375, thanks to
+ "megane").
- Core Libraries
- Unit "posix": If file-lock, file-lock/blocking or file-unlock are
diff --git a/runtime.c b/runtime.c
index 86db413d..7a513c2e 100644
--- a/runtime.c
+++ b/runtime.c
@@ -5379,7 +5379,7 @@ C_regparm C_word C_fcall C_i_length(C_word lst)
}
}
- if(C_immediatep(slow) || C_block_header(lst) != C_PAIR_TAG)
+ if(C_immediatep(slow) || C_block_header(slow) != C_PAIR_TAG)
barf(C_NOT_A_PROPER_LIST_ERROR, "length", lst);
slow = C_u_i_cdr(slow);
diff --git a/tests/library-tests.scm b/tests/library-tests.scm
index cd2f6e96..b18fe7db 100644
--- a/tests/library-tests.scm
+++ b/tests/library-tests.scm
@@ -693,3 +693,8 @@ A
(assert (not (member "foo" '("bar"))))
(assert (not (member "foo" '())))
(assert-fail (member "foo" "foo"))
+
+;; length
+
+(assert-fail (length 1))
+(assert-fail (length '(x . y)))
Trap