commit 3a15b29109f5a7269f68189261d4e68664b8b63e
Author: Peter Bex <peter@more-magic.net>
AuthorDate: Thu Sep 10 20:45:33 2015 +0200
Commit: Peter Bex <peter@more-magic.net>
CommitDate: Thu Sep 10 20:45:33 2015 +0200

Fix unsafe specializations in types.db

This patch fixes some specializations in types.db which could lead to unsafe code. In all cases, the specialized versions did not only elide runtime type checks but also range checks for their arguments. For example, `string-ref' could have been specialized so that it would allow for an index pointing past the end of the string to be passed.

Fixes #1216.

Signed-off-by: Peter Bex <peter@more-magic.net>

Conflicts:
	types.db

diff --git a/NEWS b/NEWS
index 4357b6dc..fc7c0c6c 100644
--- a/NEWS
+++ b/NEWS
@@ -29,6 +29,11 @@ 4.10.2
+- Security fixes
+ - Specialisation rules for string-{ref,set!}, bit-set?
+ and move-memory no longer use unchecked C functions which could
+ result in undefined behaviour, including buffer overruns (#1216).
+
 - Platform support
 - CHICKEN now supports the Linux X32 ABI (thanks to Sven Hartrumpf).
diff --git a/types.db b/types.db
index b169722e..050824a9 100644
--- a/types.db
+++ b/types.db
@@ -664,10 +664,10 @@
 ((string) (##sys#size #(1))))
 (string-ref (#(procedure #:clean #:enforce #:foldable) string-ref (string fixnum) char)
- ((string fixnum) (##core#inline "C_subchar" #(1) #(2))))
+ ((string fixnum) (##core#inline "C_i_string_ref" #(1) #(2))))
 (string-set! (#(procedure #:enforce) string-set! (string fixnum char) undefined)
- ((string fixnum char) (##core#inline "C_setsubchar" #(1) #(2) #(3))))
+ ((string fixnum char) (##core#inline "C_i_string_set" #(1) #(2) #(3))))
 (string-append (#(procedure #:clean #:enforce) string-append (#!rest string) string)
 ((string string) (##sys#string-append #(1) #(2))))
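Review bot: The new string-ref and string-set! rules swap C_subchar/C_setsubchar for C_i_string_ref/C_i_string_set without any comment saying why the checked inline is required, so the rules read like an ordinary inlining choice and a later "optimisation" could reintroduce the unchecked form. I would add a comment above the string-ref entry: `;; Use the checked C_i_* inlines here: C_subchar/C_setsubchar skip the index range check (#1216).` string-ref also stays marked `#:foldable`; it is worth confirming that constant-folding a call with a literal out-of-range index still goes through the range check rather than a compile-time shortcut, since this hunk does not show how folding is implemented.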
@@ -1685,19 +1685,7 @@
 (chicken.lolevel#make-record-instance (#(procedure #:clean) chicken.lolevel#make-record-instance (symbol #!rest) *))
 (chicken.lolevel#make-weak-locative (#(procedure #:clean #:enforce) chicken.lolevel#make-weak-locative (* #!optional fixnum) locative))
-(chicken.lolevel#move-memory! (#(procedure #:enforce) chicken.lolevel#move-memory! (* * #!optional fixnum fixnum fixnum) *)
- ((pointer pointer fixnum)
- (##core#inline "C_copy_ptr_memory" #(2) #(1) #(3) '0 '0))
- ((pointer pointer fixnum fixnum)
- (##core#inline "C_copy_ptr_memory" #(2) #(1) #(3) '0 #(4)))
- ((pointer pointer fixnum fixnum fixnum)
- (##core#inline "C_copy_ptr_memory" #(2) #(1) #(3) #(5) #(4)))
- ((locative locative fixnum)
- (##core#inline "C_copy_ptr_memory" #(2) #(1) #(3) '0 '0))
- ((locative locative fixnum fixnum)
- (##core#inline "C_copy_ptr_memory" #(2) #(1) #(3) '0 #(4)))
- ((locative locative fixnum fixnum fixnum)
- (##core#inline "C_copy_ptr_memory" #(2) #(1) #(3) #(5) #(4))))
+(chicken.lolevel#move-memory! (#(procedure #:enforce) chicken.lolevel#move-memory! (* * #!optional fixnum fixnum fixnum) *))
 (chicken.lolevel#mutate-procedure! (#(procedure #:enforce) chicken.lolevel#mutate-procedure! (procedure (procedure (procedure) . *)) procedure))
Trap
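Review bot: The move-memory! entry now keeps only its type signature, and nothing in the hunk records why every C_copy_ptr_memory specialisation was dropped, so a contributor chasing the lost inlining could put the rules back. A comment above the entry would preserve the rationale: `;; No specialisation: the unchecked C_copy_ptr_memory inline elides the length/offset range checks (#1216).` The commit message and the NEWS entry also list bit-set? among the repaired rules, but no bit-set? hunk appears in this part of the diff; if it is not in a portion not shown here, that change is missing from the patch.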