~ chicken-core (chicken-5) a8b114660f5d49849e08b026817dc1900cbcc057


commit a8b114660f5d49849e08b026817dc1900cbcc057
Author:     Peter Bex <peter@more-magic.net>
AuthorDate: Sun May 28 12:37:44 2017 +0200
Commit:     Evan Hanson <evhan@foldling.org>
CommitDate: Wed May 31 16:45:18 2017 +1200

    Fix segmentation fault in "length" on improper lists.
    
    This fixes #1375.
    
    Signed-off-by: Evan Hanson <evhan@foldling.org>

diff --git a/NEWS b/NEWS
index aa626c73..9b1691f6 100644
--- a/NEWS
+++ b/NEWS
@@ -89,6 +89,8 @@
   - CVE-2017-6949: Remove unchecked malloc() call in SRFI-4 constructors
     when allocating in non-GC memory, resulting in potential 1-word
     buffer overrun and/or segfault (thanks to Lemonboy).
+  - `length' no longer crashes on improper lists (fixes #1375, thanks to
+    "megane").
 
 - Core Libraries
   - Unit "posix": If file-lock, file-lock/blocking or file-unlock are
diff --git a/runtime.c b/runtime.c
index 1bade1c1..9e969b79 100644
--- a/runtime.c
+++ b/runtime.c
@@ -5690,7 +5690,7 @@ C_regparm C_word C_fcall C_i_length(C_word lst)
       }
     }
 
-    if(C_immediatep(slow) || C_block_header(lst) != C_PAIR_TAG)
+    if(C_immediatep(slow) || C_block_header(slow) != C_PAIR_TAG)
       barf(C_NOT_A_PROPER_LIST_ERROR, "length", lst);
 
     slow = C_u_i_cdr(slow);
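Review bot: The corrected guard `C_block_header(slow) != C_PAIR_TAG` is what makes the unchecked `C_u_i_cdr(slow)` on the following line safe, and that dependency deserves a comment, since the previous form with `lst` passed review. `lst` is the already-validated head, so the old test could not fail for a tail ending in a non-pair block object, and `C_u_i_cdr` then read the cdr field of an object that was never a pair — consistent with the crash the commit message describes. I would add `/* slow must be a pair here: C_u_i_cdr() below performs no tag check */` above the `if`. Passing `lst` rather than `slow` to `barf` is fine, since the user-facing error should name the list that was handed in. C_i_length begins before this hunk, so whatever checks the fast pointer receives earlier in the loop are not visible here.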
diff --git a/tests/library-tests.scm b/tests/library-tests.scm
index 81a2f242..1e33adcb 100644
--- a/tests/library-tests.scm
+++ b/tests/library-tests.scm
@@ -706,3 +706,8 @@ A
 (assert (not (member "foo" '("bar"))))
 (assert (not (member "foo" '())))
 (assert-fail (member "foo" "foo"))
+
+;; length
+
+(assert-fail (length 1))
+(assert-fail (length '(x . y)))
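Review bot: Both new cases end the list at or immediately after the head, so the test alone does not show that the slow-pointer check in C_i_length — the one corrected in the runtime.c hunk — is reached before the fast pointer hits the terminator. On the assumption that the loop is a fast/slow traversal, a longer improper list such as `(assert-fail (length '(a b c d . e)))` plus one with an immediate tail `(assert-fail (length '(a b c d . 5)))` would exercise the slow pointer arriving at a non-pair tail as well. A positive case like `(assert (= 3 (length '(1 2 3))))` would also pin that proper lists are unaffected, if the file does not already have one.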