From: Ben Pfaff Date: Tue, 5 Oct 2021 06:14:32 +0000 (-0700) Subject: segment: Fix 1-byte read past initialized data when file ends in CR. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?p=pspp;a=commitdiff_plain;h=134b0f8bcfadd9d4ae051d665f30c3227fae1c75 segment: Fix 1-byte read past initialized data when file ends in CR. Fixes bug #61253. Thanks to Irfan Ariq for reporting this bug. --- diff --git a/src/language/lexer/segment.c b/src/language/lexer/segment.c index 519f6ec9f2..4a6fefb4c2 100644 --- a/src/language/lexer/segment.c +++ b/src/language/lexer/segment.c @@ -1042,7 +1042,7 @@ segmenter_parse_mid_command__ (struct segmenter *s, if (ofs < 0) return -1; - if (input[ofs - 1] == '\r' && input[ofs] == '\n') + if (ofs < n && input[ofs - 1] == '\r' && input[ofs] == '\n') { if (ofs == 1) { diff --git a/tests/language/lexer/segment.at b/tests/language/lexer/segment.at index 78ad1e99eb..abbc08c8cd 100644 --- a/tests/language/lexer/segment.at +++ b/tests/language/lexer/segment.at @@ -1643,3 +1643,16 @@ end ]) PSPP_CHECK_SEGMENT([-a]) AT_CLEANUP + +# This checks for regression against bug #61253. To see the read of +# uninitialized data, run with valgrind. The test will pass either +# way. (The bug report has a more complicated crashing case.) +AT_SETUP([input ends in carriage return]) +printf '\r' > input +AT_DATA([expout-base], [dnl +separate_commands +spaces \r +end +]) +PSPP_CHECK_SEGMENT +AT_CLEANUP
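Review bot: The added `ofs < n` guard in segmenter_parse_mid_command__ only covers the `input[ofs]` read; `input[ofs - 1]` still assumes `ofs >= 1`, while the only preceding check visible in the hunk is `if (ofs < 0) return -1;`, which lets `ofs == 0` through to an `input[-1]` read. If `ofs >= 1` is an invariant at this point (the later `if (ofs == 1)` branch hints that 1 is the smallest expected value), a short comment stating so would make the bound reasoning self-evident; otherwise tighten the condition to `if (ofs > 0 && ofs < n && input[ofs - 1] == '\r' && input[ofs] == '\n')` so both indices are range-checked before any dereference. The `&&` ordering is correct as written, since the length test short-circuits before either array access.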
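Review bot: The new `input ends in carriage return` test in segment.at documents that it passes with or without the fix and only exposes the over-read under valgrind, so on its own it cannot fail a plain `make check` if the bug regresses. Since the comment says the bug report contains a crashing variant, consider adding that input as a second AT_SETUP case (or as a second `printf` here) so the regression is caught without a memory checker; failing that, a note in the comment naming the valgrind invocation used to confirm the read would help the next person who has to re-verify it.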