From 134b0f8bcfadd9d4ae051d665f30c3227fae1c75 Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@cs.stanford.edu>
Date: Mon, 4 Oct 2021 23:14:32 -0700
Subject: [PATCH] segment: Fix 1-byte read past initialized data when file ends
 in CR.

Fixes bug #61253.
Thanks to Irfan Ariq for reporting this bug.
---
 src/language/lexer/segment.c    |  2 +-
 tests/language/lexer/segment.at | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/language/lexer/segment.c b/src/language/lexer/segment.c
index 519f6ec9f2..4a6fefb4c2 100644
--- a/src/language/lexer/segment.c
+++ b/src/language/lexer/segment.c
@@ -1042,7 +1042,7 @@ segmenter_parse_mid_command__ (struct segmenter *s,
           if (ofs < 0)
             return -1;
 
-          if (input[ofs - 1] == '\r' && input[ofs] == '\n')
+          if (ofs < n && input[ofs - 1] == '\r' && input[ofs] == '\n')
             {
               if (ofs == 1)
                 {
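Review bot: The added `ofs < n` guard covers the read of `input[ofs]`, but the same condition still reads `input[ofs - 1]`, and the visible lines only establish `ofs >= 0` through the `if (ofs < 0) return -1;` check. If the call that produces `ofs` (above this hunk, not visible here) always returns at least 1, that is fine, but the invariant should be written down next to the index, for example `assert (ofs > 0);` or a one-line comment. It would also help to record why the upper bound is needed, e.g. `/* When the input ends in whitespace OFS can equal N, so input[ofs] is not readable. */`, since the fix is otherwise easy to drop in a later cleanup. The enclosing function starts and ends outside the hunk.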
diff --git a/tests/language/lexer/segment.at b/tests/language/lexer/segment.at
index 78ad1e99eb..abbc08c8cd 100644
--- a/tests/language/lexer/segment.at
+++ b/tests/language/lexer/segment.at
@@ -1643,3 +1643,16 @@ end
 ])
 PSPP_CHECK_SEGMENT([-a])
 AT_CLEANUP
+
+# This checks for regression against bug #61253.  To see the read of
+# uninitialized data, run with valgrind.  The test will pass either
+# way.  (The bug report has a more complicated crashing case.)
+AT_SETUP([input ends in carriage return])
+printf '\r' > input
+AT_DATA([expout-base], [dnl
+separate_commands
+spaces          \r
+end
+])
+PSPP_CHECK_SEGMENT
+AT_CLEANUP
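Review bot: This test cannot fail on a regression of the over-read in a plain run, as its own comment says, so it only protects the fix where the suite is run under valgrind or an AddressSanitizer build. I would make that dependency explicit in the comment, e.g. `# Only meaningful under valgrind or a sanitizer build; a plain run cannot detect the regression.`, and confirm that a memory-checked run of the test suite is part of the regular checks. The comment also mentions a more complicated crashing input in the bug report. Adding that input as a second case would give a failure that is visible without instrumentation, assuming it reproduces deterministically.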
-- 
2.30.2