From d4f67ae2d941876f898b6d999f068084345c9141 Mon Sep 17 00:00:00 2001
From: LemonBoy
Date: Fri, 10 Mar 2017 16:29:47 +0100
Subject: [PATCH] Add bounds checking to the external vector allocations

Do what C_allocate_vector already does and prevent the creation of a vector that's too big or too small.

We should be very careful to avoid the latter case because the allocation size is directly fed into `malloc' as 'x + sizeof(C_header)', thus making it possible to successfully allocate a vector smaller than the C_header structure and get C_block_header_init to write over uninitialized memory.
---
 srfi-4.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srfi-4.scm b/srfi-4.scm
index d135815f..ba302ecd 100644
--- a/srfi-4.scm
+++ b/srfi-4.scm
@@ -357,6 +357,7 @@ EOF (let* ([ext-alloc (foreign-lambda* scheme-object ([int bytes]) + "if (bytes > C_HEADER_SIZE_MASK || bytes < 0) C_return(C_SCHEME_FALSE);" "C_word *buf = (C_word *)C_malloc(bytes + sizeof(C_header));" "if(buf == NULL) C_return(C_SCHEME_FALSE);" "C_block_header_init(buf, C_make_header(C_BYTEVECTOR_TYPE, bytes));"
-- 
2.12.0
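Review bot: the `bytes < 0` clause in the added line is the one doing the security work, and it deserves a comment in the hunk saying why. With `bytes` declared `int` and `sizeof(C_header)` a `size_t`, the existing `bytes + sizeof(C_header)` converts a negative `bytes` to a huge unsigned value and the addition wraps back to a small request: assuming `sizeof(C_header)` is 8, `bytes == -4` turns into `C_malloc(4)`, and `C_block_header_init` then writes the full header past the end of that block, which is a heap overwrite rather than a read of uninitialized memory. Suggest a one-line comment above the new string, e.g. `"/* negative sizes wrap in bytes + sizeof(C_header); mirror the check in C_allocate_vector */"`, and consider ordering the clauses as `if (bytes < 0 || bytes > C_HEADER_SIZE_MASK) C_return(C_SCHEME_FALSE);` so the sign test reads as the primary guard. Two smaller points: if `C_HEADER_SIZE_MASK` is an unsigned constant at least as wide as `int`, the comparison `bytes > C_HEADER_SIZE_MASK` already promotes a negative `bytes` to unsigned and rejects it, but only through the usual arithmetic conversions, so keep the explicit sign test regardless of how the mask is defined; and returning `C_SCHEME_FALSE` makes a rejected size indistinguishable from an out-of-memory `C_malloc` at the call site, which is fine if the Scheme caller already raises a generic allocation error on `#f`, but an out-of-range request is a caller bug and a distinct error would make it easier to find.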
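The wrap scenario described in the commit message, as an added C example that is not CHICKEN's code: `request_size` evaluates the same `int + sizeof(header)` expression the lambda hands to `C_malloc` and shows a negative count collapsing to a request smaller than the header, and `ext_alloc` applies the same guard the patch adds before allocating. `word_t`, `header_t`, `HEADER_SIZE_MASK` and `BYTEVECTOR_TYPE` are stand-ins whose definitions and values are assumptions for this example, not CHICKEN's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for C_word / C_header: one machine word. Assumption for this
 * example only; the real definitions live in chicken.h. */
typedef uintptr_t word_t;
typedef word_t header_t;

/* Stand-in for C_HEADER_SIZE_MASK (largest byte count the header's size
 * field can hold) and for the bytevector type tag. Both values are assumed. */
#define HEADER_SIZE_MASK ((word_t)0x00FFFFFF)
#define BYTEVECTOR_TYPE  ((word_t)1 << 28)

/* Exactly the expression the original lambda passes to C_malloc: an int added
 * to a size_t. The usual arithmetic conversions turn a negative `bytes` into a
 * huge unsigned value, and the unsigned addition then wraps to a small request. */
size_t request_size(int bytes) {
    return bytes + sizeof(header_t);
}

/* Pre-patch shape, instrumented: report whether initialising the header would
 * write past the end of a block of request_size(bytes) bytes, without doing it. */
int unchecked_header_overruns(int bytes) {
    return request_size(bytes) < sizeof(header_t);
}

/* The mask clause on its own. Because HEADER_SIZE_MASK is unsigned, a negative
 * int is converted to a huge unsigned value and rejected too, but only through
 * the implicit conversion (spelled out here as a cast); the explicit bytes < 0
 * test in the patch states the intent and does not depend on the mask's type. */
int mask_test_alone_rejects(int bytes) {
    return (word_t)bytes > HEADER_SIZE_MASK;
}

/* The guard the patch adds, as a predicate: 0 <= bytes <= HEADER_SIZE_MASK. */
int size_in_range(int bytes) {
    return !((word_t)bytes > HEADER_SIZE_MASK || bytes < 0);
}

/* Post-patch shape: header followed by `bytes` bytes of payload. Returns NULL
 * for a rejected size or an allocation failure, mirroring the C_SCHEME_FALSE
 * returns in the patched lambda. */
header_t *ext_alloc(int bytes) {
    if (!size_in_range(bytes)) return NULL;
    size_t req = request_size(bytes);           /* safe now: bytes >= 0 */
    header_t *buf = malloc(req);
    if (buf == NULL) return NULL;
    *buf = BYTEVECTOR_TYPE | (word_t)bytes;     /* stand-in for C_block_header_init + C_make_header */
    memset(buf + 1, 0, (size_t)bytes);          /* payload sits right after the header */
    return buf;
}

/* Read the byte count back out of a header produced by ext_alloc. */
size_t ext_alloc_size(const header_t *buf) {
    return (size_t)(*buf & HEADER_SIZE_MASK);
}

int main(void) {
    /* Constructed probe values: a normal size, three negative sizes, one too large. */
    int probes[] = { 16, -1, -4, -(int)sizeof(header_t), (int)HEADER_SIZE_MASK + 1 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int b = probes[i];
        printf("bytes=%d request=%zu header_overruns=%d in_range=%d\n",
               b, request_size(b), unchecked_header_overruns(b), size_in_range(b));
    }
    header_t *v = ext_alloc(16);
    if (v != NULL) {
        printf("allocated bytevector of %zu bytes\n", ext_alloc_size(v));
        free(v);
    }
    return 0;
}
```

The `-(int)sizeof(header_t)` probe is the worst case: the request wraps to exactly 0, so the unchecked code would call `malloc(0)` and then write a whole header into it. Note that `size_in_range` rejects `-1` both through the explicit sign test and through the promoted mask comparison; the patch keeps both, which is the right call since only the sign test survives if the mask's type ever changes.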