ATRONIX: by Shixin Zeng - Do not increase tail before extension

Oldes · Oldes · commit 9e2f7ad015f9 · 2017-11-03T10:36:06.000+01:00
It will confuse Expand_Series expects "tail" to be the actual size, and
cause a read beyond the allocated memory, or heap buffer overflow found
by address sanitizer of GCC:
=================================================================
==10856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b201 at pc 0x47df61 bp 0x7fffffff2ca0 sp 0x7fffffff2c98
READ of size 1 at 0x62a00000b201 thread T0
    0 0x47df60 in Expand_Series ../src/core/m-series.c:145
    1 0x47e5a7 in Extend_Series ../src/core/m-series.c:187
...
diff --git a/src/core/l-scan.c b/src/core/l-scan.c
@@ -459,7 +459,9 @@
 
 		*UNI_SKIP(buf, buf->tail) = chr;
 
-		if (++(buf->tail) >= SERIES_REST(buf)) Extend_Series(buf, 1);
+		if (SERIES_LEN(buf) >= SERIES_REST(buf)) Extend_Series(buf, 1);
+
+		buf->tail ++;
     }
 
 	src++; // Skip ending quote or brace.

Original file line number	Diff line number	Diff line change
`@@ -459,7 +459,9 @@`
`459`	`459`
`460`	`460`	`*UNI_SKIP(buf, buf->tail) = chr;`
`461`	`461`
`462`		`- if (++(buf->tail) >= SERIES_REST(buf)) Extend_Series(buf, 1);`
	`462`	`+ if (SERIES_LEN(buf) >= SERIES_REST(buf)) Extend_Series(buf, 1);`
	`463`	`+`
	`464`	`+ buf->tail ++;`
`463`	`465`	`}`
`464`	`466`
`465`	`467`	`src++; // Skip ending quote or brace.`