Fix two crash conditions Ampere found. These are just temporary

patches; my private version has rewritten both of these functions
(ironically fixing these bugs in the process) to handle negative
offsets meaning "from the end".

diff --git a/simgear/nasal/code.c b/simgear/nasal/code.c
index c7dd68ee5a28b66004f1dbef2312ed9bdd278791..be7b103fba60e661031f37a713fcbbf87a5204ab 100644 (file)
--- a/simgear/nasal/code.c
+++ b/simgear/nasal/code.c
@@ -64,7 +64,7 @@ static naRef stringify(struct Context* ctx, naRef r)
 static int checkVec(struct Context* ctx, naRef vec, naRef idx)
 {
     int i = (int)numify(ctx, idx);
-    if(i < 0 || i >= vec.ref.ptr.vec->rec->size)
+    if(i < 0 || !vec.ref.ptr.vec->rec || i >= vec.ref.ptr.vec->rec->size)
         ERR(ctx, "vector index out of bounds");
     return i;
 }

diff --git a/simgear/nasal/lib.c b/simgear/nasal/lib.c
index 04d7bd644d3b5fd432bf3fc015aaa3df9a5e4c29..2a3fc70d5b45a3b01cef88b9d14668b1cc81bc5d 100644 (file)
--- a/simgear/nasal/lib.c
+++ b/simgear/nasal/lib.c
@@ -115,6 +115,7 @@ static naRef substr(naContext c, naRef me, int argc, naRef* args)
     start = (int)startR.num;
     if(naIsNil(lenR)) {
         len = naStr_len(src) - start;
+        if(len < 0) return naNil();
     } else {
         lenR = naNumValue(lenR);
         if(naIsNil(lenR)) return naNil();