From 0cbf1af59cd18c389443d777db6f7e88f8522e52 Mon Sep 17 00:00:00 2001
From: Kaz Kylheku <kaz@kylheku.com>
Date: Fri, 12 May 2023 19:54:47 -0700
Subject: fix crash if built-in variable is unbound.

We use lookup_var_l in many places to look up the current
dynamic value of a built-in variable such as *stdout*.
Those places assume that a a valid location is returned
which can be subject to a deref. If the application calls
makunbound to remove such a variable, that deref will
crash due to a null pointer dereference.

Possible repro steps are numerous, possible for many variables.
One example:

  (makunbound '*stdout*)
  (put-line)

* eval.c (lookukp_var_l): If the binding is not found, do
not return a nulloc, but throw an error exception.
---
 eval.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/eval.c b/eval.c
index ca9fe25d..0e247fda 100644
--- a/eval.c
+++ b/eval.c
@@ -588,7 +588,9 @@ val lookup_sym_lisp1(val env, val sym)
 loc lookup_var_l(val env, val sym)
 {
   val binding = lookup_var(env, sym);
-  return if3(binding, cdr_l(binding), nulloc);
+  if (binding)
+    return cdr_l(binding);
+  uw_throwf(error_s, lit("variable ~s unexpectedly unbound"), sym, nao);
 }
 
 static val lookup_mac(val menv, val sym);
-- 
cgit v1.2.3