From 7e0550b7eb4f9a31954b4e47e6f8097c99022cd7 Mon Sep 17 00:00:00 2001
From: Kaz Kylheku
Date: Wed, 28 Oct 2015 06:42:42 -0700
Subject: Bugfix: harden hash-next, since it is exposed.

The C code doesn't call hash_next once it returns nil, so it doesn't matter that doing so will dereference a null pointer. But hash_next is now exposed as the Lisp function hash-next.

* hash.c (hash_next): If the hash table in the iterator is nil, then return nil, avoiding the dereference of a null pointer.
---
 hash.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hash.c b/hash.c
index d6092efa..380a4615 100644
--- a/hash.c
+++ b/hash.c
@@ -703,7 +703,10 @@ val hash_next(val iter)
 {
 struct hash_iter *hi = coerce(struct hash_iter *, cobj_handle(iter, hash_iter_s));
 val hash = hi->hash;
- struct hash *h = coerce(struct hash *, hash->co.handle);
+ struct hash *h = hash ? coerce(struct hash *, hash->co.handle) : 0;
+
+ if (!h)
+ return nil;
 if (hi->cons)
 hi->cons = cdr(hi->cons);
 while (nilp(hi->cons)) {
--
cgit v1.2.3
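Review bot: The added guard in hash_next tests the derived pointer `h` rather than the condition the commit message names (the iterator's hash table being nil), so a non-nil `hash` whose handle is null would also be reported silently as end of iteration. Testing the value itself, `if (nilp(hash))` in place of `if (!h)`, states the intent and matches the `nilp(hi->cons)` test a few lines below; the ternary in the declaration can stay if the file keeps declarations ahead of statements. The guard only protects script callers if the exhaustion path actually clears `hi->hash`, which presumably happens in the loop body outside this hunk and is worth confirming. A short comment above the check, such as `/* hi->hash is nil once iteration is exhausted; hash-next is callable from Lisp, so repeated calls must be safe */`, would record why the check exists.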