From 533d630db3f5bd01ca42eb4d4a9a408d181b0de2 Mon Sep 17 00:00:00 2001
From: Ivica Ico Bukvic <ico@vt.edu>
Date: Tue, 4 Mar 2014 23:48:51 -0500
Subject: [PATCH] *fixed segfault (affects all flavors) where creating an expr
 object with more than MAX_VARS variables (currently set to 9) crashed pd when
 freeing the object. Example: create [expr 1;2;3;4;5;6;7;8;9;10] as opposed to
 [expr 1;2;3;4;5;6;7;8;9]. Former crashes when being freed (destroyed), while
 latter doesn't.

---
 pd/extra/expr~/vexp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pd/extra/expr~/vexp.c b/pd/extra/expr~/vexp.c
index f1cd483aa..45380ff97 100644
--- a/pd/extra/expr~/vexp.c
+++ b/pd/extra/expr~/vexp.c
@@ -265,6 +265,11 @@ expr_donew(struct expr *expr, int ac, t_atom *av)
                   (struct ex_ex *)fts_malloc(max_node * sizeof (struct ex_ex));
                 expr->exp_nexpr++;
                 ret = ex_match(list, (long)0);
+                if (expr->exp_nexpr > MAX_VARS) // we cannot exceed the number of max vars (arbitrarily set to 9 in vexp.h)
+                {
+                        post_error((fts_object_t *) expr, "expr: too many variables (maximum %d allowed)", MAX_VARS);
+                        goto error;   
+                }
                 if (!ret)               /* syntax error */
                         goto error;
                 ret = ex_parse(expr,
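Review bot: The added check `if (expr->exp_nexpr > MAX_VARS)` runs only after the `fts_malloc` result has been stored and `exp_nexpr` incremented, so the first expression past the limit has already been stored by the time it is rejected. The assignment target is above the hunk; if it is a slot indexed by `exp_nexpr` in an array of MAX_VARS entries, that store is a one-element out-of-bounds write, and the `error` path then runs with a count of MAX_VARS + 1. Testing `if (expr->exp_nexpr >= MAX_VARS)` before the allocation would reject the extra expression without touching the array or leaving an over-limit count for the cleanup code. No NULL check on the `fts_malloc` result is visible between the allocation and the increment either. expr_donew's body starts and ends outside the hunk.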
-- 
GitLab