id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	difficulty
1216	string-ref specialization elides range check	Moritz Heidkamp		"The {{{types.db}}} entry for {{{string-ref}}} currently looks like this:

{{{
(string-ref (#(procedure #:clean #:enforce) string-ref (string fixnum) char)
	    ((string fixnum) (##core#inline ""C_subchar"" #(1) #(2))))
}}}

However, unlike {{{C_subchar}}}, the unspecialized version of {{{string-ref}}} (which is really {{{C_i_string_ref}}}) doesn't just check its argument type but also whether the {{{fixnum}}} argument is within range of the {{{string}}} argument. Thus, the specialization may result in buffer overruns, posing a potential vulnerability."	defect	closed	critical	4.11.0	scrutinizer	4.10.x	fixed			
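The following C program is an added illustration of the failure mode the ticket describes; it is not CHICKEN's own code. `subchar_unchecked` stands in for the `C_subchar` inline that the specialization emits and `string_ref_checked` for the generic `C_i_string_ref` path; both names, the memory layout and the sample bytes are constructed for this example, and a CHICKEN fixnum (a tagged value) is modelled as a plain `long`.

```c
/* Added example (not CHICKEN's code): a minimal C model of the two string-ref
 * paths named in the ticket. subchar_unchecked stands in for the C_subchar
 * inline the specialization emits; string_ref_checked stands in for the
 * generic C_i_string_ref path. Names, layout and the sample bytes are
 * constructed for illustration; CHICKEN's real fixnums are tagged values,
 * modelled here as a plain long. */
#include <stdio.h>
#include <stddef.h>

/* Constructed memory image: a 4-byte "string" followed by unrelated bytes
 * that happen to sit next to it in memory. Keeping everything inside one
 * array keeps the out-of-range read well-defined for demonstration purposes
 * while still being outside the string's own bounds. */
static const char ARENA[16] = "abcdSECRET";
#define STR_LEN 4

/* Specialized path: trusts that idx is in range and indexes directly. */
static int subchar_unchecked(const char *data, long idx)
{
    return (unsigned char)data[idx];
}

/* Generic path: rejects anything outside 0 <= idx < len before indexing.
 * Returns -1 for a rejected index so callers can tell the cases apart. */
static int string_ref_checked(const char *data, size_t len, long idx)
{
    if (idx < 0 || (size_t)idx >= len)
        return -1;
    return (unsigned char)data[idx];
}

/* Count how many of the given indices the checked path rejects. */
static int count_rejected(const long *idxs, size_t n)
{
    int rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (string_ref_checked(ARENA, STR_LEN, idxs[i]) < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed probes: two in range, two past the end, one negative. */
    const long probes[] = { 0, 3, 4, 9, -1 };
    size_t n = sizeof probes / sizeof probes[0];

    for (size_t i = 0; i < n; i++) {
        long idx = probes[i];
        int checked = string_ref_checked(ARENA, STR_LEN, idx);
        if (checked < 0)
            printf("idx %2ld: checked path rejects it", idx);
        else
            printf("idx %2ld: checked path returns '%c'", idx, checked);
        /* Only perform the unchecked read where this model keeps it inside ARENA. */
        if (idx >= 0 && idx < (long)sizeof ARENA)
            printf(", unchecked path returns '%c'\n", subchar_unchecked(ARENA, idx));
        else
            printf(", unchecked path would read before the buffer\n");
    }
    printf("rejected %d of %zu probes\n", count_rejected(probes, n), n);
    return 0;
}
```

Indices 4 and 9 are past the end of the 4-byte string, yet the unchecked path happily returns the neighbouring bytes, which is exactly the overrun the ticket warns about; the checked path rejects them and the negative index alike. Any `types.db` specialization that replaces a checking primitive with a non-checking inline needs the same range condition folded into its guard, or the specialization must be dropped.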
