From 4495d00bf9a8e49e139dba43a6e6ae6c80511778 Mon Sep 17 00:00:00 2001
From: Alex Shinn <ashinn@users.noreply.github.com>
Date: Fri, 20 Jun 2014 19:14:51 +0900
Subject: [PATCH] Fixing potential stack corruption in n-ary numeric
 inequalities.

---
 tests/r7rs-tests.scm | 1 +
 vm.c                 | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/tests/r7rs-tests.scm b/tests/r7rs-tests.scm
index 0f5477dd..2130031b 100644
--- a/tests/r7rs-tests.scm
+++ b/tests/r7rs-tests.scm
@@ -611,6 +611,7 @@
 (test #f (<= 1 2 1))
 (test #t (>= 2 1 1))
 (test #f (>= 1 2 1))
+(test '(#t #f) (list (<= 1 1 2) (<= 2 1 3)))
 
 ;; From R7RS 6.2.6 Numerical operations:
 ;;
diff --git a/vm.c b/vm.c
index d573c8b8..cd06ce42 100644
--- a/vm.c
+++ b/vm.c
@@ -359,6 +359,8 @@ static void generate_opcode_app (sexp ctx, sexp app) {
       sexp_emit(ctx, sexp_opcode_code(op));
     break;
   case SEXP_OPC_ARITHMETIC_CMP:
+    /* With [<true-value>, x] on the stack, and x boolean, */
+    /* AND is equivalent to ROT+DROP.  Note one AND for every STACK_REF. */
     if (num_args > 2) {
       sexp_emit(ctx, SEXP_OP_STACK_REF);
       sexp_emit_word(ctx, 2);
@@ -375,6 +377,7 @@ static void generate_opcode_app (sexp ctx, sexp app) {
         sexp_emit(ctx, SEXP_OP_AND);
         sexp_emit(ctx, SEXP_OP_AND);
       }
+      sexp_emit(ctx, SEXP_OP_AND);
     } else
       sexp_emit(ctx, sexp_opcode_code(op));
     break;