From 3ed337ec4642603b1ab7fad7566a7f0d3f274fe8 Mon Sep 17 00:00:00 2001
From: Alexandre Duret-Lutz <adl@lrde.epita.fr>
Date: Tue, 22 Mar 2022 12:18:25 +0100
Subject: [PATCH] graph: fix invalid read

Reported by Florian Renkin.

* spot/graph/graph.hh (sort_edges_of): Fix invalid read when sorting a
state without successor.  Seen on core/tgbagraph.test.
---
 spot/graph/graph.hh | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/spot/graph/graph.hh b/spot/graph/graph.hh
index 75e0977b7..fa276131d 100644
--- a/spot/graph/graph.hh
+++ b/spot/graph/graph.hh
@@ -1,5 +1,5 @@
 // -*- coding: utf-8 -*-
-// Copyright (C) 2014-2018, 2020, 2021 Laboratoire de Recherche et
+// Copyright (C) 2014-2018, 2020-2022 Laboratoire de Recherche et
 // Développement de l'Epita.
 //
 // This file is part of Spot, a model checking library.
@@ -1243,14 +1243,19 @@ namespace spot
       //dump_storage(std::cerr);
       auto pi = [&](unsigned t1, unsigned t2)
           {return p(edges_[t1], edges_[t2]); };
+
+      // Sort the outgoing edges of each selected state according
+      // to predicate p.  Do that in place.
       std::vector<unsigned> sort_idx_;
-      for (unsigned i = 0; i < num_states(); ++i)
+      unsigned ns = num_states();
+      for (unsigned i = 0; i < ns; ++i)
         {
           if (to_sort_ptr && !(*to_sort_ptr)[i])
             continue;
-
-          sort_idx_.clear();
           unsigned t = states_[i].succ;
+          if (t == 0)
+            continue;
+          sort_idx_.clear();
           do
             {
                sort_idx_.push_back(t);