1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix use-after-free on USE_EMBED_CI=0

Browse Source 
The old code didn't keep old_operands[0] reachable while allocating. You
can crash it by requiring erb under GC stress mode.
This commit is contained in:
Alan Wu 2021-07-19 20:25:18 -04:00
parent a0bb731f4f
commit 736eb29a3c
1 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
compile.c
View File

@ -3452,16 +3452,20 @@ iseq_peephole_optimize(rb_iseq_t *iseq, LINK_ELEMENT *list, const int do_tailcal
static int static int
insn_set_specialized_instruction(rb_iseq_t *iseq, INSN *iobj, int insn_id) insn_set_specialized_instruction(rb_iseq_t *iseq, INSN *iobj, int insn_id)
{ {
iobj->insn_id = insn_id;
iobj->operand_size = insn_len(insn_id) - 1;
iobj->insn_info.events |= RUBY_EVENT_C_CALL | RUBY_EVENT_C_RETURN;
if (insn_id == BIN(opt_neq)) { if (insn_id == BIN(opt_neq)) {
// Be careful to not write to iobj before allocating so the old operand stays alive.
VALUE original_ci = iobj->operands[0]; VALUE original_ci = iobj->operands[0];
VALUE *new_operands = compile_data_calloc2(iseq, 2, sizeof(VALUE));
new_operands[0] = (VALUE)new_callinfo(iseq, idEq, 1, 0, NULL, FALSE);
new_operands[1] = original_ci;
iobj->insn_id = insn_id;
iobj->operand_size = 2; iobj->operand_size = 2;
iobj->operands = compile_data_calloc2(iseq, iobj->operand_size, sizeof(VALUE)); iobj->operands = new_operands;
iobj->operands[0] = (VALUE)new_callinfo(iseq, idEq, 1, 0, NULL, FALSE); }
iobj->operands[1] = original_ci; else {
iobj->insn_id = insn_id;
iobj->operand_size = insn_len(insn_id) - 1;
} }
return COMPILE_OK; return COMPILE_OK;