ruby-changes:52645
From: ko1 <ko1@a...>
Date: Thu, 27 Sep 2018 01:51:15 +0900 (JST)
Subject: [ruby-changes:52645] ko1:r64857 (trunk): fix use-after-free in obj_free.
ko1 2018-09-27 01:51:09 +0900 (Thu, 27 Sep 2018) New Revision: 64857 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=64857 Log: fix use-after-free in obj_free. * gc.c (obj_free): a table can be accessed for debug counters. [Bug #15165] [Fix GH-1964] A patch from Joe Truba <jtruba@m...> Also check USE_DEBUG_COUNTER macro. Modified files: trunk/gc.c Index: gc.c =================================================================== --- gc.c (revision 64856) +++ gc.c (revision 64857) @@ -2261,8 +2261,7 @@ obj_free(rb_objspace_t *objspace, VALUE https://github.com/ruby/ruby/blob/trunk/gc.c#L2261 break; case T_HASH: if (RANY(obj)->as.hash.ntbl) { - st_free_table(RANY(obj)->as.hash.ntbl); - +#if USE_DEBUG_COUNTER if (RHASH_SIZE(obj) >= 8) { RB_DEBUG_COUNTER_INC(obj_hash_ge8); } @@ -2272,6 +2271,8 @@ obj_free(rb_objspace_t *objspace, VALUE https://github.com/ruby/ruby/blob/trunk/gc.c#L2271 else { RB_DEBUG_COUNTER_INC(obj_hash_under4); } +#endif + st_free_table(RANY(obj)->as.hash.ntbl); } else { RB_DEBUG_COUNTER_INC(obj_hash_empty); -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
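Review bot: In the first hunk (gc.c @@ -2261), nothing at the new `#if USE_DEBUG_COUNTER` line records why the counter block now has to run before the table is released. The log message says the table can be accessed for the debug counters, which is the `RHASH_SIZE(obj)` test in this block, so a one-line comment above the `#if` stating that the size check reads `ntbl` and must precede `st_free_table` would keep a later cleanup from moving the free back to the top of the branch and reintroducing the use-after-free.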
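Review bot: In the second hunk (gc.c @@ -2272), the `#endif` closes a guard that covers only the size-bucket counters, while the `RB_DEBUG_COUNTER_INC(obj_hash_empty)` in the `else` branch just below stays outside any `#if USE_DEBUG_COUNTER`. If the guard exists only to skip the `RHASH_SIZE(obj)` evaluation when counters are disabled, a short comment saying so would explain the asymmetry; otherwise guard both counter sites the same way. It is also worth confirming that `USE_DEBUG_COUNTER` is always defined to 0 or 1 wherever gc.c is built, since `#if` on an undefined macro silently evaluates to 0.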