
ruby-changes:56487

From: Takashi <ko1@a...>
Date: Sun, 14 Jul 2019 21:49:20 +0900 (JST)
Subject: [ruby-changes:56487] Takashi Kokubun: d8cc41c43b (master): Fix a wrong buffer size to avoid stack corruption

https://git.ruby-lang.org/ruby.git/commit/?id=d8cc41c43b

From d8cc41c43be65dd4b17e7a6e38f5a7fdf2b247d6 Mon Sep 17 00:00:00 2001
From: Takashi Kokubun <takashikkbn@g...>
Date: Sun, 14 Jul 2019 21:48:22 +0900
Subject: Fix a wrong buffer size to avoid stack corruption

[Bug #15986]

diff --git a/mjit_worker.c b/mjit_worker.c
index 9f8a5f0..44123e2 100644
--- a/mjit_worker.c
+++ b/mjit_worker.c
@@ -1049,8 +1049,8 @@ convert_unit_to_func(struct rb_mjit_unit *unit) https://github.com/ruby/ruby/blob/trunk/mjit_worker.c#L1049
     if (FIXNUM_P(unit->iseq->body->location.first_lineno))
         // FIX2INT may fallback to rb_num2long(), which is a method call and dangerous in MJIT worker. So using only FIX2LONG.
         iseq_lineno = FIX2LONG(unit->iseq->body->location.first_lineno);
-    char *iseq_label = alloca(RSTRING_LEN(unit->iseq->body->location.label));
-    char *iseq_path  = alloca(RSTRING_LEN(rb_iseq_path(unit->iseq)));
+    char *iseq_label = alloca(RSTRING_LEN(unit->iseq->body->location.label) + 1);
+    char *iseq_path  = alloca(RSTRING_LEN(rb_iseq_path(unit->iseq)) + 1);
     strcpy(iseq_label, RSTRING_PTR(unit->iseq->body->location.label));
     strcpy(iseq_path,  RSTRING_PTR(rb_iseq_path(unit->iseq)));
 
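Review bot: the +1 on both alloca sizes is the correct fix, since strcpy writes a terminating NUL that RSTRING_LEN does not count, so the previous sizes were one byte short and the terminator landed past the end of each stack buffer. Two follow-ups worth considering for the same lines: the length is already known, so `memcpy(iseq_label, RSTRING_PTR(...), len); iseq_label[len] = '\0';` (or a bounded copy) would make the size and the copy agree by construction instead of relying on strcpy stopping at the RString's own terminator; and both allocations are alloca calls sized by an unbounded string length, so a very long iseq label or path would be copied onto the worker thread's stack with no limit, which argues for a cap or a heap allocation if these values can be large.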
-- 
cgit v0.10.2


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
