
ruby-changes:60757

From: Alan <ko1@a...>
Date: Mon, 13 Apr 2020 04:19:27 +0900 (JST)
Subject: [ruby-changes:60757] 82fdffc5ec (master): Avoid UB with flexible array member

https://git.ruby-lang.org/ruby.git/commit/?id=82fdffc5ec

From 82fdffc5ec0ecffc2e49128775d7c09ed43ba59d Mon Sep 17 00:00:00 2001
From: Alan Wu <XrXr@u...>
Date: Sun, 12 Apr 2020 15:19:06 -0400
Subject: Avoid UB with flexible array member

Accessing past the end of an array is technically UB. Use C99 flexible
array member instead to avoid the UB and simplify allocation size
calculation.

See also: DCL38-C in the SEI CERT C Coding Standard

diff --git a/compile.c b/compile.c
index bd249a5..d294faa 100644
--- a/compile.c
+++ b/compile.c
@@ -3951,7 +3951,7 @@ compile_keyword_arg(rb_iseq_t *iseq, LINK_ANCHOR *const ret, https://github.com/ruby/ruby/blob/trunk/compile.c#L3951
 	{
 	    int len = (int)node->nd_alen / 2;
             struct rb_callinfo_kwarg *kw_arg =
-                rb_xmalloc_mul_add(len - 1, sizeof(VALUE), sizeof(struct rb_callinfo_kwarg));
+                rb_xmalloc_mul_add(len, sizeof(VALUE), sizeof(struct rb_callinfo_kwarg));
 	    VALUE *keywords = kw_arg->keywords;
 	    int i = 0;
 	    kw_arg->keyword_len = len;
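Review bot: The allocation size on the `+` line is still spelled out by hand as `rb_xmalloc_mul_add(len, sizeof(VALUE), sizeof(struct rb_callinfo_kwarg))`, which duplicates the layout arithmetic that `rb_callinfo_kwarg_bytes()` in vm_callinfo.h already encodes; the same duplication is in the `ibf_load_ci_entries` hunk below. The commit had to update all three sites in lock-step, and a future change to the struct or to the `len` convention can silently miss one of them. If vm_callinfo.h is visible from compile.c, consider sizing both call sites through the shared helper, e.g. `struct rb_callinfo_kwarg *kw_arg = ruby_xmalloc(rb_callinfo_kwarg_bytes(len));`, so the header-plus-`len` VALUEs rule lives in one place. compile_keyword_arg starts and ends outside this hunk.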
@@ -10394,7 +10394,7 @@ ibf_load_ci_entries(const struct ibf_load *load, https://github.com/ruby/ruby/blob/trunk/compile.c#L10394
             struct rb_callinfo_kwarg *kwarg = NULL;
             int kwlen = (int)ibf_load_small_value(load, &reading_pos);
             if (kwlen > 0) {
-                kwarg = rb_xmalloc_mul_add(kwlen - 1, sizeof(VALUE), sizeof(struct rb_callinfo_kwarg));;
+                kwarg = rb_xmalloc_mul_add(kwlen, sizeof(VALUE), sizeof(struct rb_callinfo_kwarg));
                 kwarg->keyword_len = kwlen;
                 for (int j=0; j<kwlen; j++) {
                     VALUE keyword = ibf_load_small_value(load, &reading_pos);
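Review bot: `kwlen` is read from the serialized iseq via `ibf_load_small_value` and cast to `int`, and the only validation before it sizes the allocation on the `+` line and bounds the read loop below it is the `kwlen > 0` check, so a wide value truncated to a non-positive int is silently skipped and a large positive one drives both the allocation and `kwlen` further reads. Whether `ibf_load_small_value` bound-checks `reading_pos` against the loaded buffer is not visible here; if it does not, a reader of this hunk cannot tell that the loop is safe on a malformed file. A comment such as `/* kwlen comes from the loaded iseq; each ibf_load_small_value call is expected to bound-check reading_pos */` at the `if (kwlen > 0)` line would state the assumption, or an explicit upper bound on `kwlen` would remove it. The enclosing function continues outside the hunk.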
diff --git a/vm_callinfo.h b/vm_callinfo.h
index 013811d..b3de14d 100644
--- a/vm_callinfo.h
+++ b/vm_callinfo.h
@@ -33,14 +33,14 @@ enum vm_call_flag_bits { https://github.com/ruby/ruby/blob/trunk/vm_callinfo.h#L33
 
 struct rb_callinfo_kwarg {
     int keyword_len;
-    VALUE keywords[1];
+    VALUE keywords[];
 };
 
 static inline size_t
 rb_callinfo_kwarg_bytes(int keyword_len)
 {
     return rb_size_mul_add_or_raise(
-        keyword_len - 1,
+        keyword_len,
         sizeof(VALUE),
         sizeof(struct rb_callinfo_kwarg),
         rb_eRuntimeError);
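Review bot: `rb_callinfo_kwarg_bytes` now returns `sizeof(struct rb_callinfo_kwarg)` plus `keyword_len` VALUEs, but the helper has no comment and takes `keyword_len` as a signed `int`; a negative value passed to `rb_size_mul_add_or_raise` would be converted to an unsigned size before the overflow check, so callers must guarantee non-negativity and nothing here says so. A short header comment would make the contract explicit: `/* Bytes needed for a rb_callinfo_kwarg holding keyword_len keywords (header plus trailing VALUEs); keyword_len must be >= 0, overflow raises rb_eRuntimeError */`. It is also worth noting in that comment that `sizeof` of a struct with a flexible array member may include trailing padding, so the result can slightly exceed the minimum and is safe to use as-is. The function's closing brace lies outside this hunk.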
-- 
cgit v0.10.2


