ruby-changes:69071

From: Alan <ko1@a...>
Date: Thu, 21 Oct 2021 08:20:45 +0900 (JST)
Subject: [ruby-changes:69071] 736eb29a3c (master): Fix use-after-free on USE_EMBED_CI=0

https://git.ruby-lang.org/ruby.git/commit/?id=736eb29a3c

From 736eb29a3c8f5ee18b76c98428350c8ab8b361a0 Mon Sep 17 00:00:00 2001
From: Alan Wu <XrXr@u...>
Date: Mon, 19 Jul 2021 20:25:18 -0400
Subject: Fix use-after-free on USE_EMBED_CI=0

The old code didn't keep old_operands[0] reachable while allocating. You
can crash it by requiring erb under GC stress mode.
---
 compile.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/compile.c b/compile.c
index b11650c885..823d6b5718 100644
--- a/compile.c
+++ b/compile.c
@@ -3452,16 +3452,20 @@ iseq_peephole_optimize(rb_iseq_t *iseq, LINK_ELEMENT *list, const int do_tailcal https://github.com/ruby/ruby/blob/trunk/compile.c#L3452
 static int
 insn_set_specialized_instruction(rb_iseq_t *iseq, INSN *iobj, int insn_id)
 {
-    iobj->insn_id = insn_id;
-    iobj->operand_size = insn_len(insn_id) - 1;
-    iobj->insn_info.events |= RUBY_EVENT_C_CALL | RUBY_EVENT_C_RETURN;
-
     if (insn_id == BIN(opt_neq)) {
+        // Be careful to not write to iobj before allocating so the old operand stays alive.
         VALUE original_ci = iobj->operands[0];
+        VALUE *new_operands = compile_data_calloc2(iseq, 2, sizeof(VALUE));
+        new_operands[0] = (VALUE)new_callinfo(iseq, idEq, 1, 0, NULL, FALSE);
+        new_operands[1] = original_ci;
+
+        iobj->insn_id = insn_id;
         iobj->operand_size = 2;
-        iobj->operands = compile_data_calloc2(iseq, iobj->operand_size, sizeof(VALUE));
-        iobj->operands[0] = (VALUE)new_callinfo(iseq, idEq, 1, 0, NULL, FALSE);
-        iobj->operands[1] = original_ci;
+        iobj->operands = new_operands;
+    }
+    else {
+        iobj->insn_id = insn_id;
+        iobj->operand_size = insn_len(insn_id) - 1;
     }
 
     return COMPILE_OK;
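Review bot: the hunk removes `iobj->insn_info.events |= RUBY_EVENT_C_CALL | RUBY_EVENT_C_RETURN;` and does not re-add it in either the `opt_neq` branch or the new `else` branch, so the specialized instruction no longer gets the c_call/c_return event bits; that is a behaviour change beyond the use-after-free fix and the commit message does not mention it. If the removal is intended, say so in the message; otherwise restore the line after the if/else (it does not touch `operands`, so it can safely follow the allocation). The reordering itself is correct: `compile_data_calloc2` and `new_callinfo` both run before any write to `iobj`, so `iobj->operands[0]` stays reachable during allocation, matching the comment on the added line.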
-- 
cgit v1.2.1


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/