ruby-changes:71194
From: Yusuke <ko1@a...>
Date: Thu, 17 Feb 2022 01:44:22 +0900 (JST)
Subject: [ruby-changes:71194] 5f01fba001 (master): yjit_codegen.c: Prevent a possible out-of-bound access
https://git.ruby-lang.org/ruby.git/commit/?id=5f01fba001 From 5f01fba001c478834d97d8abf88b0cb6e235d436 Mon Sep 17 00:00:00 2001 From: Yusuke Endoh <mame@r...> Date: Thu, 17 Feb 2022 00:36:08 +0900 Subject: yjit_codegen.c: Prevent a possible out-of-bound access The code attempts to read `C_ARG_REGS[leaf_builtin->argc + 1]`, and the size of `C_ARG_REGS` is `NUM_C_ARG_REGS`. So, the guard condition must be `leaf_builtin->argc + 1 + 1 <= NUM_C_ARG_REGS`. This change fixes the off-by-one error. This issue was found by Coverity Scan. --- yjit_codegen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yjit_codegen.c b/yjit_codegen.c index afecf2fbf5..155aa4a41c 100644 --- a/yjit_codegen.c +++ b/yjit_codegen.c @@ -3702,7 +3702,7 @@ gen_send_iseq(jitstate_t *jit, ctx_t *ctx, const struct rb_callinfo *ci, const r https://github.com/ruby/ruby/blob/trunk/yjit_codegen.c#L3702 const struct rb_builtin_function *leaf_builtin = rb_leaf_builtin_function(iseq); - if (leaf_builtin && !block && leaf_builtin->argc + 1 <= NUM_C_ARG_REGS) { + if (leaf_builtin && !block && leaf_builtin->argc + 1 /* for self */ + 1 /* for ec */ <= NUM_C_ARG_REGS) { ADD_COMMENT(cb, "inlined leaf builtin"); // Call the builtin func (ec, recv, arg1, arg2, ...) -- cgit v1.2.1 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/