diff options
| author | Kouhei Sutou <[email protected]> | 2015-02-25 00:13:40 +0900 |
|---|---|---|
| committer | Kouhei Sutou <[email protected]> | 2015-02-25 00:13:40 +0900 |
| commit | 3fefe52ffb7286d129167c092d7ccc2908c37292 (patch) | |
| tree | f51afb13aa5ecc4831f67a9d07a32df32d68eb3c | |
| parent | a2a272ca8ebecdc037b352ee95492accfeab9457 (diff) | |
| download | mruby-3fefe52ffb7286d129167c092d7ccc2908c37292.tar.gz mruby-3fefe52ffb7286d129167c092d7ccc2908c37292.zip | |
Fix a crash bug on raising after realloc
The following program reproduces this problem:
#include <mruby.h>
static mrb_value
recursive(mrb_state *mrb, mrb_value self)
{
mrb_int n;
mrb_get_args(mrb, "i", &n);
if (n == 0) {
mrb_raise(mrb, E_RUNTIME_ERROR, "XXX");
} else {
mrb_funcall(mrb, self, "recursive", 1, mrb_fixnum_value(n - 1));
}
return self;
}
int
main(void)
{
mrb_state *mrb;
mrb = mrb_open();
mrb_define_method(mrb, mrb->kernel_module, "recursive", recursive,
MRB_ARGS_REQ(1));
mrb_funcall(mrb, mrb_top_self(mrb), "recursive", 1, mrb_fixnum_value(30));
mrb_close(mrb);
}
Recursive method call isn't required. It's just for expanding call info
stack.
If mrb_realloc() is called in cipush(), cibase address is changed. So,
we shouldn't compare ci before mrb_realloc() and cibase after
mrb_realloc(). It accesses unknown address and causes crash.
| -rw-r--r-- | src/vm.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -316,7 +316,7 @@ mrb_funcall_with_block(mrb_state *mrb, mrb_value self, mrb_sym mid, mrb_int argc if (!mrb->jmp) { struct mrb_jmpbuf c_jmp; - mrb_callinfo *old_ci = mrb->c->ci; + size_t nth_ci = mrb->c->ci - mrb->c->cibase; MRB_TRY(&c_jmp) { mrb->jmp = &c_jmp; @@ -325,7 +325,7 @@ mrb_funcall_with_block(mrb_state *mrb, mrb_value self, mrb_sym mid, mrb_int argc mrb->jmp = 0; } MRB_CATCH(&c_jmp) { /* error */ - while (old_ci != mrb->c->ci) { + while (nth_ci < (mrb->c->ci - mrb->c->cibase)) { mrb->c->stack = mrb->c->ci->stackent; cipop(mrb); } |