authorBouke van der Bijl <[email protected]>2016-12-07 11:22:30 -0500
committerBouke van der Bijl <[email protected]>2016-12-08 15:47:17 -0500
commitc8da3c4df4f8cb6f6d00c70e75606c59f9888509 (patch)
treef4aa9c676f8707fff0ff96867d42f4e2ef5d8328
parentdb6b6ff4420b6e9a68e90e497131560d1e57c06f (diff)
Fix segfault when undef is called with exactly 127 arguments
The issue is that when there are more than 126 arguments, an array needs to be created to pass the arguments on. Reported by https://hackerone.com/revskills
-rw-r--r--mrbgems/mruby-compiler/core/codegen.c22
-rw-r--r--test/t/codegen.rb10
2 files changed, 30 insertions, 2 deletions
diff --git a/mrbgems/mruby-compiler/core/codegen.c b/mrbgems/mruby-compiler/core/codegen.c
index b2cd12225..3cfd99d41 100644
--- a/mrbgems/mruby-compiler/core/codegen.c
+++ b/mrbgems/mruby-compiler/core/codegen.c
@@ -2560,13 +2560,31 @@ codegen(codegen_scope *s, node *tree, int val)
genop(s, MKOP_A(OP_TCLASS, cursp()));
push();
while (t) {
- int symbol = new_msym(s, sym(t->car));
+ int symbol;
+ if (num >= CALL_MAXARGS - 1) {
+ pop_n(num);
+ genop(s, MKOP_ABC(OP_ARRAY, cursp(), cursp(), num));
+ while (t) {
+ symbol = new_msym(s, sym(t->car));
+ push();
+ genop(s, MKOP_ABx(OP_LOADSYM, cursp(), symbol));
+ pop();
+ genop(s, MKOP_AB(OP_ARYPUSH, cursp(), cursp()+1));
+ t = t->cdr;
+ }
+ num = CALL_MAXARGS;
+ break;
+ }
+ symbol = new_msym(s, sym(t->car));
genop(s, MKOP_ABx(OP_LOADSYM, cursp(), symbol));
push();
t = t->cdr;
num++;
}
- pop_n(num + 1);
+ pop();
+ if (num < CALL_MAXARGS) {
+ pop_n(num);
+ }
genop(s, MKOP_ABC(OP_SEND, cursp(), undef, num));
if (val) {
push();
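Review bot: The `num = CALL_MAXARGS;` assignment before `break` carries two meanings that nothing in the hunk spells out. It is the argument count handed to `OP_SEND`, which, going by the commit description, presumably marks the arguments as packed into the array built by `OP_ARRAY`/`OP_ARYPUSH`. It is also what makes the later `if (num < CALL_MAXARGS)` skip `pop_n(num)`, because those registers were already released inside the branch. Since the crash being fixed came from this operand being misinterpreted, a comment at that line such as `/* argc == CALL_MAXARGS: args are packed in one array; arg registers already popped above */` would protect the stack accounting from a later edit. The `CALL_MAXARGS - 1` threshold deserves a similar one-line explanation. The enclosing case of `codegen` starts and ends outside the hunk.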
diff --git a/test/t/codegen.rb b/test/t/codegen.rb
index bb0f5c306..3058a7fbc 100644
--- a/test/t/codegen.rb
+++ b/test/t/codegen.rb
@@ -63,3 +63,13 @@ assert('splat in case splat') do
assert_equal [1], a
end
+
+assert('undef with 127 or more arguments') do
+ assert_raise NameError do
+ undef
+ a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
+ a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
+ a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a,
+ a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a, a
+ end
+end
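Review bot: The test exercises only the 127-symbol case although its name says "127 or more", so neither neighbour of the boundary is checked. Missing are 126 symbols, the last count that stays on the direct-register path, and 128 or more, where the inner `while (t)` loop in codegen.c appends more than one symbol to the array. Adding one `assert_raise NameError` block for each would pin both sides of the `num >= CALL_MAXARGS - 1` branch and catch a regression in the register bookkeeping. If the name is kept as is, at least one case above 127 should back it up; otherwise rename it to `'undef with 127 arguments'`.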