| author | Kouhei Sutou <[email protected]> | 2016-01-22 00:20:00 +0900 |
|---|---|---|
| committer | Kouhei Sutou <[email protected]> | 2016-01-22 00:20:00 +0900 |
| commit | c77123d20a6e971937177edf9d13763d147389c6 (patch) | |
| tree | 9bd07cb2d90bbedd10434baede4edbadb7c290ae /src/codedump.c | |
| parent | 8a74e68552a9a791de0202fff197095bd308e0eb (diff) | |
| download | mruby-c77123d20a6e971937177edf9d13763d147389c6.tar.gz mruby-c77123d20a6e971937177edf9d13763d147389c6.zip | |
Fix SEGV by stack extension in mrb_get_args()

mrb_get_args() keeps pointer of the current stack. But address of the
current stack may be changed by method call.

'i' format character calls #to_i when the argument isn't integer but
has #to_i.

Here is code that may call #to_i in mrb_get_args():

    case 'i':
      // ...
        default:
          *p = mrb_fixnum(mrb_Integer(mrb, ARGV[arg_i]));
          break;
      // ...

Here is code where #to_i is called:

    class X
      def initialize(i)
        @i = i
      end

      def to_i
        @i
      end
    end

    [][X.new(0), 0] # X#to_i is called

So, mrb_get_args() shouldn't keep pointer and use it. mrb_get_args()
should always refer mrb->ci->stack to use valid address of the current
stack.
Diffstat (limited to 'src/codedump.c')
0 files changed, 0 insertions, 0 deletions
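
The hazard described in the commit message, modelled as an added example (it is not mruby code and not part of this commit): a toy value stack is relocated by a stand-in for a `#to_i` call, which invalidates any pointer taken before the call, while an index re-read against the live base stays valid. `vm_t`, `vm_new`, `stack_extend`, `call_to_i`, `cached_base_is_stale` and `sum_args_safe` are hypothetical names, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { long *stack; size_t len, cap; } vm_t; /* toy VM stack, not mruby's */

static vm_t vm_new(const long *vals, size_t n) {
  vm_t vm = { malloc(n * sizeof(long)), n, n };
  if (!vm.stack) abort();
  memcpy(vm.stack, vals, n * sizeof(long));
  return vm;
}

/* Allocate before freeing so the base always moves, like a relocating realloc(). */
static void stack_extend(vm_t *vm, size_t cap) {
  long *grown = malloc(cap * sizeof(long));
  if (!grown) abort();
  memcpy(grown, vm->stack, vm->len * sizeof(long));
  free(vm->stack);
  vm->stack = grown; vm->cap = cap;
}

/* Stand-in for a #to_i call: the method call needs stack space and extends it. */
static long call_to_i(vm_t *vm, long v) {
  stack_extend(vm, vm->cap * 2);
  return v;
}

/* Hazard: the base a cached argv pointer derives from; compared as integers only. */
static int cached_base_is_stale(vm_t *vm) {
  uintptr_t cached = (uintptr_t)vm->stack;
  (void)call_to_i(vm, vm->stack[1]);
  return cached != (uintptr_t)vm->stack;
}

/* Fix pattern: keep an index and re-read vm->stack on every access. */
static long sum_args_safe(vm_t *vm, size_t argc) {
  long sum = 0;
  for (size_t i = 0; i < argc; i++)
    sum += call_to_i(vm, vm->stack[1 + i]);
  return sum;
}

int main(void) {
  long vals[] = {0, 10, 20, 30}; /* constructed: slot 0 = receiver, then 3 args */
  vm_t a = vm_new(vals, 4), b = vm_new(vals, 4);
  int ok = cached_base_is_stale(&a) && sum_args_safe(&b, 3) == 60;
  free(a.stack); free(b.stack);
  return !ok;
}
```

Building this with AddressSanitizer and replacing the index in `sum_args_safe` with a pointer captured before the loop turns the stale access into a reported heap-use-after-free.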
