| author | Horimoto Yasuhiro <[email protected]> | 2020-11-29 14:52:37 +0900 |
|---|---|---|
| committer | Horimoto Yasuhiro <[email protected]> | 2020-11-29 15:57:44 +0900 |
| commit | df13d418c31856baed5bcba4636b9677c74b613c (patch) | |
| tree | edaa7e34fc3b8cfa6afa4728989ceabb5bd7b586 /src/dump.c | |
| parent | 6d07d9b3d7a64834bda8644ab6c4ed1fabe217a4 (diff) | |
Fix heap buffer overflow when dump irep
Currently, the size of writing in heap by write_irep_record() is
bigger than the size that is calculated by get_irep_record_size.
Therefore, irep is dumped over the size of allocating memory when we
execute dump_irep().
Diffstat (limited to 'src/dump.c')
| -rw-r--r-- | src/dump.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/dump.c b/src/dump.c index a79df597b..a4ccac139 100644 --- a/src/dump.c +++ b/src/dump.c @@ -293,6 +293,7 @@ get_irep_record_size_1(mrb_state *mrb, const mrb_irep *irep) size_t size = 0; size += get_irep_header_size(mrb); + size += sizeof(uint16_t); size += get_iseq_block_size(mrb, irep); size += get_catch_table_block_size(mrb, irep); size += get_pool_block_size(mrb, irep); |
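Review bot: The added `size += sizeof(uint16_t);` in get_irep_record_size_1() has no comment saying which field written by write_irep_record() these two bytes account for, so the size calculation and the writer can drift apart again without anyone noticing. Please add a short comment naming the field, or move the term into the get_*_size helper it belongs to, so each line in this function maps to one block the writer emits. Since the commit message describes the failure as the writer producing more bytes than this function computes, it would also help to have dump_irep() check that the number of bytes actually written equals the calculated size, turning any future mismatch into a clean error rather than a heap overwrite. A regression test that dumps an irep and compares the two sizes would cover this fix.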
