Merge pull request #3991 from take-cheeze/fix_eval_env_gc

Fix possible heap use after free in `mrb_exec_irep` and stack expanding.
author: Yukihiro "Matz" Matsumoto <[email protected]> 2018-04-05 15:44:24 +0900
committer: GitHub <[email protected]> 2018-04-05 15:44:24 +0900
commit: e9ddb593f3f6c0264563eaf20f5de8cf43cc1c5d (patch)
tree: 7d9b24e305936173bf329ea40c5a04bbdec64f14 /src
parent: f23c3cddc89d24430f8a8c6f44cdab4ecfe2d55d (diff)
parent: 26e436e24797f0c3228bc9900615afe7d2e29ddf (diff)
download: mruby-e9ddb593f3f6c0264563eaf20f5de8cf43cc1c5d.tar.gz
mruby-e9ddb593f3f6c0264563eaf20f5de8cf43cc1c5d.zip
1 files changed, 12 insertions, 0 deletions
diff --git a/src/vm.c b/src/vm.c
index e5bbf657c..ae9bf2e69 100644
--- a/src/vm.c
+++ b/src/vm.c
@@ -156,6 +156,18 @@ envadjust(mrb_state *mrb, mrb_value *oldbase, mrb_value *newbase, size_t size)
 
       e->stack = newbase + off;
     }
+
+    if (ci->proc && MRB_PROC_ENV_P(ci->proc) && ci->env != MRB_PROC_ENV(ci->proc)) {
+      e = MRB_PROC_ENV(ci->proc);
+
+      if (e && MRB_ENV_STACK_SHARED_P(e) &&
+          (st = e->stack) && oldbase <= st && st < oldbase+size) {
+        ptrdiff_t off = e->stack - oldbase;
+
+        e->stack = newbase + off;
+      }
+    }
+
     ci->stackent = newbase + (ci->stackent - oldbase);
     ci++;
   }
author	Yukihiro "Matz" Matsumoto <[email protected]>	2018-04-05 15:44:24 +0900
committer	GitHub <[email protected]>	2018-04-05 15:44:24 +0900
commit	e9ddb593f3f6c0264563eaf20f5de8cf43cc1c5d (patch)
tree	7d9b24e305936173bf329ea40c5a04bbdec64f14 /src
parent	f23c3cddc89d24430f8a8c6f44cdab4ecfe2d55d (diff)
parent	26e436e24797f0c3228bc9900615afe7d2e29ddf (diff)
download	mruby-e9ddb593f3f6c0264563eaf20f5de8cf43cc1c5d.tar.gz mruby-e9ddb593f3f6c0264563eaf20f5de8cf43cc1c5d.zip