From bc88fc6ed15b9837659071817d93885e4910cba5 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Wed, 29 Aug 2018 12:31:48 +0900
Subject: Check iseq buffer size before code emission; fix #4090

The type of `s->pc` is now `uint16_t` that can be overflowed easily. Need more checks.
---
 mrbgems/mruby-compiler/core/codegen.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/mrbgems/mruby-compiler/core/codegen.c b/mrbgems/mruby-compiler/core/codegen.c
index a835a563e..13f5aa053 100644
--- a/mrbgems/mruby-compiler/core/codegen.c
+++ b/mrbgems/mruby-compiler/core/codegen.c
@@ -151,11 +151,11 @@ new_label(codegen_scope *s)
 static void
 emit_B(codegen_scope *s, uint32_t pc, uint8_t i)
 {
+ if (pc >= MAXARG_S || s->icapa >= MAXARG_S) {
+ codegen_error(s, "too big code block");
+ }
 if (pc >= s->icapa) {
 s->icapa *= 2;
- if (pc >= MAXARG_S) {
- codegen_error(s, "too big code block");
- }
 if (s->icapa > MAXARG_S) {
 s->icapa = MAXARG_S;
 }
@@ -184,7 +184,8 @@ emit_S(codegen_scope *s, int pc, uint16_t i)
 static void
 gen_B(codegen_scope *s, uint8_t i)
 {
- emit_B(s, s->pc++, i);
+ emit_B(s, s->pc, i);
+ s->pc++;
 }

 static void
@@ -248,7 +249,6 @@ genop_2(codegen_scope *s, mrb_code i, uint16_t a, uint16_t b)
 static void
 genop_3(codegen_scope *s, mrb_code i, uint16_t a, uint16_t b, uint8_t c)
 {
- s->lastpc = s->pc;
 genop_2(s, i, a, b);
 gen_B(s, c);
 }
@@ -256,7 +256,6 @@ genop_3(codegen_scope *s, mrb_code i, uint16_t a, uint16_t b, uint8_t c)
 static void
 genop_2S(codegen_scope *s, mrb_code i, uint16_t a, uint16_t b)
 {
- s->lastpc = s->pc;
 genop_1(s, i, a);
 gen_S(s, b);
 }
--
cgit v1.2.3
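Review bot: The second clause of the new guard in emit_B, `s->icapa >= MAXARG_S`, fires on every subsequent emission once the growth branch below has clamped the capacity to MAXARG_S, even when `pc < s->icapa` and the byte would fit in the buffer already allocated; if codegen_error() does not return, the usable iseq size is effectively cut to the capacity reached before the clamp rather than to MAXARG_S. The `pc >= MAXARG_S` clause alone already bounds the index before any store, and the existing clamp keeps the reallocation size within MAXARG_S, so the guard appears to reduce to `if (pc >= MAXARG_S) {`. That reasoning assumes MAXARG_S does not exceed the range of the `uint16_t` pc counter named in the commit message; the reallocation and the store in emit_B lie outside the hunk, so the conclusion also assumes they follow the clamp unchanged.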
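Review bot: The separated `s->pc++` in gen_B still wraps silently to 0 if the `uint16_t` counter described in the commit message ever reaches its maximum; after this change that cannot happen only because emit_B() rejects `pc >= MAXARG_S` before the increment is reached, which holds only if MAXARG_S is no larger than UINT16_MAX and codegen_error() does not return to the caller. That invariant is load-bearing for the bounds check and deserves a comment at the increment, e.g. `/* emit_B() has already rejected pc >= MAXARG_S, so this cannot wrap */`. gen_S, called from genop_2S in the last hunk, is not in view; if it still passes `s->pc++` as an argument it needs the same split, since the old form advanced pc even when emit_B() reported an error.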