From 542f0f7b161e6bcd551c4fa52a8f71463a17aa3e Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Thu, 6 Jul 2017 09:28:44 +0900
Subject: Avoid out-of-bounds access of the backtrace array.
---
 src/backtrace.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
(limited to 'src/backtrace.c')
diff --git a/src/backtrace.c b/src/backtrace.c
index 19a54b7e5..d3e8d636f 100644
--- a/src/backtrace.c
+++ b/src/backtrace.c
@@ -79,11 +79,13 @@ print_backtrace(mrb_state *mrb, mrb_value backtrace)
 FILE *stream = stderr;
 if (!mrb_array_p(backtrace)) return;
- fprintf(stream, "trace:\n");
- n = RARRAY_LEN(backtrace);
- for (i=0; n--; i++) {
- mrb_value entry = RARRAY_PTR(backtrace)[n];
+ n = RARRAY_LEN(backtrace) - 1;
+ if (n == 0) return;
+
+ fprintf(stream, "trace:\n");
+ for (i=0; iflags;
 fprintf(stream, "trace:\n");
- for (i = 0; n--; i++) {
- int ai = mrb_gc_arena_save(mrb);
- struct backtrace_location *entry = &bt[n];
+ for (i = 0; ifilename == NULL) continue;
- fprintf(stream, "\t[%d] %s:%d", (int)i, entry->filename, entry->lineno);
+ fprintf(stream, "\t[%d] %s:%d", i, entry->filename, entry->lineno);
 if (entry->method_id != 0) {
 const char *method_name;
@@ -196,6 +198,7 @@ mrb_unpack_backtrace(mrb_state *mrb, mrb_value backtrace)
 {
 struct backtrace_location *bt;
 mrb_int n, i;
+ int ai;
 if (mrb_nil_p(backtrace)) return mrb_ary_new_capa(mrb, 0);
 if (mrb_array_p(backtrace)) return backtrace;
@@ -205,8 +208,8 @@ mrb_unpack_backtrace(mrb_state *mrb, mrb_value backtrace)
 }
 n = (mrb_int)RDATA(backtrace)->flags;
 backtrace = mrb_ary_new_capa(mrb, n);
+ ai = mrb_gc_arena_save(mrb);
 for (i = 0; i < n; i++) {
- int ai = mrb_gc_arena_save(mrb);
 struct backtrace_location *entry = &bt[i];
 mrb_value btline;
-- 
cgit v1.2.3
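Review bot: The new guard `if (n == 0) return;` in print_backtrace does not cover an empty array, where `n = RARRAY_LEN(backtrace) - 1` evaluates to -1, so the function still prints `trace:` with nothing to list. Writing it as `if (n <= 0) return;` handles both cases, and it keeps a negative `n` from reaching any later code that might use it as a bound or index. The `- 1` also leaves the final array element out of the listing, and a one-line comment stating why it is skipped would help the next reader. The `for` line and the rest of this hunk are cut off on the page, so the loop body could not be checked.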
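Review bot: The placement of `ai = mrb_gc_arena_save(mrb);` after `mrb_ary_new_capa(mrb, n)` in mrb_unpack_backtrace is order-sensitive, and nothing in the code says so. Saving the arena index after the result array is allocated means a later restore to `ai` leaves that array protected, whereas moving the save above the allocation would release the array while only a C local refers to it. I would add `/* save after allocating the result array so restores in the loop keep it in the arena */` above the line. The matching restore is presumably in the loop body, which continues past the end of this hunk; the `int ai;` declaration comes from the previous hunk.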