From df13d418c31856baed5bcba4636b9677c74b613c Mon Sep 17 00:00:00 2001
From: Horimoto Yasuhiro
Date: Sun, 29 Nov 2020 14:52:37 +0900
Subject: Fix heap buffer overflow when dump irep

Currently, the size of writing in heap by write_irep_record() is bigger than The size that is calculated by get_irep_record_size. Therefore, irep is dumped over the size of allocating memory when we execute dump_irep().
---
 src/dump.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'src/dump.c')
diff --git a/src/dump.c b/src/dump.c
index a79df597b..a4ccac139 100644
--- a/src/dump.c
+++ b/src/dump.c
@@ -293,6 +293,7 @@ get_irep_record_size_1(mrb_state *mrb, const mrb_irep *irep)
   size_t size = 0;
   size += get_irep_header_size(mrb);
+  size += sizeof(uint16_t);
   size += get_iseq_block_size(mrb, irep);
   size += get_catch_table_block_size(mrb, irep);
   size += get_pool_block_size(mrb, irep);
-- 
cgit v1.2.3
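Review bot: The added `size += sizeof(uint16_t);` in get_irep_record_size_1 has no comment naming which field of the record it accounts for, so a reader cannot check it against write_irep_record() and the two sums can drift apart again, which is exactly how this heap overflow arose. I would at least write it as `size += sizeof(uint16_t); /* extra uint16_t field emitted by write_irep_record(); keep in sync */`, phrased cautiously here because the matching write is outside the hunk. Since this value is what dump_irep() uses to size the heap buffer, it is also worth a self-check at the writer, something like `mrb_assert((size_t)(bin - start) == *irep_record_size);` after the last write_*_block call in write_irep_record (with `start` the record's first byte), so a future mismatch fails in debug builds instead of silently corrupting the heap. A more durable fix would derive the size and the write from one per-field definition rather than maintaining two parallel lists. The enclosing function get_irep_record_size_1 begins and ends outside the hunk.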