From 3fefe52ffb7286d129167c092d7ccc2908c37292 Mon Sep 17 00:00:00 2001 From: Kouhei Sutou Date: Wed, 25 Feb 2015 00:13:40 +0900 Subject: Fix a crash bug on raising after realloc The following program reproduces this problem: #include static mrb_value recursive(mrb_state *mrb, mrb_value self) { mrb_int n; mrb_get_args(mrb, "i", &n); if (n == 0) { mrb_raise(mrb, E_RUNTIME_ERROR, "XXX"); } else { mrb_funcall(mrb, self, "recursive", 1, mrb_fixnum_value(n - 1)); } return self; } int main(void) { mrb_state *mrb; mrb = mrb_open(); mrb_define_method(mrb, mrb->kernel_module, "recursive", recursive, MRB_ARGS_REQ(1)); mrb_funcall(mrb, mrb_top_self(mrb), "recursive", 1, mrb_fixnum_value(30)); mrb_close(mrb); } Recursive method call isn't required. It's just for expanding call info stack. If mrb_realloc() is called in cipush(), cibase address is changed. So, we shouldn't compare ci before mrb_realloc() and cibase after mrb_realloc(). It accesses unknown address and causes crash. --- src/vm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/vm.c b/src/vm.c index 3734ccaf8..9004c236e 100644 --- a/src/vm.c +++ b/src/vm.c @@ -316,7 +316,7 @@ mrb_funcall_with_block(mrb_state *mrb, mrb_value self, mrb_sym mid, mrb_int argc if (!mrb->jmp) { struct mrb_jmpbuf c_jmp; - mrb_callinfo *old_ci = mrb->c->ci; + size_t nth_ci = mrb->c->ci - mrb->c->cibase; MRB_TRY(&c_jmp) { mrb->jmp = &c_jmp; @@ -325,7 +325,7 @@ mrb_funcall_with_block(mrb_state *mrb, mrb_value self, mrb_sym mid, mrb_int argc mrb->jmp = 0; } MRB_CATCH(&c_jmp) { /* error */ - while (old_ci != mrb->c->ci) { + while (nth_ci < (mrb->c->ci - mrb->c->cibase)) { mrb->c->stack = mrb->c->ci->stackent; cipop(mrb); } -- cgit v1.2.3