From 4cf1da9542d6554ec23de6324c5f2d5eebe138c9 Mon Sep 17 00:00:00 2001 From: "Yukihiro \"Matz\" Matsumoto" Date: Tue, 1 Sep 2020 18:06:49 +0900 Subject: Separate jump destination check in `OP_R_RETURN`. In the past code, the current `callinfo (ci)` was modified, thus it was possible to pop `ci` beyond the `cibase`, that could cause out of memory bound access for the code like the following: ```ruby def m2 lambda { Proc.new { return :return # return from the method } }.call.call :never_reached end p m2 ``` --- src/vm.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/vm.c b/src/vm.c index bff13af10..b282af260 100644 --- a/src/vm.c +++ b/src/vm.c @@ -2029,11 +2029,20 @@ RETRY_TRY_BLOCK: goto L_RAISE; } } + /* check jump destination */ while (cibase <= ci && ci->proc != dst) { - if (ci->acc < 0) { + if (ci->acc < 0) { /* jump cross C boudary */ localjump_error(mrb, LOCALJUMP_ERROR_RETURN); goto L_RAISE; } + ci--; + } + if (ci <= cibase) { /* no jump destination */ + localjump_error(mrb, LOCALJUMP_ERROR_RETURN); + goto L_RAISE; + } + ci = mrb->c->ci; + while (cibase <= ci && ci->proc != dst) { CHECKPOINT_RESTORE(RBREAK_TAG_RETURN_BLOCK) { cibase = mrb->c->cibase; dst = top_proc(mrb, proc); @@ -2045,12 +2054,8 @@ RETRY_TRY_BLOCK: pc = ci->pc; ci = cipop(mrb); } - mrb->exc = NULL; /* clear break object */ proc = ci->proc; - if (ci <= cibase) { - localjump_error(mrb, LOCALJUMP_ERROR_RETURN); - goto L_RAISE; - } + mrb->exc = NULL; /* clear break object */ break; } /* fallthrough */ -- cgit v1.2.3