Crash on oom#19
Conversation
|
@msantos I wish I noticed this PR last week. I fixed a few bugs in erlang_js that were causing segfaults on otp 15B and having never looked at the erlang_js code I didn't know we were so vulnerable to OOM. Thanks for the PR, I'll try and look at this after our next release. |
Since driver_alloc() returns void, the cast is not required. Simplify the buffer size calculation as sizeof(char) is defined to be 1.
According to the man page for erl_driver, driver_alloc is a wrapper
around malloc():
This function allocates a memory block of the size specified in size,
and returns it. This only fails on out of memory, in that case NULL
is returned. (This is most often a wrapper for malloc).
Test for OOM and crash the VM to prevent buffer overflows.
Avoid zeroing buffers that will have their contents overwritten.
Suppress compiler warning:
c_src/spidermonkey.c: In function ‘sm_initialize’:
c_src/spidermonkey.c:165:21: warning: passing argument 4 of
‘JS_DefineFunction’ from incompatible pointer type [enabled by default]
c_src/system/include/js/jsapi.h:1905:1: note: expected ‘JSNative’ but
argument is of type ‘JSBool (**)(struct JSContext *, struct JSObject *,
uintN, jsval *, jsval *)’
|
Thanks for looking at it! I've reapplied my patches on top of your changes. |
There was a problem hiding this comment.
* sizeof(char); doesn't seem like it should've been removed
There was a problem hiding this comment.
On Tue, Jun 12, 2012 at 09:03:24AM -0700, Jared Morrow wrote:
@@ -240,8 +241,8 @@ char escape_quotes(char *text) {
char *error_to_json(const spidermonkey_error *error) {
char *escaped_source = escape_quotes(error->offending_source);
/ size = length(escaped source) + length(error msg) + JSON formatting */
- size_t size = (strlen(escaped_source) + strlen(error->msg) + 80) * sizeof(char);
- char *retval = (char *) driver_alloc((ErlDrvSizeT) size);
- size_t size = strlen(escaped_source) + strlen(error->msg) + 80;
* sizeof(char);doesn't seem like it should've been removed
sizeof(char) will always be 1. Removing it is sort of pedantic, but it
simplifies the code a bit.
There was a problem hiding this comment.
Please ignore me while I confuse sizeof(char) with CHAR_BITS, sorry.
ghost
assigned
|
+1 |
1 similar comment
|
+1 |
|
+1 Looks good. It might be nice for maintenance to peek at (driver_comm.c, 37) using the copy_string() Not created in this change, but copy_string() might be better-named ejs_strdup() to be |
5 participants
Some small safety fixes, if anything looks weird or you'd like some changes, please let me know! I've run the tests and everything passed.