Fix a buffer overflow in the LLVM backend. Fixes #8502.

1 parent 1fda4fa commit 9d0290d3fdcd6676ffbb5e4f64e34c04e77669cb @vargaz vargaz committed Nov 22, 2012
Showing with 6 additions and 2 deletions.
  1. +6 −2 mono/mini/mini-llvm.c
8 mono/mini/mini-llvm.c
@@ -1821,7 +1821,7 @@ process_call (EmitContext *ctx, MonoBasicBlock *bb, LLVMBuilderRef *builder_ref,
LLVMValueRef *args;
LLVMCallInfo *cinfo;
GSList *l;
- int i, len;
+ int i, len, nargs;
gboolean vretaddr;
LLVMTypeRef llvm_sig;
gpointer target;
@@ -1943,23 +1943,27 @@ process_call (EmitContext *ctx, MonoBasicBlock *bb, LLVMBuilderRef *builder_ref,
/*
* Collect and convert arguments
*/
- len = sizeof (LLVMValueRef) * ((sig->param_count * 2) + sig->hasthis + vretaddr + call->rgctx_reg);
+ nargs = (sig->param_count * 2) + sig->hasthis + vretaddr + call->rgctx_reg + call->imt_arg_reg;
+ len = sizeof (LLVMValueRef) * nargs;
args = alloca (len);
memset (args, 0, len);
l = call->out_ireg_args;
if (call->rgctx_arg_reg) {
g_assert (values [call->rgctx_arg_reg]);
+ g_assert (sinfo.rgctx_arg_pindex < nargs);
args [sinfo.rgctx_arg_pindex] = values [call->rgctx_arg_reg];
}
if (call->imt_arg_reg) {
g_assert (values [call->imt_arg_reg]);
+ g_assert (sinfo.imt_arg_pindex < nargs);
args [sinfo.imt_arg_pindex] = values [call->imt_arg_reg];
}
if (vretaddr) {
if (!addresses [call->inst.dreg])
addresses [call->inst.dreg] = build_alloca (ctx, sig->ret);
+ g_assert (sinfo.vret_arg_pindex < nargs);
args [sinfo.vret_arg_pindex] = LLVMBuildPtrToInt (builder, addresses [call->inst.dreg], IntPtrType (), "");
}
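Review bot: The new size computation `nargs = (sig->param_count * 2) + sig->hasthis + vretaddr + call->rgctx_reg + call->imt_arg_reg;` adds the raw value of `call->imt_arg_reg`, yet the same field is tested as a presence flag on the `if (call->imt_arg_reg)` line ten lines later, so if it holds a vreg number rather than 0/1 the alloca is sized by that number instead of by one extra slot. The mismatch is suggested by the rgctx path itself, which sums `call->rgctx_reg` but guards on the differently named `call->rgctx_arg_reg`; if those are a flag and a vreg respectively, the imt term should be normalised the same way, e.g. `... + call->rgctx_reg + (call->imt_arg_reg ? 1 : 0);` — cheap, and it keeps an unbounded over-reservation off the stack. The three added `g_assert (... < nargs)` checks are the right guard for the index writes, but note they only bound against whatever nargs came out to, so an inflated count would hide rather than catch a wrong pindex. The @@ header claims more context lines than are shown here, so the tail of this hunk appears truncated, and process_call itself continues beyond it.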
