Skip to content

Commit

Permalink
Avoid out-of-bound access of VM stack in OP_SENDB; fix #3692
Browse files Browse the repository at this point in the history
  • Loading branch information
@matz
matz committed Jun 13, 2017
1 parent b9f771d commit edb5b36
Showing 1 changed file with 3 additions and 4 deletions.
7 changes: 3 additions & 4 deletions src/vm.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1245,6 +1245,7 @@ mrb_vm_exec(mrb_state *mrb, struct RProc *proc, mrb_code *pc)
mrb_value recv, result;
mrb_sym mid = syms[GETARG_B(i)];
int bidx;
mrb_value blk;

recv = regs[a];
if (n == CALL_MAXARGS) {
Expand All @@ -1259,6 +1260,7 @@ mrb_vm_exec(mrb_state *mrb, struct RProc *proc, mrb_code *pc)
mrb->c->ci->nregs = bidx+1;
}
SET_NIL_VALUE(regs[bidx]);
SET_NIL_VALUE(blk);
}
else {
mrb_value blk = regs[bidx];
Expand All @@ -1268,7 +1270,7 @@ mrb_vm_exec(mrb_state *mrb, struct RProc *proc, mrb_code *pc)
mrb->c->ci->nregs = bidx+1;
}
result = mrb_convert_type(mrb, blk, MRB_TT_PROC, "Proc", "to_proc");
regs[bidx] = result;
blk = regs[bidx] = result;
}
}
c = mrb_class(mrb, recv);
Expand Down Expand Up @@ -1331,9 +1333,6 @@ mrb_vm_exec(mrb_state *mrb, struct RProc *proc, mrb_code *pc)
if (mrb->exc) goto L_RAISE;
ci = mrb->c->ci;
if (GET_OPCODE(i) == OP_SENDB) {
mrb_value blk;

blk = ci->stackent[bidx];
if (mrb_type(blk) == MRB_TT_PROC) {
struct RProc *p = mrb_proc_ptr(blk);

Expand Down

0 comments on commit edb5b36

Please sign in to comment.