Fix buffer overrun in ivars when rebuilding shapes

peterzhu2118 · peterzhu2118 · commit 5dcbe5883364 · 2022-11-15T08:53:46.000-05:00
In rb_shape_rebuild_shape, we need to increase the capacity when capacity == next_iv_index since the next ivar will be writing at index next_iv_index. This bug can be reproduced when assertions are turned on and you run the following code: class Foo def initialize @A1 = 1 @a2 = 1 @A3 = 1 @a4 = 1 @A5 = 1 @a6 = 1 @a7 = 1 end def add_ivars @a8 = 1 @a9 = 1 end end class Bar < Foo end foo = Foo.new foo.add_ivars bar = Bar.new GC.start bar.add_ivars bar.clone You will get the following crash: Assertion Failed: object.c:301:rb_obj_copy_ivar:src_num_ivs <= shape_to_set_on_dest->capacity
diff --git a/shape.c b/shape.c
@@ -342,7 +342,7 @@ rb_shape_rebuild_shape(rb_shape_t * initial_shape, rb_shape_t * dest_shape)
 
     switch (dest_shape->type) {
         case SHAPE_IVAR:
-            if (midway_shape->capacity < midway_shape->next_iv_index) {
+            if (midway_shape->capacity <= midway_shape->next_iv_index) {
                 // There isn't enough room to write this IV, so we need to increase the capacity
                 midway_shape = rb_shape_transition_shape_capa(midway_shape, midway_shape->capacity * 2);
             }

Original file line number	Diff line number	Diff line change
`@@ -342,7 +342,7 @@ rb_shape_rebuild_shape(rb_shape_t * initial_shape, rb_shape_t * dest_shape)`
`342`	`342`
`343`	`343`	`switch (dest_shape->type) {`
`344`	`344`	`case SHAPE_IVAR:`
`345`		`- if (midway_shape->capacity < midway_shape->next_iv_index) {`
	`345`	`+ if (midway_shape->capacity <= midway_shape->next_iv_index) {`
`346`	`346`	`// There isn't enough room to write this IV, so we need to increase the capacity`
`347`	`347`	`midway_shape = rb_shape_transition_shape_capa(midway_shape, midway_shape->capacity * 2);`
`348`	`348`	`}`