Skip to content

M
mruby
Unverified Commit 4cf1da95 authored by Yukihiro "Matz" Matsumoto's avatar Yukihiro "Matz" Matsumoto
Browse files
Options

Separate jump destination check in `OP_R_RETURN`. 

In the past code, the current `callinfo (ci)` was modified, thus it was
possible to pop `ci` beyond the `cibase`, that could cause out of memory
bound access for the code like the following:

```ruby
def m2
  lambda {
    Proc.new {
      return :return # return from the method
    }
  }.call.call
  :never_reached
end

p m2
```
parent b01207ea
Show whitespace changes
Inline Side-by-side
Showing with 11 additions and 6 deletions
src/vm.c
View file @ 4cf1da95
...@@ -2029,11 +2029,20 @@ RETRY_TRY_BLOCK: ...@@ -2029,11 +2029,20 @@ RETRY_TRY_BLOCK:
goto L_RAISE; goto L_RAISE;
} }
} }
/* check jump destination */
while (cibase <= ci && ci->proc != dst) { while (cibase <= ci && ci->proc != dst) {
if (ci->acc < 0) { if (ci->acc < 0) { /* jump cross C boudary */
localjump_error(mrb, LOCALJUMP_ERROR_RETURN); localjump_error(mrb, LOCALJUMP_ERROR_RETURN);
goto L_RAISE; goto L_RAISE;
} }
ci--;
}
if (ci <= cibase) { /* no jump destination */
localjump_error(mrb, LOCALJUMP_ERROR_RETURN);
goto L_RAISE;
}
ci = mrb->c->ci;
while (cibase <= ci && ci->proc != dst) {
CHECKPOINT_RESTORE(RBREAK_TAG_RETURN_BLOCK) { CHECKPOINT_RESTORE(RBREAK_TAG_RETURN_BLOCK) {
cibase = mrb->c->cibase; cibase = mrb->c->cibase;
dst = top_proc(mrb, proc); dst = top_proc(mrb, proc);
...@@ -2045,12 +2054,8 @@ RETRY_TRY_BLOCK: ...@@ -2045,12 +2054,8 @@ RETRY_TRY_BLOCK:
pc = ci->pc; pc = ci->pc;
ci = cipop(mrb); ci = cipop(mrb);
} }
mrb->exc = NULL; /* clear break object */
proc = ci->proc; proc = ci->proc;
if (ci <= cibase) { mrb->exc = NULL; /* clear break object */
localjump_error(mrb, LOCALJUMP_ERROR_RETURN);
goto L_RAISE;
}
break; break;
} }
/* fallthrough */ /* fallthrough */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment