Restrict total recursion number of `ecall()`; fix #3789

86d10235 · Yukihiro "Matz" Matsumoto · afd46ecc · 86d10235 · 86d10235
Commit 86d10235 authored Nov 20, 2018 by Yukihiro "Matz" Matsumoto
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

include/mruby.h include/mruby.h +2 -1

src/vm.c src/vm.c +4 -2

No files found.
--- a/include/mruby.h
+++ b/include/mruby.h
@@ -267,7 +267,8 @@ typedef struct mrb_state {
 #else
  mrb_atexit_func *atexit_stack;
 #endif
-  mrb_int atexit_stack_len;
+  uint16_t atexit_stack_len;
+  uint16_t ecall_nest;                    /* prevent infinite recursive ecall() */
 } mrb_state;
 /**

--- a/src/vm.c
+++ b/src/vm.c
@@ -55,7 +55,7 @@ void abort(void);
 /* Maximum depth of ecall() recursion. */
 #ifndef MRB_ECALL_DEPTH_MAX
-#define MRB_ECALL_DEPTH_MAX 32
+#define MRB_ECALL_DEPTH_MAX 512
 #endif
 /* Maximum stack depth. Should be set lower on memory constrained systems.
@@ -337,7 +337,8 @@ ecall(mrb_state *mrb)
  int nregs;
  if (i<0) return;
-  if (ci - c->cibase > MRB_ECALL_DEPTH_MAX) {
+  /* restrict total call depth of ecall() */
+  if (++mrb->ecall_nest > MRB_ECALL_DEPTH_MAX) {
    mrb_exc_raise(mrb, mrb_obj_value(mrb->stack_err));
  }
  p = c->ensure[i];
@@ -372,6 +373,7 @@ ecall(mrb_state *mrb)
  c->ci = c->cibase + cioff;
  if (!mrb->exc) mrb->exc = exc;
  mrb_gc_arena_restore(mrb, ai);
+  mrb->ecall_nest--;
 }
 #ifndef MRB_FUNCALL_ARGC_MAX