Skip to content

M
mruby
Commit a137ef12 authored by dearblue's avatar dearblue
Browse files
Options

Get object properties after `mrb_get_args()` 

ref. #5613

I checked with Valgrind, and the methods that can cause use-after-free are `Array#rotate`, `Array#rotate!`, and `String#byteslice`.
Since `String#rindex` uses `RSTRING_LEN()` indirectly inside the function, no reference to the out-of-bounds range is generated.
parent 41e8b210
Show whitespace changes
Inline Side-by-side
Showing with 15 additions and 7 deletions
mrbgems/mruby-array-ext/src/array.c
View file @ a137ef12
...@@ -264,12 +264,14 @@ mrb_ary_compact_bang(mrb_state *mrb, mrb_value self) ...@@ -264,12 +264,14 @@ mrb_ary_compact_bang(mrb_state *mrb, mrb_value self)
static mrb_value static mrb_value
mrb_ary_rotate(mrb_state *mrb, mrb_value self) mrb_ary_rotate(mrb_state *mrb, mrb_value self)
{ {
mrb_int count=1;
mrb_get_args(mrb, "|i", &count);
mrb_value ary = mrb_ary_new(mrb); mrb_value ary = mrb_ary_new(mrb);
mrb_int len = RARRAY_LEN(self); mrb_int len = RARRAY_LEN(self);
mrb_value *p = RARRAY_PTR(self); mrb_value *p = RARRAY_PTR(self);
mrb_int count=1, idx; mrb_int idx;
mrb_get_args(mrb, "|i", &count);
if (len <= 0) return ary; if (len <= 0) return ary;
if (count < 0) { if (count < 0) {
idx = len - (~count % len) - 1; idx = len - (~count % len) - 1;
...@@ -313,12 +315,14 @@ rev(mrb_value *p, mrb_int beg, mrb_int end) ...@@ -313,12 +315,14 @@ rev(mrb_value *p, mrb_int beg, mrb_int end)
static mrb_value static mrb_value
mrb_ary_rotate_bang(mrb_state *mrb, mrb_value self) mrb_ary_rotate_bang(mrb_state *mrb, mrb_value self)
{ {
mrb_int count=1;
mrb_get_args(mrb, "|i", &count);
struct RArray *a = mrb_ary_ptr(self); struct RArray *a = mrb_ary_ptr(self);
mrb_int len = ARY_LEN(a); mrb_int len = ARY_LEN(a);
mrb_value *p = ARY_PTR(a); mrb_value *p = ARY_PTR(a);
mrb_int count=1, idx; mrb_int idx;
mrb_get_args(mrb, "|i", &count);
mrb_ary_modify(mrb, a); mrb_ary_modify(mrb, a);
if (len == 0 || count == 0) return self; if (len == 0 || count == 0) return self;
if (count == 1) { if (count == 1) {
......
src/string.c
View file @ a137ef12
...@@ -2047,9 +2047,11 @@ static mrb_value ...@@ -2047,9 +2047,11 @@ static mrb_value
mrb_str_rindex(mrb_state *mrb, mrb_value str) mrb_str_rindex(mrb_state *mrb, mrb_value str)
{ {
mrb_value sub; mrb_value sub;
mrb_int pos, len = RSTRING_CHAR_LEN(str); mrb_int pos;
int argc = mrb_get_args(mrb, "S|i", &sub, &pos);
mrb_int len = RSTRING_CHAR_LEN(str);
if (mrb_get_args(mrb, "S|i", &sub, &pos) == 1) { if (argc == 1) {
pos = len; pos = len;
} }
else { else {
...@@ -2828,16 +2830,18 @@ static mrb_value ...@@ -2828,16 +2830,18 @@ static mrb_value
mrb_str_byteslice(mrb_state *mrb, mrb_value str) mrb_str_byteslice(mrb_state *mrb, mrb_value str)
{ {
mrb_value a1; mrb_value a1;
mrb_int str_len = RSTRING_LEN(str), beg, len; mrb_int str_len, beg, len;
mrb_bool empty = TRUE; mrb_bool empty = TRUE;
len = mrb_get_argc(mrb); len = mrb_get_argc(mrb);
switch (len) { switch (len) {
case 2: case 2:
mrb_get_args(mrb, "ii", &beg, &len); mrb_get_args(mrb, "ii", &beg, &len);
str_len = RSTRING_LEN(str);
break; break;
case 1: case 1:
a1 = mrb_get_arg1(mrb); a1 = mrb_get_arg1(mrb);
str_len = RSTRING_LEN(str);
if (mrb_range_p(a1)) { if (mrb_range_p(a1)) {
if (mrb_range_beg_len(mrb, a1, &beg, &len, str_len, TRUE) != MRB_RANGE_OK) { if (mrb_range_beg_len(mrb, a1, &beg, &len, str_len, TRUE) != MRB_RANGE_OK) {
return mrb_nil_value(); return mrb_nil_value();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment