Merge pull request #2728 from govm/fix-dereference-invalid-argv

fix pointer dereference after realloc

Merge pull request #2728 from govm/fix-dereference-invalid-argv
fix pointer dereference after realloc
d0bc006a · Yukihiro "Matz" Matsumoto · 44d8a40b · 42d23084 · d0bc006a
Commit d0bc006a authored Feb 24, 2015 by Yukihiro "Matz" Matsumoto
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

src/vm.c src/vm.c +7 -0

No files found.
--- a/src/vm.c
+++ b/src/vm.c
@@ -340,6 +340,7 @@ mrb_funcall_with_block(mrb_state *mrb, mrb_value self, mrb_sym mid, mrb_int argc
    mrb_sym undef = 0;
    mrb_callinfo *ci;
    int n;
+    ptrdiff_t voff = -1;
    if (!mrb->c->stack) {
      stack_init(mrb);
@@ -363,6 +364,9 @@ mrb_funcall_with_block(mrb_state *mrb, mrb_value self, mrb_sym mid, mrb_int argc
    ci->argc = argc;
    ci->target_class = c;
    mrb->c->stack = mrb->c->stack + n;
+    if (mrb->c->stbase <= argv && argv < mrb->c->stend) {
+      voff = argv - mrb->c->stbase;
+    }
    if (MRB_PROC_CFUNC_P(p)) {
      ci->nregs = argc + 2;
      stack_extend(mrb, ci->nregs, 0);
@@ -371,6 +375,9 @@ mrb_funcall_with_block(mrb_state *mrb, mrb_value self, mrb_sym mid, mrb_int argc
      ci->nregs = p->body.irep->nregs + n;
      stack_extend(mrb, ci->nregs, argc+2);
    }
+    if (voff >= 0) {
+      argv = mrb->c->stbase + voff;
+    }
    mrb->c->stack[0] = self;
    if (undef) {
      mrb->c->stack[1] = mrb_symbol_value(undef);