Merge pull request #3991 from take-cheeze/fix_eval_env_gc

Fix possible heap use after free in `mrb_exec_irep` and stack expanding.

Merge pull request #3991 from take-cheeze/fix_eval_env_gc
Fix possible heap use after free in `mrb_exec_irep` and stack expanding.
e9ddb593 · Yukihiro "Matz" Matsumoto · GitHub · f23c3cdd · 26e436e2 · e9ddb593
Unverified Commit e9ddb593 authored Apr 05, 2018 by Yukihiro "Matz" Matsumoto Committed by GitHub Apr 05, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 0 deletions

src/vm.c src/vm.c +12 -0

No files found.
--- a/src/vm.c
+++ b/src/vm.c
@@ -156,6 +156,18 @@ envadjust(mrb_state *mrb, mrb_value *oldbase, mrb_value *newbase, size_t size)

      e->stack = newbase + off;
    }
+
+    if (ci->proc && MRB_PROC_ENV_P(ci->proc) && ci->env != MRB_PROC_ENV(ci->proc)) {
+      e = MRB_PROC_ENV(ci->proc);
+
+      if (e && MRB_ENV_STACK_SHARED_P(e) &&
+          (st = e->stack) && oldbase <= st && st < oldbase+size) {
+        ptrdiff_t off = e->stack - oldbase;
+
+        e->stack = newbase + off;
+      }
+    }
+
    ci->stackent = newbase + (ci->stackent - oldbase);
    ci++;
  }