authorYusuke Endoh <mame@ruby-lang.org>2024-11-28 13:57:56 +0900
committerYusuke Endoh <mame@ruby-lang.org>2024-11-28 14:49:37 +0900
commit38f76cb57a3829653c0dbfc9b6c51d3501b92ca1 (patch)
tree09b1776e943b015fabdf4600a4d2fa942e3797fa
parentc0e607cef1fb6e1795b0969c1533b63dc349d484 (diff)
Avoid an operation on a pointer after free
A follow-up to ef59175a68c448fe334125824b477a9e1d5629bc. That commit uses `&body->local_table[...]` but `body->local_table` is already freed. I think it is undefined behavior to calculate a pointer that exceeds the bound by more than 1. This change moves the free of `body->local_table` to after the calculation. Coverity Scan found this issue.
Notes
Notes: Merged: https://github.com/ruby/ruby/pull/12194
-rw-r--r--iseq.c4
1 files changed, 2 insertions, 2 deletions
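--- a/iseq.c
+++ b/iseq.c
@@ -179,8 +179,6 @@ rb_iseq_free(const rb_iseq_t *iseq)
 #if VM_INSN_INFO_TABLE_IMPL == 2
 ruby_xfree(body->insns_info.succ_index_table);
 #endif
- if (LIKELY(body->local_table != rb_iseq_shared_exc_local_tbl))
- ruby_xfree((void *)body->local_table);
 ruby_xfree((void *)body->is_entries);
 ruby_xfree(body->call_data);
 ruby_xfree((void *)body->catch_table);
@@ -199,6 +197,8 @@ rb_iseq_free(const rb_iseq_t *iseq)
 }
 ruby_xfree((void *)body->param.keyword);
 }
+ if (LIKELY(body->local_table != rb_iseq_shared_exc_local_tbl))
+ ruby_xfree((void *)body->local_table);
 compile_data_free(ISEQ_COMPILE_DATA(iseq));
 if (body->outer_variables) rb_id_table_free(body->outer_variables);
 ruby_xfree(body);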
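Review bot: The ordering constraint this move relies on is left implicit at the new position of the free in the second hunk — nothing marks that `body->local_table` must outlive the `param.keyword` cleanup that indexes into it, so a later reorder of rb_iseq_free could silently reintroduce the use-after-free. A one-line comment above the moved `if (LIKELY(...))` would pin it: `/* Must stay after the param.keyword cleanup above, which computes pointers into body->local_table. */`. Note that pointer arithmetic on a freed pointer is undefined regardless of whether the result stays within the old bounds, so the comment should not suggest an in-bounds index would be safe. The keyword cleanup itself lies between the two hunks and rb_iseq_free begins before the first, so this page does not show whether any other reference to `body->local_table` remains after the new free; that is worth confirming against the full function.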