diff options
author | Yusuke Endoh <mame@ruby-lang.org> | 2022-02-17 00:36:08 +0900 |
---|---|---|
committer | Yusuke Endoh <mame@ruby-lang.org> | 2022-02-17 01:43:59 +0900 |
commit | 5f01fba001c478834d97d8abf88b0cb6e235d436 (patch) | |
tree | 9e5ba47d479dba3eeb200d3323dfc4c542c8e91c /yjit_codegen.c | |
parent | fabf60c93bd742e49d72d3d7728a3977e4555cae (diff) |
yjit_codegen.c: Prevent a possible out-of-bound access
The code attempts to read `C_ARG_REGS[leaf_builtin->argc + 1]`, and the
size of `C_ARG_REGS` is `NUM_C_ARG_REGS`. So, the guard condition must
be `leaf_builtin->argc + 1 + 1 <= NUM_C_ARG_REGS`.
This change fixes the off-by-one error. This issue was found by Coverity
Scan.
Notes
Notes:
Merged: https://github.com/ruby/ruby/pull/5561
Diffstat (limited to 'yjit_codegen.c')
-rw-r--r-- | yjit_codegen.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/yjit_codegen.c b/yjit_codegen.c index afecf2fbf5..155aa4a41c 100644 --- a/yjit_codegen.c +++ b/yjit_codegen.c @@ -3702,7 +3702,7 @@ gen_send_iseq(jitstate_t *jit, ctx_t *ctx, const struct rb_callinfo *ci, const r const struct rb_builtin_function *leaf_builtin = rb_leaf_builtin_function(iseq); - if (leaf_builtin && !block && leaf_builtin->argc + 1 <= NUM_C_ARG_REGS) { + if (leaf_builtin && !block && leaf_builtin->argc + 1 /* for self */ + 1 /* for ec */ <= NUM_C_ARG_REGS) { ADD_COMMENT(cb, "inlined leaf builtin"); // Call the builtin func (ec, recv, arg1, arg2, ...) |