From 38f76cb57a3829653c0dbfc9b6c51d3501b92ca1 Mon Sep 17 00:00:00 2001
From: Yusuke Endoh <mame@ruby-lang.org>
Date: Thu, 28 Nov 2024 13:57:56 +0900
Subject: Avoid an operation on a pointer after free

A follow-up to ef59175a68c448fe334125824b477a9e1d5629bc. That commit
uses `&body->local_table[...]` but `body->local_table` is already freed.
I think it is an undefined behavior to calculate a pointer that exceeds
the bound by more than 1.

This change moves the free of `body->local_table` after the calculation.

Coverity Scan found this issue.
---
 iseq.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/iseq.c b/iseq.c
index 7f59ea0ceb..f5dced4f62 100644
--- a/iseq.c
+++ b/iseq.c
@@ -179,8 +179,6 @@ rb_iseq_free(const rb_iseq_t *iseq)
 #if VM_INSN_INFO_TABLE_IMPL == 2
         ruby_xfree(body->insns_info.succ_index_table);
 #endif
-        if (LIKELY(body->local_table != rb_iseq_shared_exc_local_tbl))
-            ruby_xfree((void *)body->local_table);
         ruby_xfree((void *)body->is_entries);
         ruby_xfree(body->call_data);
         ruby_xfree((void *)body->catch_table);
@@ -199,6 +197,8 @@ rb_iseq_free(const rb_iseq_t *iseq)
             }
             ruby_xfree((void *)body->param.keyword);
         }
+        if (LIKELY(body->local_table != rb_iseq_shared_exc_local_tbl))
+            ruby_xfree((void *)body->local_table);
         compile_data_free(ISEQ_COMPILE_DATA(iseq));
         if (body->outer_variables) rb_id_table_free(body->outer_variables);
         ruby_xfree(body);
-- 
cgit v1.2.3