From 5f01fba001c478834d97d8abf88b0cb6e235d436 Mon Sep 17 00:00:00 2001
From: Yusuke Endoh
Date: Thu, 17 Feb 2022 00:36:08 +0900
Subject: yjit_codegen.c: Prevent a possible out-of-bound access

The code attempts to read `C_ARG_REGS[leaf_builtin->argc + 1]`, and the size of `C_ARG_REGS` is `NUM_C_ARG_REGS`. So, the guard condition must be `leaf_builtin->argc + 1 + 1 <= NUM_C_ARG_REGS`. This change fixes the off-by-one error. This issue was found by Coverity Scan.
---
 yjit_codegen.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'yjit_codegen.c')

diff --git a/yjit_codegen.c b/yjit_codegen.c
index afecf2fbf5..155aa4a41c 100644
--- a/yjit_codegen.c
+++ b/yjit_codegen.c
@@ -3702,7 +3702,7 @@ gen_send_iseq(jitstate_t *jit, ctx_t *ctx, const struct rb_callinfo *ci, const r
     const struct rb_builtin_function *leaf_builtin = rb_leaf_builtin_function(iseq);
-    if (leaf_builtin && !block && leaf_builtin->argc + 1 <= NUM_C_ARG_REGS) {
+    if (leaf_builtin && !block && leaf_builtin->argc + 1 /* for self */ + 1 /* for ec */ <= NUM_C_ARG_REGS) {
         ADD_COMMENT(cb, "inlined leaf builtin");
         // Call the builtin func (ec, recv, arg1, arg2, ...)
-- 
cgit v1.2.3
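Review bot: The corrected guard on the `+` line is right only for as long as the code below it (outside this hunk, in gen_send_iseq, whose body starts and ends outside the hunk) keeps `C_ARG_REGS[leaf_builtin->argc + 1]` as its highest index; nothing in the condition ties the two together, so a later change to the argument layout can silently reintroduce the overrun. Rather than the inline `/* for self */ + 1 /* for ec */` fragments, which make the expression hard to scan, a comment line above the `if`, e.g. `// ec and self occupy two C argument registers ahead of the builtin's argc args, so argc + 2 registers are needed`, states the invariant once, and a `RUBY_ASSERT(leaf_builtin->argc + 1 < NUM_C_ARG_REGS);` beside the indexing site checks the bound where the array is actually read. If `argc` is a signed type, a negative value would also pass this guard; presumably builtins never carry one, but `leaf_builtin->argc >= 0 &&` in the condition would make that assumption explicit.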