mirrors/janet
1
0
Fork 0
mirror of https://github.com/janet-lang/janet synced 2025-05-05 08:54:15 +00:00
Code Issues 1 Releases Wiki Activity

Address similar issue to #86

Browse Source 
buffer/blit could trigger a use after free if a buffer is
blitted with itself and modifies its length.
This commit is contained in:
Calvin Rose 2019-05-08 08:55:43 -04:00
parent ff720f1320
commit 65ac17986a
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/core/buffer.c
View File

@ -296,6 +296,7 @@ static Janet cfun_buffer_blit(int32_t argc, Janet *argv) {
janet_arity(argc, 2, 5); janet_arity(argc, 2, 5);
JanetBuffer *dest = janet_getbuffer(argv, 0); JanetBuffer *dest = janet_getbuffer(argv, 0);
JanetByteView src = janet_getbytes(argv, 1); JanetByteView src = janet_getbytes(argv, 1);
int same_buf = src.bytes == dest->data;
int32_t offset_dest = 0; int32_t offset_dest = 0;
int32_t offset_src = 0; int32_t offset_src = 0;
if (argc > 2) if (argc > 2)
@ -314,6 +315,7 @@ static Janet cfun_buffer_blit(int32_t argc, Janet *argv) {
if (last > INT32_MAX) if (last > INT32_MAX)
janet_panic("buffer blit out of range"); janet_panic("buffer blit out of range");
janet_buffer_ensure(dest, (int32_t) last, 2); janet_buffer_ensure(dest, (int32_t) last, 2);
if (same_buf) src.bytes = dest->data;
if (last > dest->count) dest->count = (int32_t) last; if (last > dest->count) dest->count = (int32_t) last;
memcpy(dest->data + offset_dest, src.bytes + offset_src, length_src); memcpy(dest->data + offset_dest, src.bytes + offset_src, length_src);
return argv[0]; return argv[0];

8
test/suite2.janet
View File

@ -46,6 +46,14 @@
(assert (= txs '[[-1 -1] [-1 0] [-1 1] [0 -1] [0 1] [1 -1] [1 0] [1 1]]) "nested seq") (assert (= txs '[[-1 -1] [-1 0] [-1 1] [0 -1] [0 1] [1 -1] [1 0] [1 1]]) "nested seq")
# Buffer self blitting, check for use after free
(def buf1 @"1234567890")
(buffer/blit buf1 buf1 -1)
(buffer/blit buf1 buf1 -1)
(buffer/blit buf1 buf1 -1)
(buffer/blit buf1 buf1 -1)
(assert (= (string buf1) (string/repeat "1234567890" 16)) "buffer blit against self")
# Generators # Generators
(def gen (generate [x :range [0 100] :when (pos? (% x 4))] x)) (def gen (generate [x :range [0 100] :when (pos? (% x 4))] x))
(var gencount 0) (var gencount 0)