From ed65d04b816a4fc90f7656b9beb24ae741186485 Mon Sep 17 00:00:00 2001
From: Calvin Rose
Date: Sun, 7 Apr 2019 15:14:54 -0400
Subject: [PATCH] Fix peg bug with arguments.

By holding on a reference to argv for a long time, we may trigger a use after free bug if the stack is resized. In janet c function, argv is only vvalid up until the next stack operation on the fiber. We could say that this is the dynamic lifetime of argv. To fix this, we copy extra arguments into a tuple, which is properly garbage collected.
---
 src/core/peg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/core/peg.c b/src/core/peg.c
index c5745dd5..1866ab8d 100644
--- a/src/core/peg.c
+++ b/src/core/peg.c
@@ -1033,7 +1033,7 @@ static Janet cfun_peg_match(int32_t argc, Janet *argv) {
     if (argc > 2) {
         start = janet_gethalfrange(argv, 2, bytes.len, "offset");
         s.extrac = argc - 3;
-        s.extrav = argv + 3;
+        s.extrav = janet_tuple_n(argv + 3, argc - 3);
     } else {
         start = 0;
         s.extrac = 0;
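Review bot: The tuple created on the `+` line is reachable only through the C-stack match state `s`, so its lifetime now rests on the collector not running between this assignment and the last read of `s.extrav`; if any rule in the matcher can re-enter the VM and trigger a collection, the tuple would need to be rooted or the state kept reachable — please confirm that no collection can happen during the match. A comment stating why the copy exists would help the next reader, e.g. `/* argv is only valid until the next stack operation on the fiber; copy the extras into a GC-managed tuple */`. Minor: `argc - 3` is already stored in `s.extrac` on the previous line, so `s.extrav = janet_tuple_n(argv + 3, s.extrac);` avoids repeating the expression. If the `extrav` field is declared `Janet *` rather than `const Janet *`, this assignment drops a qualifier, since `janet_tuple_n` returns a const pointer; the declaration is outside the hunk, as is the rest of cfun_peg_match, which begins before and continues after it.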