Address #336 case 4

Set funcenv fields to NULL before any possible panics.
2020-04-05 19:18:59 -05:00 · 2020-04-05 19:18:59 -05:00 · fcc610f539
parent 5bbd507858
commit fcc610f539
2 changed files with 16 additions and 1 deletions
--- a/src/core/marsh.c
+++ b/src/core/marsh.c
@ -711,8 +711,9 @@ static const uint8_t *unmarshal_one_env(
        JanetFuncEnv *env = janet_gcalloc(JANET_MEMORY_FUNCENV, sizeof(JanetFuncEnv));
        env->length = 0;
        env->offset = 0;
+        env->as.values = NULL;
        janet_v_push(st->lookup_envs, env);
-        int32_t offset = readint(st, &data);
+        int32_t offset = readnat(st, &data);
        int32_t length = readnat(st, &data);
        if (offset > 0) {
            Janet fiberv;
@ -727,6 +728,9 @@ static const uint8_t *unmarshal_one_env(
                janet_panic("invalid funcenv length");
        } else {
            /* Off stack variant */
+            if (length == 0) {
+                janet_panic("invalid funcenv length");
+            }
            env->as.values = malloc(sizeof(Janet) * (size_t) length);
            if (!env->as.values) {
                JANET_OUT_OF_MEMORY;
@ -980,6 +984,9 @@ static const uint8_t *unmarshal_one_fiber(
            frameflags &= ~JANET_STACKFRAME_HASENV;
            int32_t offset = stack;
            int32_t length = stacktop - stack;
+            if (length <= 0) {
+                janet_panic("invalid funcenv length");
+            }
            data = unmarshal_one_env(st, data, &env, flags + 1);
            if (env->offset != 0 && env->offset != offset)
                janet_panic("funcenv offset does not match fiber frame");
--- a/test/suite8.janet
+++ b/test/suite8.janet
@ -213,5 +213,13 @@
 (assert-error "unmarshal errors 1" (unmarshal @"\xd6\xb9\xb9"))
 (assert-error "unmarshal errors 2" (unmarshal @"\xd7bc"))
 (assert-error "unmarshal errors 3" (unmarshal "\xd3\x01\xd9\x01\x62\xcf\x03\x78\x79\x7a" load-image-dict))
+(assert-error "unmarshal errors 4"
+              (unmarshal
+                @"\xD7\xCD\0e/p\x98\0\0\x03\x01\x01\x01\x02\0\0\x04\0\xCEe/p../tools
+                \0\0\0/afl\0\0\x01\0erate\xDE\xDE\xDE\xDE\xDE\xDE\xDE\xDE\xDE\xDE
+                \xA8\xDE\xDE\xDE\xDE\xDE\xDE\0\0\0\xDE\xDE_unmarshal_testcase3.ja
+                neldb\0\0\0\xD8\x05printG\x01\0\xDE\xDE\xDE'\x03\0marshal_tes/\x02
+                \0\0\0\0\0*\xFE\x01\04\x02\0\0'\x03\0\r\0\r\0\r\0\r" load-image-dict))
+

 (end-suite)