changeset 32197:aa038131581c

VM: Prevent out-of-bounds read (patch #10365). Prefetching of 'arg0' for single byte opcodes leads to reading past the end of the array that stores the opcodes. * libinterp/parse-tree/pt-bytecode-vm.cc (vm::execute_code): Append dummy opcode.
author Petter T. <petter.vilhelm@gmail.com>
date Sat, 24 Jun 2023 01:19:50 +0200
parents 4b48ab05ba02
children 77cda48abf10
files libinterp/parse-tree/pt-bytecode-walk.cc
diffstat 1 files changed, 5 insertions(+), 1 deletions(-)
--- a/libinterp/parse-tree/pt-bytecode-walk.cc	Thu Jun 15 11:11:37 2023 +0200
+++ b/libinterp/parse-tree/pt-bytecode-walk.cc	Sat Jun 24 01:19:50 2023 +0200
@@ -2314,6 +2314,11 @@
   // Set the amount of locals that has a placeholder since earlier
   SET_CODE_SHORT (m_offset_n_locals, m_n_locals);
 
+  // When the last byte of opcode, a 'RET', is to be executed, the VM reads the
+  // next byte of code and puts it in 'arg0'.  So, we need to add a dummy
+  // opcode afterwards to prevent out-of-bounds reads.
+  PUSH_CODE (INSTR::RET);
+
   // We want to add the locals to the scope in slot order
   // so we push all the locals' names to a vector by their slot
   // number
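Review bot: the ChangeLog entry in the commit message names `libinterp/parse-tree/pt-bytecode-vm.cc (vm::execute_code)`, but this hunk changes `libinterp/parse-tree/pt-bytecode-walk.cc`, in the code-emission path right after `SET_CODE_SHORT (m_offset_n_locals, m_n_locals);`; the entry should name the file and function actually modified so the fix can be located from the log. On the fix itself: the new comment says the VM reads "the next byte of code" into `arg0` when the final `RET` executes, so padding with exactly one `PUSH_CODE (INSTR::RET);` is only sufficient as long as the prefetch is a single byte; it would help to state that invariant explicitly in the comment (e.g. "the prefetch is one byte, so one sentinel suffices") and to note that this sentinel `RET` is never meant to be reached, since the real `RET` before it returns first. Padding the emitted code is a reasonable mitigation, but a reader should also be able to tell from the comment whether the VM-side lookahead is bounded elsewhere or whether this sentinel is the only thing keeping the read in bounds.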
@@ -4952,4 +4957,3 @@
   PUSH_NEED_CONTINUE_TARGET (CODE_SIZE ());
   PUSH_CODE_SHORT (-1); // Placeholder
 }
-
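Review bot: this second hunk only removes the trailing blank line at the end of the file, a whitespace-only cleanup unrelated to the out-of-bounds read and not mentioned in the commit message; it is harmless, but keeping a bug-fix changeset limited to the fix (or noting the cleanup in the message) makes the change easier to review and backport.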