Thanks to visit codestin.com
Credit goes to github.com

Skip to content

vere: fixes buffer overflow in off-loom jam #5323

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 12, 2021
Merged

vere: fixes buffer overflow in off-loom jam #5323

merged 2 commits into from
Oct 12, 2021

Conversation

@joemfb
Copy link
Collaborator

@joemfb joemfb commented Oct 12, 2021

This PR fixes a bug in the use of an explicit "stack" in the preorder noun traversal used for off-loom noun serialization (jam). The bug was a "fencepost" error in resizing the "stack" (just an array), the size was checked before incrementing instead of after as it should have been. The bug was unobservable (at least on MacOS and older versions of the linux build) due to the alignment of the allocations in question.

The implementation was a little too cute with pointer caching, and has been refactored to use the array more conventionally. This PR also fixes a (small) memory leak in the jam handle destructor.

This should unblock testing of or workarounds for #5304.

@joemfb joemfb requested a review from eamsden October 12, 2021 16:29
eamsden
eamsden approved these changes Oct 12, 2021
View reviewed changes
Copy link
Collaborator

@eamsden eamsden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, it follows the old logic very closely but keeps explicit track of how much of the stack is used.

pkg/urbit/ur/hashcons.c
*w->top = ref;

while ( w->top != don ) {
do {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume this is changed to do-while to avoid a branch when we know the first iteration will always happen because of fill = 1 just above?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's right. And we're no longer keeping pointers to both the start and end of the array, so loop condition is changed to just ( fill ).

(The on-loom version of this function is u3a_walk_fore(), which now uses an api for stack manipulation. This code had been written to try to closely match that as it was before the api was introduced. But that was overly-complicated and wrong ... See #3433 and #3490)

@joemfb joemfb merged commit 5ad4548 into release/next-vere Oct 12, 2021
@joemfb joemfb deleted the jb/ur-jam-overflow branch October 12, 2021 20:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eamsden eamsden eamsden approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@joemfb @eamsden