authorMike Pall <mike>2022-12-07 17:19:29 +0100
committerMike Pall <mike>2022-12-07 17:19:29 +0100
commitcc96ab9d513582703f8663a8775a935b56db32b7 (patch)
treee30f386a3eb8365aff7a0a51a072f212326f1461
parent1c5113aea9b5b8c1477332b8b3aa3cf47372b596 (diff)
FFI: Fix dangling reference to CType. Improve checks.
Reported by elmknot.
-rw-r--r--src/lj_crecord.c4
-rw-r--r--src/lj_ctype.c12
2 files changed, 16 insertions, 0 deletions
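--- a/src/lj_crecord.c
+++ b/src/lj_crecord.c
@@ -1396,9 +1396,13 @@ void LJ_FASTCALL recff_cdata_arith(jit_State *J, RecordFFData *rd)
 if (ctype_isenum(ct->info)) ct = ctype_child(cts, ct);
 goto ok;
 } else if (ctype_isfunc(ct->info)) {
+CTypeID id0 = i ? ctype_typeid(cts, s[0]) : 0;
 tr = emitir(IRT(IR_FLOAD, IRT_PTR), tr, IRFL_CDATA_PTR);
 ct = ctype_get(cts,
 lj_ctype_intern(cts, CTINFO(CT_PTR, CTALIGN_PTR|id), CTSIZE_PTR));
+if (i) {
+s[0] = ctype_get(cts, id0); /* cts->tab may have been reallocated. */
+}
 goto ok;
 } else {
 tr = emitir(IRT(IR_ADD, IRT_PTR), tr, lj_ir_kintp(J, sizeof(GCcdata)));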
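Review bot: The re-fetch at new line 1404 covers only s[0], and the `if (i)` guard is what keeps ctype_typeid() on new line 1399 from subtracting an uninitialized s[0] for the first operand; that precondition is worth stating next to the fix, e.g. `/* s[0] is only valid once i != 0. lj_ctype_intern() may reallocate cts->tab, so the CType is saved by ID and re-fetched. */`. The same save-ID/re-fetch treatment is needed for any other `CType *` local that recff_cdata_arith holds across the lj_ctype_intern() call; the function starts and ends outside the hunk, so that cannot be confirmed here. The `id` folded into CTINFO() appears to be a type ID rather than a pointer into the table, so it looks unaffected by the reallocation.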
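--- a/src/lj_ctype.c
+++ b/src/lj_ctype.c
@@ -187,8 +187,20 @@ CTypeID lj_ctype_intern(CTState *cts, CTInfo info, CTSize size)
 }
 id = cts->top;
 if (LJ_UNLIKELY(id >= cts->sizetab)) {
+#ifdef LUAJIT_CTYPE_CHECK_ANCHOR
+CType *ct;
+#endif
 if (id >= CTID_MAX) lj_err_msg(cts->L, LJ_ERR_TABOV);
+#ifdef LUAJIT_CTYPE_CHECK_ANCHOR
+ct = lj_mem_newvec(cts->L, id+1, CType);
+memcpy(ct, cts->tab, id*sizeof(CType));
+memset(cts->tab, 0, id*sizeof(CType));
+lj_mem_freevec(cts->g, cts->tab, cts->sizetab, CType);
+cts->tab = ct;
+cts->sizetab = id+1;
+#else
 lj_mem_growvec(cts->L, cts->tab, cts->sizetab, CTID_MAX, CType);
+#endif
 }
 cts->top = id+1;
 cts->tab[id].info = info;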
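Review bot: The LUAJIT_CTYPE_CHECK_ANCHOR branch at new lines 194-201 has no comment saying what it is for: it replaces the amortized lj_mem_growvec() with a fresh vector of exactly id+1 entries, zero-fills and frees the old table, so cts->tab moves on every growth and a CType pointer held across lj_ctype_intern() reads zeroed or freed memory instead of silently working. Because sizetab becomes id+1, every later intern takes this path again, so this is a debugging-only switch with a full copy per intern; state that above the first #ifdef, e.g. `/* Debug aid: move cts->tab on every growth and poison the old table, so stale CType pointers held across lj_ctype_intern() fail loudly. Not for production builds. */`. The zero-fill only makes the stale read deterministic until the freed block is reused, so a sanitizer build remains the stronger check; the allocator behaviour behind lj_mem_freevec() is not visible here. The reallocation contract is also worth recording on lj_ctype_intern()'s declaration, since the enclosing function starts outside the hunk.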