urbit/shrub
1
1
Fork 0
mirror of https://github.com/urbit/shrub.git synced 2024-12-19 08:32:39 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5323 from urbit/jb/ur-jam-overflow

Browse Source 
vere: fixes buffer overflow in off-loom jam
This commit is contained in:
Joe Bryan 2021-10-12 13:16:09 -07:00 committed by GitHub
commit 5ad4548ed5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
pkg/urbit/ur/hashcons.c
View File

@ -937,7 +937,6 @@ struct ur_walk_fore_s {
ur_root_t *r;
uint32_t prev;
uint32_t size;
uint32_t fill;
ur_nref *top;
};
@ -950,7 +949,6 @@ ur_walk_fore_init_with(ur_root_t *r,
w->top = _oom("walk_fore", malloc(s_size * sizeof(*w->top)));
w->prev = s_prev;
w->size = s_size;
w->fill = 0;
w->r = r;
return w;
@ -970,44 +968,41 @@ ur_walk_fore_with(ur_walk_fore_t *w,
ur_bool_t (*cell)(ur_root_t*, ur_nref, void*))
{
ur_root_t *r = w->r;
ur_nref *don = w->top;
uint32_t fill = 1;
w->top += ++w->fill;
*w->top = ref;
while ( w->top != don ) {
do {
// visit atom, pop stack
//
if ( !ur_deep(ref) ) {
atom(r, ref, v);
w->top--; w->fill--;
fill--;
}
// visit cell, pop stack if false
//
else if ( !cell(r, ref, v) ) {
w->top--; w->fill--;
fill--;
}
// push the tail, continue into the head
//
else {
*w->top = ur_tail(r, ref);
w->top[fill++] = ur_tail(r, ref);
// reallocate "stack" if full
//
if ( w->size == w->fill ) {
if ( w->size == fill ) {
uint32_t next = w->prev + w->size;
don = _oom("walk_fore", realloc(don, next * sizeof(*don)));
w->top = don + w->fill;
w->top = _oom("walk_fore", realloc(w->top, next * sizeof(*w->top)));
w->prev = w->size;
w->size = next;
}
w->top++; w->fill++;
*w->top = ur_head(r, ref);
w->top[fill] = ur_head(r, ref);
}
ref = *w->top;
}
ref = w->top[fill];
} while ( fill );
}
void

2
pkg/urbit/ur/serial.c
View File

@ -134,7 +134,7 @@ void
ur_jam_done(ur_jam_t *j)
{
ur_dict_free((ur_dict_t*)&j->dict);
free(j->w);
ur_walk_fore_done(j->w);
free(j);
}