2020-08-11 20:39:58 by Tobias S. Josefowitz <tobij@tobij.de>

Array: array_search() may not change needle's type

If the needle supplied to array_search() was a destructed object,
array_search() would convert it to (PIKE_T_INT,NUMBER_DESTRUCTED)-type 0
in-place.

Since array_search() is sometimes called with the needle residing in
another array - for example when ORing arrays - this would introduce
PIKE_T_INT items into such arrays without reflecting this in said
array's type_field.

If the type_field then later on (still) only had BIT_OBJECT set,
we would call free_object() on the thus introduced PIKE_T_INT when
freeing array items, leading straight to a segmentation fault.
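A toy C model of the hazard the message describes, added here as an illustration and not Pike's own code: the svalue, array, type_field and search functions are simplified stand-ins, and safe_check_destructed() is assumed to report a destructed needle without rewriting it.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy model: two item types and the summary bits an array keeps for them. */
enum { T_INT = 0, T_OBJECT = 1, BIT_INT = 1 << T_INT, BIT_OBJECT = 1 << T_OBJECT };

struct object { bool destructed; };
struct svalue { int type; union { long integer; struct object *obj; } u; };
/* Invariant: every item's type bit is set in type_field. A freeing loop that
 * sees only BIT_OBJECT calls free_object() on every item, ints included. */
struct array { size_t size; unsigned type_field; struct svalue item[4]; };

/* Checker: does type_field still cover the actual item types? */
bool type_field_consistent(const struct array *v) {
    unsigned seen = 0;
    for (size_t i = 0; i < v->size; i++) seen |= 1u << v->item[i].type;
    return (seen & ~v->type_field) == 0;
}

static bool sv_eq(const struct svalue *x, const struct svalue *y) {
    if (x->type != y->type) return false;
    return x->type == T_INT ? x->u.integer == y->u.integer : x->u.obj == y->u.obj;
}

/* Old behaviour (models check_destructed()): a destructed-object needle is
 * rewritten to int 0 in place, behind the back of whatever array owns it. */
ptrdiff_t search_mutating(const struct array *v, struct svalue *s) {
    if (s->type == T_OBJECT && s->u.obj->destructed) { s->type = T_INT; s->u.integer = 0; }
    for (size_t i = 0; i < v->size; i++) if (sv_eq(&v->item[i], s)) return (ptrdiff_t)i;
    return -1;
}

/* Fixed behaviour (models the const needle with safe_check_destructed(), assumed
 * here to report rather than rewrite): a destructed needle is simply not there. */
ptrdiff_t search_const(const struct array *v, const struct svalue *s) {
    if (s->type == T_OBJECT && s->u.obj->destructed) return -1;
    for (size_t i = 0; i < v->size; i++) if (sv_eq(&v->item[i], s)) return (ptrdiff_t)i;
    return -1;
}

/* The commit's scenario: the needle is item 0 of array `a` (type_field ==
 * BIT_OBJECT) and is searched for in array `b` (constructed data). Returns
 * whether a's type_field still describes its contents afterwards. */
bool needle_array_consistent_after_search(bool use_fixed) {
    struct object dead = { .destructed = true };
    struct array a = { 1, BIT_OBJECT, { { T_OBJECT, { .obj = &dead } } } };
    struct array b = { 1, BIT_INT, { { T_INT, { .integer = 0 } } } };
    if (use_fixed) search_const(&b, &a.item[0]); else search_mutating(&b, &a.item[0]);
    return type_field_consistent(&a);
}
```

With the old path the dead-object needle is silently turned into an int that then matches an unrelated int 0 in the haystack, while its owning array's type_field still claims it holds only objects.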

646:    }   }    - static ptrdiff_t fast_array_search( struct array *v, struct svalue *s, ptrdiff_t start ) + static ptrdiff_t fast_array_search( struct array *v, const struct svalue *s, +  ptrdiff_t start )   {    ptrdiff_t e;    struct svalue *ip = ITEM(v);
663:    * @param start the index to start search at    * @return the index if found, -1 otherwise    */ - PMOD_EXPORT ptrdiff_t array_search(struct array *v, struct svalue *s, + PMOD_EXPORT ptrdiff_t array_search(struct array *v, const struct svalue *s,    ptrdiff_t start)   {   #ifdef PIKE_DEBUG
673: Inside #if defined(PIKE_DEBUG)
  #ifdef PIKE_DEBUG    if(d_flag > 1) array_check_type_field(v);   #endif -  check_destructed(s); +  safe_check_destructed(s);       /* Why search for something that is not there?    * however, we must explicitly check for searches
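Review bot: the const-qualified signatures of `fast_array_search()` and `array_search()` (first two hunks) need the matching prototype in the exported header to change as well, and this patch only shows the definitions in the .c file; without the header update, every external caller compiles against `PMOD_EXPORT ptrdiff_t array_search(struct array *v, struct svalue *s, ptrdiff_t start)` and gets a conflicting-types error, so please confirm the declaration is updated in the same commit.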
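Review bot: the `safe_check_destructed(s)` call in the last hunk is where the behavioural fix lives, yet nothing at the call site says why the needle must not be normalised; a one-line comment there (the needle may live inside another array whose type_field would not be updated, per the commit message) would stop a future reader from reintroducing the in-place conversion, since the existing comment just above it only talks about why searching for a missing value is pointless.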