
2017-07-05

2017-07-05 08:04:14 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Runtime: Fixed dereference and/or free of uninitialized pointer.

The PIKE_FRAME_SAVE_LOCALS flag was unintentionally propagated
to the current frame by unlink_previous_frame(), and the
corresponding pointer is not cleared by alloc_pike_frame(), so
previously freed memory could be written to by e.g. F_SAVE_LOCALS,
and would be freed again by e.g. really_free_pike_frame().

Fixes testsuite failures.

Also adds some related paranoia regarding the flag.

1970:    DO_IF_DEBUG(    if(X->flags & PIKE_FRAME_MALLOCED_LOCALS)    Pike_fatal("Pike frame is not supposed to have malloced locals here!\n")); -  if (X->flags & PIKE_FRAME_SAVE_LOCALS) +  if (X->flags & PIKE_FRAME_SAVE_LOCALS) {    free(X->save_locals_bitmask); -  +  X->flags &= ~PIKE_FRAME_SAVE_LOCALS; +  }    DO_IF_DMALLOC(    X->current_program=0;    X->context=0;
2617:    */    frame_set_save_sp(current, frame_get_save_sp(prev));    current->save_mark_sp=prev->save_mark_sp; -  current->flags = prev->flags; +  current->flags = prev->flags & PIKE_FRAME_RETURN_MASK;       /* Unlink the top frame temporarily. */    Pike_interpreter.frame_pointer=prev;
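Review bot: In the first hunk (the frame-freeing block at 1970), the dangling pointer survives the fix: after `free(X->save_locals_bitmask);` the flag is cleared but `X->save_locals_bitmask` itself still points at freed memory, and the commit message says alloc_pike_frame() does not clear that field either. Suggest adding `X->save_locals_bitmask = NULL;` inside the new braces so a reused frame can never carry a stale pointer even if some other path sets PIKE_FRAME_SAVE_LOCALS again before the field is reinitialised; a `DO_IF_DEBUG` check that the pointer is NULL when the flag is clear would make the "related paranoia" mentioned in the message verifiable.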
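Review bot: In the second hunk (unlink_previous_frame() at 2617), the new `current->flags = prev->flags & PIKE_FRAME_RETURN_MASK;` silently changes which flags a frame inherits, and the reason is not visible at the call site. Suggest a one-line comment such as `/* Only inherit return flags; SAVE_LOCALS/MALLOCED_LOCALS describe prev's own storage. */` so nobody restores the plain copy later, and confirm that PIKE_FRAME_RETURN_MASK (not shown in this hunk) covers every flag that is actually meant to carry over, since any bit outside the mask is now dropped rather than copied.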