The function optimize_code() is called, for example
when unpickling code objects. However, with corrupt
data it can cause segfaults.
This is because of code such as:

    tgt = GETJUMPTGT(codestr, (i+1))
    if (codestr[tgt])
        continue;
tgt can in this case easily be some nonsense and
cause an access violation when used as an index into
codestr. This behaviour has been observed.
My particular patch is this:

    /* bail out to exitError on any index outside [0, codelen) */
    #define CHECK_I(i) do { if ((i) < 0 || (i) >= codelen) goto exitError; } while (0)
    /* the two argument bytes following opcode i must exist */
    #define CHECKARG(i) do { CHECK_I((i)+1); CHECK_I((i)+2); } while (0)
    /* opcode i and its argument bytes must all be inside codestr */
    #define CHECKJUMPTGT(i) do { CHECKARG(i); CHECK_I(i); } while (0)
then, adding tests such as

    CHECKJUMPTGT(j);

before code that looks like

    tgt = GETJUMPTGT(j);

and

    CHECK_I(tgt);

before

    codestr[tgt] = foo;
Also, this function needs to be able to raise an
exception. jcompile() must be able to deal with this
case.
Finally, this is also an issue in 2.3 (actually, I
discovered it there, but a quick look seems to
indicate it is a problem in 2.4 too).
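To show the checks above doing their job, here is an added example (not the reporter's patch and not CPython code) that walks a toy bytecode buffer with the same CHECK_I/CHECKARG/CHECKJUMPTGT macros and returns an error instead of indexing out of bounds. The opcode layout, HAVE_ARGUMENT, OP_JUMP_ABSOLUTE, GETARG, GETJUMPTGT and validate_jumps are simplified assumptions made for this example.

```c
#include <stdio.h>
/* Assumed simplified layout (not CPython's real opcode table): opcodes
   >= HAVE_ARGUMENT carry a 2-byte little-endian argument, and
   OP_JUMP_ABSOLUTE's argument is an absolute index into codestr. */
#define HAVE_ARGUMENT 90
#define OP_JUMP_ABSOLUTE 113
#define GETARG(arr, i) (((int)(arr)[(i)+2] << 8) + (arr)[(i)+1])
#define GETJUMPTGT(arr, i) GETARG(arr, i)
/* Bounds checks in the style of the report: bail to exitError on any
   index outside [0, codelen). */
#define CHECK_I(i) do { if ((i) < 0 || (i) >= codelen) goto exitError; } while (0)
#define CHECKARG(i) do { CHECK_I((i)+1); CHECK_I((i)+2); } while (0)
#define CHECKJUMPTGT(i) do { CHECKARG(i); CHECK_I(i); } while (0)

/* Walk the bytecode and validate every jump target before it is used as
   an index. Returns 0 if all is well, -1 on corrupt data (where the real
   optimizer would have to raise an exception instead of segfaulting). */
int validate_jumps(const unsigned char *codestr, int codelen)
{
    int i, tgt;
    for (i = 0; i < codelen; ) {
        int opcode = codestr[i];
        if (opcode == OP_JUMP_ABSOLUTE) {
            CHECKJUMPTGT(i);             /* i, i+1, i+2 must all exist */
            tgt = GETJUMPTGT(codestr, i);
            CHECK_I(tgt);                /* tgt may be nonsense: check it */
            (void)codestr[tgt];          /* now safe to index */
        }
        i += (opcode >= HAVE_ARGUMENT) ? 3 : 1;
    }
    return 0;
exitError:
    return -1;
}

/* Constructed samples: a valid jump, a jump whose target lies far outside
   the buffer, and a jump truncated before its argument bytes. */
static const unsigned char good[]      = { OP_JUMP_ABSOLUTE, 3, 0, 0 };
static const unsigned char bad_tgt[]   = { OP_JUMP_ABSOLUTE, 0xFF, 0x7F };
static const unsigned char truncated[] = { OP_JUMP_ABSOLUTE, 5 };

int check_good(void)      { return validate_jumps(good, (int)sizeof good); }
int check_bad_tgt(void)   { return validate_jumps(bad_tgt, (int)sizeof bad_tgt); }
int check_truncated(void) { return validate_jumps(truncated, (int)sizeof truncated); }

int main(void)
{
    printf("%d %d %d\n", check_good(), check_bad_tgt(), check_truncated());
    return 0;
}
```

Without the checks the second sample would read codestr[32767] from a 3-byte buffer, which is exactly the corrupt-pickle crash described above.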