Fixed heap-use-after-free introduced in 045ba10db769.

diff --git a/njs/njs_function.c b/njs/njs_function.c
index a831ecd0f2680ab4eab6becd510f81a3ee9d32bc..b9ddf0e68ed6fab8e332f5eb2cb3c01e73f48912 100644 (file)
--- a/njs/njs_function.c
+++ b/njs/njs_function.c
@@ -528,7 +528,6 @@ njs_function_native_call(njs_vm_t *vm, njs_function_native_t native,
         frame = vm->top_frame;
 
         vm->top_frame = njs_function_previous_frame(frame);
-        njs_function_frame_free(vm, frame);
 
         /*
          * If a retval is in a callee arguments scope it
@@ -552,6 +551,8 @@ njs_function_native_call(njs_vm_t *vm, njs_function_native_t native,
             *value = vm->retval;
         }
 
+        njs_function_frame_free(vm, frame);
+
         return NXT_OK;
     }
 

diff --git a/njs/njs_vm.c b/njs/njs_vm.c
index 0a5d4faa8a5ce98b53ca555d4337d4684593348c..d182e70784ba9248aa56883949df9a6a11c281d7 100644 (file)
--- a/njs/njs_vm.c
+++ b/njs/njs_vm.c
@@ -2287,12 +2287,15 @@ const njs_vmcode_generic_t  njs_continuation_nexus[] = {
 static njs_ret_t
 njs_vmcode_continuation(njs_vm_t *vm, njs_value_t *invld1, njs_value_t *invld2)
 {
+    u_char              *return_address;
     njs_ret_t           ret;
     njs_native_frame_t  *frame;
     njs_continuation_t  *cont;
 
     frame = vm->top_frame;
+
     cont = njs_vm_continuation(vm);
+    return_address = cont->return_address;
 
     ret = njs_function_native_call(vm, cont->function, frame->arguments,
                                    cont->args_types, frame->nargs,
@@ -2300,7 +2303,7 @@ njs_vmcode_continuation(njs_vm_t *vm, njs_value_t *invld1, njs_value_t *invld2)
 
     switch (ret) {
     case NXT_OK:
-        vm->current = cont->return_address;
+        vm->current = return_address;
         /* Fall through. */
 
     case NJS_APPLIED: