From 355862530b9ccefe06f3cf339fc9437758cff9a4 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Tue, 11 Sep 2018 15:35:27 +0300
Subject: [PATCH] Fixed macro for aligned size of njs_frame_t struct.

NJS_FRAME_SIZE did not take into account the variable length of closures array.
This can result in overlapping addresses for native_frame->arguments and frame->closures[n],
---
 njs/njs_function.c | 8 ++++----
 njs/njs_function.h | 5 +++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/njs/njs_function.c b/njs/njs_function.c
index 1c31670e..96d50d8a 100644
--- a/njs/njs_function.c
+++ b/njs/njs_function.c
@@ -166,10 +166,9 @@ njs_function_frame(njs_vm_t *vm, njs_function_t *function,
 
     closures = lambda->nesting + lambda->block_closures;
 
-    size = NJS_FRAME_SIZE
+    size = njs_frame_size(closures)
            + (function->args_offset + max_args) * sizeof(njs_value_t)
-           + lambda->local_size
-           + closures * sizeof(njs_closure_t *);
+           + lambda->local_size;
 
     native_frame = njs_function_frame_alloc(vm, size);
     if (nxt_slow_path(native_frame == NULL)) {
@@ -182,7 +181,8 @@ njs_function_frame(njs_vm_t *vm, njs_function_t *function,
 
     /* Function arguments. */
 
-    value = (njs_value_t *) ((u_char *) native_frame + NJS_FRAME_SIZE);
+    value = (njs_value_t *) ((u_char *) native_frame
+                             + njs_frame_size(closures));
     native_frame->arguments = value;
 
     bound = function->bound;
diff --git a/njs/njs_function.h b/njs/njs_function.h
index f7ced9d9..a3bfc655 100644
--- a/njs/njs_function.h
+++ b/njs/njs_function.h
@@ -45,8 +45,9 @@ struct njs_function_lambda_s {
     nxt_align_size(sizeof(njs_native_frame_t), sizeof(njs_value_t))
 
 /* The frame size must be aligned to njs_value_t. */
-#define NJS_FRAME_SIZE \
-    nxt_align_size(sizeof(njs_frame_t), sizeof(njs_value_t))
+#define njs_frame_size(closures) \
+    nxt_align_size(sizeof(njs_frame_t) + closures * sizeof(njs_closure_t *), \
+                   sizeof(njs_value_t))
 
 /* The retval field is not used in the global frame. */
 #define NJS_GLOBAL_FRAME_SIZE \
-- 
2.47.3
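Review bot: The aligned frame size is evaluated twice in njs_function_frame — once in this hunk for the allocation and again in the next hunk to place `native_frame->arguments` — and the two sites are only correct while they stay textually identical, which is the same coupling that let the old NJS_FRAME_SIZE drift from the closures term. Compute it once into a local and use it at both sites: `frame_size = njs_frame_size(closures);`, then `size = frame_size + (function->args_offset + max_args) * sizeof(njs_value_t) + lambda->local_size;` and `value = (njs_value_t *) ((u_char *) native_frame + frame_size);`. That needs a `size_t frame_size;` among the function's locals, which lie outside both hunks, as does the rest of njs_function_frame's body.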
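Review bot: The macro parameter is expanded unparenthesized in `closures * sizeof(njs_closure_t *)`, so a caller passing a compound expression such as `a + b` would get `a + b * sizeof(...)` — a silent under-allocation of exactly the kind this commit fixes. The one caller in this patch passes a plain variable, so the hazard is latent today, but the line should read `nxt_align_size(sizeof(njs_frame_t) + (closures) * sizeof(njs_closure_t *), \`. The comment above the macro should also state what the size now covers, since this macro is the single definition of the layout that both the allocation and the arguments pointer depend on, e.g. `/* The frame size, including the trailing closures array, must be aligned to njs_value_t. */`.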