From 4160fb70403f6ed8b13d293deaf73e39dcc6d4dc Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Wed, 16 Jan 2019 18:55:16 +0300
Subject: [PATCH] Fixed heap-use-after-free introduced in 045ba10db769.
---
 njs/njs_function.c | 3 ++-
 njs/njs_vm.c | 5 ++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/njs/njs_function.c b/njs/njs_function.c
index a831ecd0..b9ddf0e6 100644
--- a/njs/njs_function.c
+++ b/njs/njs_function.c
@@ -528,7 +528,6 @@ njs_function_native_call(njs_vm_t *vm, njs_function_native_t native,
 frame = vm->top_frame;
 vm->top_frame = njs_function_previous_frame(frame);
- njs_function_frame_free(vm, frame);
 /*
 * If a retval is in a callee arguments scope it
@@ -552,6 +551,8 @@ njs_function_native_call(njs_vm_t *vm, njs_function_native_t native,
 *value = vm->retval;
 }
+ njs_function_frame_free(vm, frame);
+
 return NXT_OK;
 }
diff --git a/njs/njs_vm.c b/njs/njs_vm.c
index 0a5d4faa..d182e707 100644
--- a/njs/njs_vm.c
+++ b/njs/njs_vm.c
@@ -2287,12 +2287,15 @@ const njs_vmcode_generic_t njs_continuation_nexus[] = {
 static njs_ret_t
 njs_vmcode_continuation(njs_vm_t *vm, njs_value_t *invld1, njs_value_t *invld2)
 {
+ u_char *return_address;
 njs_ret_t ret;
 njs_native_frame_t *frame;
 njs_continuation_t *cont;
 frame = vm->top_frame;
+ cont = njs_vm_continuation(vm);
+ return_address = cont->return_address;
 ret = njs_function_native_call(vm, cont->function, frame->arguments,
 cont->args_types, frame->nargs,
@@ -2300,7 +2303,7 @@ njs_vmcode_continuation(njs_vm_t *vm, njs_value_t *invld1, njs_value_t *invld2)
 switch (ret) {
 case NXT_OK:
- vm->current = cont->return_address;
+ vm->current = return_address;
 /* Fall through. */
 case NJS_APPLIED:
-- 
2.47.3
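Review bot: The relocated `njs_function_frame_free(vm, frame)` now runs only after `*value = vm->retval` has been copied out, which is what closes the use-after-free, but the ordering constraint is implied only by the comment much further up and nothing at the free site itself says why it must stay last. A one-line comment there would keep a future refactor from hoisting it back: `/* Freed last: vm->retval may still point into this frame's argument scope. */`. If any path between the old free site and this one leaves the function early (not visible in the hunk), that path no longer frees the frame and now leaks it, which is worth confirming against the full function. njs_function_native_call begins outside the hunk.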
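Review bot: `cont` (and `frame`) remain live locals after `njs_function_native_call()` returns, and if, as this fix implies, the continuation is stored inside the frame that call frees, both are dangling pointers from that point on; caching `return_address` fixes the one read in the NXT_OK case, but nothing prevents a later `cont->` or `frame->` access in the remaining switch cases or error handling (outside the hunk) from reintroducing the same heap-use-after-free. Either copy every field that is needed after the call alongside `return_address`, or document the hazard next to the call: `/* cont and frame live in the frame released by njs_function_native_call(); do not dereference them after it returns. */`. Note that the hunk shows no removed assignment to `cont`, so presumably the old assignment site is elsewhere in the function; it would be worth checking that it does not now run a second time on freed memory. The function body continues outside the hunk.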