
Commit 5fbad53

committed
dont use mrb_alloca
1 parent cb63ab9 commit 5fbad53

7 files changed

Lines changed: 22 additions & 11 deletions

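--- a/build_config.rb
+++ b/build_config.rb
@@ -4,7 +4,7 @@ def for_windows?
 ('A'..'Z').to_a.any? { |vol| Dir.exist?("#{vol}:") }
 end
 unless for_windows?
-#conf.enable_sanitizer "address,undefined"
+conf.enable_sanitizer "address,undefined"
 end
 conf.cxx.flags << '-fno-omit-frame-pointer' << '-g3' << '-ggdb3' << '-Og'
 conf.cc.flags << '-fno-omit-frame-pointer' << '-g3' << '-ggdb3' << '-Og'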
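Review bot: Enabling `conf.enable_sanitizer "address,undefined"` (line 7) is unrelated to the commit subject ("dont use mrb_alloca") and is mentioned nowhere in the commit record, yet it changes every non-Windows build produced from this config; it deserves its own commit or at least a line in the message. The `unless for_windows?` guard carries no comment on why sanitizers are skipped on Windows, so a one-line comment stating the reason would help the next reader. `conf` is defined outside the hunk.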

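--- a/fuzz/bintest/mruby-cbor-fuzzer.rb
+++ b/fuzz/bintest/mruby-cbor-fuzzer.rb
@@ -12,11 +12,12 @@
 cmd = cmd_list('mruby-cbor-fuzzer') + [
 CORPUS_DIR,
 "-dict=#{DICT_FILE}",
-"-jobs=7",
+"-jobs=3",
 "-artifact_prefix=#{findings_dir}/",
 "-max_len=65536",
-"-ignore_ooms=0",
-"-use_value_profile=1"
+"-ignore_ooms=1",
+"-use_value_profile=1",
+"-rss_limit_mb=3072"
 ]
 
 Dir.chdir(findings_dir) do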
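Review bot: `-ignore_ooms=1` (line 18) stops libFuzzer from reporting out-of-memory as a finding, and together with the new `-rss_limit_mb=3072` an input that drives the decoder past that limit is silently dropped instead of being saved as a crash artifact; unbounded allocation on malformed CBOR is exactly the denial-of-service class this fuzzer should surface. If the switch is deliberate (the sanitizer build enabled in build_config.rb in this same commit plausibly inflates RSS), a comment beside the option recording that reason would stop a later reader from flipping it back blindly; otherwise `-ignore_ooms=0` should stay. The `cmd` assignment is complete within the hunk, but `cmd_list`, `CORPUS_DIR`, `DICT_FILE` and `findings_dir` are defined outside it.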

fuzz/corpus/659e18039fb7c9fa02fa1ee081216907b8349e30

Lines changed: 0 additions & 1 deletion
This file was deleted.
-9.02 KB
Binary file not shown.
-198 Bytes
Binary file not shown.
-111 Bytes
Binary file not shown.

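--- a/src/mrb_cbor.c
+++ b/src/mrb_cbor.c
@@ -26,7 +26,7 @@ MRB_END_DECL
 /* Configurable CBOR recursion depth limits */
 #ifndef CBOR_MAX_DEPTH
 #if defined(MRB_PROFILE_MAIN) || defined(MRB_PROFILE_HIGH)
-#define CBOR_MAX_DEPTH 512
+#define CBOR_MAX_DEPTH 128
 #elif defined(MRB_PROFILE_BASELINE)
 #define CBOR_MAX_DEPTH 64
 #else
@@ -964,16 +964,26 @@ encode_bignum(CborWriter *w, mrb_value obj)
 }
 
 mrb_value mag = mrb_bint_abs(mrb, obj);
+mrb_gc_protect(mrb, mag);
 if (sign < 0) {
 mrb_value one = mrb_fixnum_value(1);
 mag = mrb_bint_sub(mrb, mag, one);
 }
+mrb_gc_protect(mrb, mag);
 
 mrb_value hex = mrb_bint_to_s(mrb, mag, 16);
-mrb_gc_register(mrb, hex);
-char *p = RSTRING_PTR(hex);
+mrb_gc_protect(mrb, hex);
+
 mrb_int len = RSTRING_LEN(hex);
+// Copy into a C buffer now, before any further mruby allocations
+char *hbuf = (char*)mrb_malloc(mrb, len + 2); // +2 for odd-pad + NUL
+memcpy(hbuf, RSTRING_PTR(hex), len);
+hbuf[len] = '\0';
+
+// hex no longer needed as a live mruby object
+mrb_gc_arena_restore(mrb, idx);
 
+char *p = hbuf;
 while (len > 0 && *p == '0') { p++; len--; }
 
 if (len == 0) {
@@ -982,8 +992,8 @@ encode_bignum(CborWriter *w, mrb_value obj)
 encode_len(w, 2, 1);
 uint8_t zero = 0;
 cbor_writer_write(w, &zero, 1);
-mrb_gc_unregister(mrb, hex);
 mrb_gc_arena_restore(mrb, idx);
+mrb_free(mrb, hbuf);
 return;
 }
 
@@ -996,10 +1006,11 @@ encode_bignum(CborWriter *w, mrb_value obj)
 
 if (odd) { memmove(p + 1, p, len); p[0] = '0'; }
 
-uint8_t *out = (uint8_t*)mrb_alloca(mrb, byte_len);
+uint8_t *out = (uint8_t*)mrb_malloc(mrb, byte_len);
 hex_decode_scalar(out, p, byte_len);
 cbor_writer_write(w, out, (size_t)byte_len);
-mrb_gc_unregister(mrb, hex);
+mrb_free(mrb, hbuf);
+mrb_free(mrb, out);
 mrb_gc_arena_restore(mrb, idx);
 }
 #endif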
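Review bot: `hbuf` (line 979) and `out` (line 1009) are plain `mrb_malloc` buffers with no cleanup on a non-local exit, so any raise between an allocation and its matching `mrb_free` leaks it — the `mrb_malloc` of `out` while `hbuf` is still live is one such point if allocation failure raises, and `encode_len`/`cbor_writer_write` are others if they can raise (their bodies are outside the hunk); the replaced `mrb_alloca` buffer was GC-owned and had no such path. Either the frees must also cover those paths, or the scratch buffers could stay GC-managed (for instance a string from `mrb_str_new(mrb, NULL, len + 2)` kept alive by the same arena protection already used for `hex`) so the no-alloca goal is met without hand-freed memory; the same applies to the third and fourth hunks, where `mrb_free(mrb, hbuf)` is now duplicated across two exit paths. `mrb_gc_arena_restore(mrb, idx)` also runs twice on every path (line 984, then again at 995 or 1014), which is harmless but one call is redundant. The first hunk lowers `CBOR_MAX_DEPTH` for the MAIN/HIGH profiles from 512 to 128 with no rationale in the commit message; a comment on the `#define` stating the reason would help. encode_bignum's body starts before the second hunk, and `idx` and `sign` are defined there.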
