types: fix invalid memory access on setting non-contiguous array indexes

When setting an array index which is beyond the end of the last currently
preallocated chunk and not evenly divisible by the chunk size, the array
entries list was not properly reallocated, resulting in invalid memory
writes.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2 files changed, 57 insertions, 2 deletions

diff --git a/tests/custom/03_bugs/26_invalid_sparse_array_set b/tests/custom/03_bugs/26_invalid_sparse_array_set
new file mode 100644
index 0000000..4c47039
--- /dev/null
+++ b/tests/custom/03_bugs/26_invalid_sparse_array_set
@@ -0,0 +1,49 @@
+When setting an array index which is beyond the end of the last currently
+preallocated chunk and not evenly divisible by the chunk size, the array
+entries list was not properly reallocated resulting in invalid memory
+writes.
+
+-- Testcase --
+{%
+	for (i = 0; i < 32; i++) {
+		a = [];
+		a[i] = true;
+		print(length(a), "\n");
+	}
+%}
+-- End --
+
+-- Expect stdout --
+1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+-- End --
diff --git a/types.c b/types.c
index b8ad8da..de904ef 100644
--- a/types.c
+++ b/types.c
@@ -701,15 +701,21 @@ bool
 ucv_array_set(uc_value_t *uv, size_t index, uc_value_t *item)
 {
 	uc_array_t *array = (uc_array_t *)uv;
-	size_t old_count;
+	size_t old_count, new_count;
 
 	if (ucv_type(uv) != UC_ARRAY)
 		return false;
 
 	if (index >= array->count) {
 		old_count = array->count;
+		new_count = (index + 1) & ~(UC_VECTOR_CHUNK_SIZE - 1);
+
+		if (new_count > old_count) {
+			array->count = new_count;
+			uc_vector_grow(array);
+		}
+
 		array->count = index + 1;
-		uc_vector_grow(array);
 
 		while (old_count < array->count)
 			array->entries[old_count++] = NULL;