diff options
| -rw-r--r-- | lib.c | 4 | ||||
| -rw-r--r-- | tests/03_bugs/02_array_pop_use_after_free | 14 |
2 files changed, 16 insertions, 2 deletions
@@ -445,14 +445,14 @@ uc_pop(uc_vm *vm, size_t nargs) arrlen = json_object_array_length(arr); if (arrlen > 0) { - item = json_object_array_get_idx(arr, arrlen - 1); + item = uc_value_get(json_object_array_get_idx(arr, arrlen - 1)); json_object_array_del_idx(arr, arrlen - 1, 1); #ifdef HAVE_ARRAY_SHRINK json_object_array_shrink(arr, 0); #endif } - return uc_value_get(item); + return item; } static json_object * diff --git a/tests/03_bugs/02_array_pop_use_after_free b/tests/03_bugs/02_array_pop_use_after_free new file mode 100644 index 0000000..22f63ff --- /dev/null +++ b/tests/03_bugs/02_array_pop_use_after_free @@ -0,0 +1,14 @@ +When popping an element off an array, especially the last one, the popped +value might have been freed before the refcount was increased later on +function return. + +-- Expect stdout -- +1 +-- End -- + +-- Testcase -- +{% + x = [1]; + print(pop(x), "\n"); // This caused a SIGABRT before the bugfix +%} +-- End -- |