Ticket #1802 (new bug)
PMC Creation Functions Can Cause Segfaults
| Reported by: | chromatic | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | 2.10 |
| Component: | embed/extend | Version: | 2.8.0 |
| Severity: | medium | Keywords: | gci |
| Cc: | Language: | ||
| Patch status: | Platform: | all |
Description
The exported Parrot_pmc_new(), Parrot_pmc_new_noinit(), Parrot_pmc_new_init(), Parrot_pmc_new_init_int(), Parrot_pmc_new_constant_noinit(), Parrot_pmc_new_constant(), Parrot_pmc_new_constant_init(), and Parrot_pmc_new_constant_init() functions all take an INTVAL base_type parameter. The functions use this parameter as an index into the given interpreter's vtable array to determine which PMC to create.
These functions perform no appropriate checking to determine if the base_type is positive or within the appropriate range of values for the known vtable types. Any extension could crash Parrot by passing in an invalid value.
We should consider changing the type of the base_type to UINTVAL, but we should also perform bounds checking against interp->n_vtable_alloced in all of these functions (probably with a static function).
