From 888b2a4b13675695c8843ff1bc2455d5ccbf433d Mon Sep 17 00:00:00 2001
From: Enrico Zandomeni Borba
Date: Tue, 6 Aug 2024 20:12:23 +0200
Subject: [PATCH] check ctr sizes in do_run_io

amazingly this bug hadn't been caught before. we were not checking the number of arguments in `ctr` before accessing them, therefore accessing meaningless memory regions, which could lead to infinite loops as nothing would be reduced and the same "interaction" would be attempted endlessly.
---
 src/run.c | 7 ++++++-
 src/run.cu | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/run.c b/src/run.c
index 51505156..13b3fa94 100644
--- a/src/run.c
+++ b/src/run.c
@@ -752,7 +752,7 @@ void do_run_io(Net* net, Book* book, Port port) {
 Ctr ctr = readback_ctr(net, book, peek(net, port));
 
 // Checks if IO Magic Number is a CON
- if (get_tag(ctr.args_buf[0]) != CON) {
+ if (ctr.args_len < 1 || get_tag(ctr.args_buf[0]) != CON) {
 break;
 }
 
@@ -765,6 +765,11 @@ void do_run_io(Net* net, Book* book, Port port) {
 switch (ctr.tag) {
 case IO_CALL: {
+ if (ctr.args_len != 4) {
+ fprintf(stderr, "invalid IO_CALL: args_len = %u\n", ctr.args_len);
+ break;
+ }
+
 Str func = readback_str(net, book, ctr.args_buf[1]);
 FFn* ffn = NULL;
 // FIXME: optimize this linear search
diff --git a/src/run.cu b/src/run.cu
index def5cf84..970f8a01 100644
--- a/src/run.cu
+++ b/src/run.cu
@@ -869,7 +869,7 @@ void do_run_io(GNet* gnet, Book* book, Port port) {
 Ctr ctr = gnet_readback_ctr(gnet, gnet_peek(gnet, port));
 
 // Checks if IO Magic Number is a CON
- if (get_tag(ctr.args_buf[0]) != CON) {
+ if (ctr.args_len < 1 || get_tag(ctr.args_buf[0]) != CON) {
 break;
 }
 
@@ -882,6 +882,11 @@ void do_run_io(GNet* gnet, Book* book, Port port) {
 switch (ctr.tag) {
 case IO_CALL: {
+ if (ctr.args_len != 4) {
+ fprintf(stderr, "invalid IO_CALL: args_len = %u\n", ctr.args_len);
+ break;
+ }
+
 Str func = gnet_readback_str(gnet, ctr.args_buf[1]);
 FFn* ffn = NULL;
 // FIXME: optimize this linear search
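Review bot: The new `ctr.args_len < 1` guard in the first hunk of src/run.c exits silently, while the `args_len != 4` guard added a few lines later in the same function reports the malformed ctr on stderr; a readback with no arguments is the same class of malformed input and deserves the same diagnostic, e.g. `if (ctr.args_len < 1 || get_tag(ctr.args_buf[0]) != CON) { fprintf(stderr, "invalid IO ctr: args_len = %u\n", ctr.args_len); break; }`. The `%u` used in the later guard suggests `args_len` is unsigned, in which case `ctr.args_len == 0` states the intent more directly than `< 1`. do_run_io begins before this hunk and continues after it, so the construct that `break` leaves is not visible here. The first hunk of src/run.cu makes the identical change and the same note applies there.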
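Review bot: The `break` added inside `case IO_CALL: {` in the second hunk of src/run.c leaves only the switch, not whatever loop encloses it, so if that loop re-reads the same port after the switch the malformed ctr is read back again and the endless re-attempt the commit message describes is still possible; the loop is outside the hunk, so confirm that control after the switch terminates or advances, or leave through the same path as the magic-number check (a flag, `goto`, or `return`). The literal `4` is the expected arity of an IO_CALL ctr and would read better as a named constant, e.g. `enum { IO_CALL_ARGC = 4 };` beside the IO tags, used in both the comparison and the message. `%u` is exact only if `ctr.args_len` is `unsigned int`; if it is a fixed-width type, `PRIu32` from `<inttypes.h>` is the matching specifier. The other case arms of this switch are outside the hunk, and any of them that index `ctr.args_buf` need the same arity check. The second hunk of src/run.cu is identical and these notes apply there as well.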