зеркало из https://github.com/mozilla/gecko-dev.git
b3ba117711
The invoke_copy_to_stack() function passes incorrect "stack_args" and "end" arguments to the alloc_word() utility function, for parameter types T_I8..T_I64, T_U8..T_U64, T_BOOL, T_CHAR and T_WCHAR. Namely, the "end" input parameter of invoke_copy_to_stack(), which is currently incorrectly passed as "end" to alloc_word(), points to the very end of the entire exchange area between _NS_InvokeByIndex() and invoke_copy_to_stack(). However, alloc_word()'s "end" parameter should point to the end of the "ireg" (integer registers) sub-area of the exchange area. That is, "ireg_end" should be passed to alloc_word() as "end". Because invoke_copy_to_stack()'s "end" input parameter is strictly greater than "ireg_end", alloc_word() will happily trample over the "freg" (floating point registers) area, on the above-mentioned type branches, given a large enough "paramCount". Similarly, as second argument, "stack_args" should be passed to alloc_word(), pointing to the next available stack slot, for spilled-over arguments. Passing "stk", which initially points to the base of the entire exchange area (and hence the base of the "ireg" area) makes no sense. The two other alloc_word() calls in the function are correct. So centralize all calls to alloc_word() to a single location -- thereby ending up with a sole call site per alloc_XXX() function --, and compute only the last argument, "word", conditionally. This fixes an obscure SIGSEGV in AARCH64 Firefox. Triggering the bug requires a target function with seven integer-like parameters (not counting the implicit "this" -- aka "that" -- parameter), followed by at least one parameter of the above buggy types. nsIOService::NewChannel2() is such a target function, for example. DONTBUILD because NPTOB |
||
|---|---|---|
| .. | ||
| xptcall | ||
| xptinfo | ||
| moz.build | ||