Startsida Utforska Hjälp
Logga in
c
/
LuaJIT
spegling av https://github.com/LuaJIT/LuaJIT.git
2
0
Fork 0
Filer Ärenden 0 Wiki
Bläddra i källkod

Fix IR_ABC hoisting.

Reported by pwnhacker0x18. Fixed by Peter Cawley. #1194
Mike Pall 1 år sedan
förälder
3bdc6498c4
incheckning
7369eff67d
2 ändrade filer med 6 tillägg och 4 borttagningar
Delad Vy Visa Diff Statistik
  1. 3 2
      src/lj_opt_fold.c
  2. 3 2
      src/lj_record.c

+ 3 - 2
src/lj_opt_fold.c
Visa fil 

@@ -1702,9 +1702,10 @@ LJFOLDF(abc_k)
 
 LJFOLD(ABC any any)
 
 LJFOLDF(abc_invar)
 
 {
 
-  /* Invariant ABC marked as PTR. Drop if op1 is invariant, too. */
 
+  /* Invariant ABC marked as P32 or U32. Drop if op1 is invariant too. */
 
   if (!irt_isint(fins->t) && fins->op1 < J->chain[IR_LOOP] &&
 
-      !irt_isphi(IR(fins->op1)->t))
 
+      (irt_isu32(fins->t) ||
 
+       (!irref_isk(fins->op1) && !irt_isphi(IR(fins->op1)->t))))
 
     return DROPFOLD;
 
   return NEXTFOLD;
 
 }

+ 3 - 2
src/lj_record.c
Visa fil 

@@ -1069,12 +1069,13 @@ static void rec_idx_abc(jit_State *J, TRef asizeref, TRef ikey, uint32_t asize)
 
       /* Runtime value for stop of loop is within bounds? */
 
       if ((uint64_t)stop + ofs < (uint64_t)asize) {
 
 	/* Emit invariant bounds check for stop. */
 
-	emitir(IRTG(IR_ABC, IRT_P32), asizeref, ofs == 0 ? J->scev.stop :
 
+	uint32_t abc = IRTG(IR_ABC, tref_isk(asizeref) ? IRT_U32 : IRT_P32);
 
+	emitir(abc, asizeref, ofs == 0 ? J->scev.stop :
 
 	       emitir(IRTI(IR_ADD), J->scev.stop, ofsref));
 
 	/* Emit invariant bounds check for start, if not const or negative. */
 
 	if (!(J->scev.dir && J->scev.start &&
 
 	      (int64_t)IR(J->scev.start)->i + ofs >= 0))
 
-	  emitir(IRTG(IR_ABC, IRT_P32), asizeref, ikey);
 
+	  emitir(abc, asizeref, ikey);
 
 	return;
 
       }
 
     }