From 4438080fb2f654d99c265252963fcea6266b4d40 Mon Sep 17 00:00:00 2001 From: Alastair Bridgewater Date: Tue, 14 May 2013 18:45:30 -0400 Subject: [PATCH] gencgc: Fix potential out-of-bounds access in page_ends_contiguous_block_p(). * If we're testing to see if the LAST page in dynamic space is the end of a contiguous block, and it is a full page (bytes_used is GENCGC_CARD_BYTES), we turn around and start investigating the next page table entry... but there isn't one, it's beyond the end of the allocation. * Fix, by bounds-testing the page index against the index of the high-water mark for dynamic space. This is guaranteed to be no more than the total maximum for the page table, and is slightly more micro-efficient than using the actual maximum, as any page after the high-water mark will be page_free_p(). --- src/runtime/gencgc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/runtime/gencgc.c b/src/runtime/gencgc.c index ae2d5e0..27cca07 100644 --- a/src/runtime/gencgc.c +++ b/src/runtime/gencgc.c @@ -251,6 +251,8 @@ page_ends_contiguous_block_p(page_index_t page_index, generation_index_t gen) { return (/* page doesn't fill block */ (page_table[page_index].bytes_used < GENCGC_CARD_BYTES) + /* page is last allocated page */ + || ((page_index + 1) >= last_free_page) /* next page free */ || page_free_p(page_index + 1) /* next page contains no data */ -- 1.7.10.4