gencgc: Fix potential out-of-bounds access in page_ends_contiguous_block_p().

  * If we're testing to see if the LAST page in dynamic space is
the end of a contiguous block, and it is a full page (bytes_used
is GENCGC_CARD_BYTES), we turn around and start investigating the
next page table entry... but there isn't one, it's beyond the end
of the allocation.

  * Fix, by bounds-testing the page index against the index of the
high-water mark for dynamic space.  This is guaranteed to be no
more than the total maximum for the page table, and is slightly
more micro-efficient than using the actual maximum, as any page
after the high-water mark will be page_free_p().

diff --git a/src/runtime/gencgc.c b/src/runtime/gencgc.c
index ae2d5e0..27cca07 100644 (file)
--- a/src/runtime/gencgc.c
+++ b/src/runtime/gencgc.c
@@ -251,6 +251,8 @@ page_ends_contiguous_block_p(page_index_t page_index, generation_index_t gen)
 {
     return (/* page doesn't fill block */
             (page_table[page_index].bytes_used < GENCGC_CARD_BYTES)
+            /* page is last allocated page */
+            || ((page_index + 1) >= last_free_page)
             /* next page free */
             || page_free_p(page_index + 1)
             /* next page contains no data */