Created attachment 379291
Fix the bug, I think

Assembler-fuzzer landed on another case. You can coax a negative allocation out of NJ since it stores allocation sizes as s16 but only checks that they're u16 before inserting. Fix is to enforce a size limit and change the u16 assert to use it. And adjust callers. Not sure if this should block. It's a vaguely-potential vulnerability that I think we currently don't expose; our only users of LIR_alloc appear to all be using small alloc counts, nothing close to the limit. But it should be fixed.
Attachment #379291 - Flags: review?(gal)
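The signed/unsigned mismatch described in the comment above, modelled as a small added example (this is illustrative code written for this page, not nanojit's code or the attached patch). The struct, the function names, and the `kMaxAllocSize` limit are assumptions; the point is that a "fits in u16" check does not protect a field stored as s16, and that validating against a limit derived from the storage type does.

```cpp
#include <cstdint>
#include <climits>
#include <cstdio>

// Hypothetical model of an alloc instruction whose size field is a signed 16-bit
// value, as the bug comment describes. Not nanojit's real LIns layout.
struct AllocInsn {
    int16_t size;
};

// Pattern from the bug report: validate "fits in u16", then store into s16.
// Any request in 0x8000..0xFFFF passes the check and lands as a negative size.
bool buggyInsert(uint32_t requested, AllocInsn &out) {
    if (requested > UINT16_MAX) return false;     // u16 check
    out.size = static_cast<int16_t>(requested);   // s16 store: silently wraps negative
    return true;
}

// Assumed limit for the fixed path: the largest value the s16 field can hold.
// The real fix picks its own limit; the principle is that the bound must be
// derived from the storage type, not a wider unsigned one.
const uint32_t kMaxAllocSize = INT16_MAX;

// Fixed pattern: reject anything above the limit before it can be stored,
// so the stored size is always non-negative.
bool fixedInsert(uint32_t requested, AllocInsn &out) {
    if (requested > kMaxAllocSize) return false;
    out.size = static_cast<int16_t>(requested);
    return true;
}

// Helper used by the demo and the checks below: true when the stored size is
// something an allocator can act on safely (non-negative).
bool sizeIsSane(const AllocInsn &insn) {
    return insn.size >= 0;
}

int main() {
    AllocInsn a{}, b{};
    uint32_t req = 0x8000;  // constructed sample request just past the s16 range
    bool buggyOk = buggyInsert(req, a);
    bool fixedOk = fixedInsert(req, b);
    std::printf("request 0x%x: buggy accepted=%d size=%d sane=%d\n",
                req, buggyOk, a.size, sizeIsSane(a));
    std::printf("request 0x%x: fixed accepted=%d\n", req, fixedOk);
    return 0;
}
```

Running it shows the buggy path accepting 0x8000 and recording a negative size, while the fixed path rejects the same request; requests at or below `kMaxAllocSize` are accepted by both and stored intact.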
Does this just need landing somewhere?
status1.9.1: --- → ?
This is not currently exploitable in TM, but we should fix it to avoid future holes.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WONTFIX