fix sigref stack corruption #395

It was setting undef to the last stack element ($id here). save_pushptrptr takes one ptr and one element to restore. But we must use it similar to save_generic_svref, not save_sptr. Fixes cperl #395.
perl11 · Jun 27, 2019 · 178a393 · 178a393
1 parent ea5d30c
commit 178a393
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 8 deletions.
diff --git a/pod/perlcdelta.pod b/pod/perlcdelta.pod
@@ -1920,6 +1920,15 @@ CV, like C<&Safe::Root0::strict::import@>, i.e. with
 F<dist/Storable/t/code.t> The fix is similar to the AV double-free
 protection of @_ in gp_free.
 
+=item *
+
+Fixed refs signature args, which dropped their refcnt to 0 when
+leaving the sub, so use-after-free stack corruption might occur.  It
+also restored by ptr (SV**) not by value (SV*), which was unsafe when
+the ptr moved.
+L<[cperl #395]|https://github.com/perl11/cperl/issues/395>
+cperl-only relevant. perl5 uses args in @_, cperl on the stack.
+
 =back
 
 =head1 Known Problems
@@ -1928,12 +1937,6 @@ protection of @_ in gp_free.
 
 =item *
 
-Refs in signature args might drop their refcnt to 0 when leaving the sub,
-so use-after-free stack corruption might occur.
-L<[cperl #395]|https://github.com/perl11/cperl/issues/395>
-
-=item *
-
 Signature args are not yet run-time type checked, only at compile-time.
 L<[cperl #389]|https://github.com/perl11/cperl/issues/389>
 

diff --git a/pp_hot.c b/pp_hot.c
@@ -5844,8 +5844,11 @@ PP(pp_signature)
             assert(argc);
             argc--;
             DEBUG_Xv(Perl_deb(aTHX_ "  sigref padp %p = argp %p\n", *padp, *argp));
-            /* copy back temp pad to old sv at leavesub */
-            save_pushptrptr(argp, padp, SAVEt_SPTR);
+            /* copy back temp pad to old sv at leavesub. [cperl #395] */
+            save_pushptrptr(*argp, *padp, SAVEt_SPTR);
+            DEBUG_lv(Perl_deb(aTHX_ "save SPTR %p %s at &%p\n",
+                              *argp, SvPEEK(*argp), *padp));
+            SvREFCNT_inc_NN(*argp); /* as in save_generic_svref */
             SvPADSTALE_on(*padp); /* mark our pad as inactive */
             *padp++ = *argp++;    /* and overwrite new pad with old sv */
             actions >>= SIGNATURE_SHIFT;