From 53376f386127604022bb6b527ad29f23a2e8ff49 Mon Sep 17 00:00:00 2001
From: Brian Fiete
Date: Thu, 2 Jun 2022 15:01:02 -0700
Subject: [PATCH] Fixed some edge cases in write-past-end detection
---
BeefRT/dbg/gc.cpp | 3 ++-
BeefRT/dbg/gc_raw.cpp | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/BeefRT/dbg/gc.cpp b/BeefRT/dbg/gc.cpp
index 869a9ec2..1c46be6b 100644
--- a/BeefRT/dbg/gc.cpp
+++ b/BeefRT/dbg/gc.cpp
@@ -599,6 +599,7 @@ void* BfObjectAllocate(intptr size, bf::System::Type* objType)
result = BF_do_malloc_pages(ThreadCache::GetCache(), totalSize);
}
+ BF_ASSERT(totalSize - size <= kPageSize);
*(uint16*)((uint8*)result + size) = 0xBFBF;
*(uint16*)((uint8*)result + totalSize - 2) = totalSize - size;
@@ -974,7 +975,7 @@ void BFGC::ObjectDeleteRequested(bf::System::Object* obj)
int sizeOffset = *(uint16*)((uint8*)obj + allocSize - 2);
int requestedSize = allocSize - sizeOffset;
- if ((sizeOffset < 4) || (sizeOffset >= allocSize) || (sizeOffset >= kPageSize) ||
+ if ((sizeOffset < 4) || (sizeOffset >= allocSize) || (sizeOffset > kPageSize) ||
(*(uint16*)((uint8*)obj + requestedSize) != 0xBFBF))
{
Beefy::String err = Beefy::StrFormat("Memory deallocation detected write-past-end error in %d-byte object allocation at 0x%@", requestedSize, obj);
diff --git a/BeefRT/dbg/gc_raw.cpp b/BeefRT/dbg/gc_raw.cpp
index 602d44f0..f24c8554 100644
--- a/BeefRT/dbg/gc_raw.cpp
+++ b/BeefRT/dbg/gc_raw.cpp
@@ -632,7 +632,7 @@ void BfRawFree(void* ptr)
}
int markOffset = *markOffsetPtr;
- if ((markOffset < 2) || (markOffset >= allocSize) || (markOffset >= kPageSize) ||
+ if ((markOffset < 2) || (markOffset >= allocSize) || (markOffset > kPageSize + 2) ||
(*(uint16*)((uint8*)markOffsetPtr - markOffset) != 0xBFBF))
{
int requestedSize = (uint8*)markOffsetPtr - (uint8*)ptr - markOffset;
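Review bot: The new BF_ASSERT bounds the slack only from above, while the free-side check in ObjectDeleteRequested rejects a recorded offset below 4 (`sizeOffset < 4`); the two stores in this hunk need `totalSize - size >= 4` so that the 0xBFBF canary at `result + size` and the uint16 length at `result + totalSize - 2` do not overlap and clobber each other. If the computation of totalSize (outside the hunk) guarantees that, a matching `BF_ASSERT(totalSize - size >= 4);` beside the new one would pin the invariant the deallocation check depends on. The length is also stored through a uint16 cast, so the assert only rules out silent truncation if kPageSize fits in 16 bits, which is not visible here. BfObjectAllocate starts before this hunk and continues after it.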
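Review bot: The relaxed bound `(sizeOffset > kPageSize)` is only correct because the allocation side now asserts `totalSize - size <= kPageSize`, and nothing on this line says so; a short comment such as `// sizeOffset is the slack recorded by BfObjectAllocate and may equal kPageSize exactly` would stop a later edit from tightening it back to >=. The short-circuit order (`< 4`, then `>= allocSize`, then the kPageSize bound, then the canary read) is what keeps the final `obj + requestedSize` dereference inside the allocation, so that order must be preserved when the condition is touched again. ObjectDeleteRequested begins and ends outside the hunk.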
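Review bot: The `+ 2` in `(markOffset > kPageSize + 2)` is an unexplained constant that the raw allocation path is presumably relied on to honour, and that path gets no write-site assert in this commit (the diffstat shows gc_raw.cpp received only this one-line change), unlike the BF_ASSERT added to BfObjectAllocate. A free-side bound looser than what the writer guarantees is harmless, but one that is tighter reports a false write-past-end, so the raw allocator should get a matching `BF_ASSERT(markOffset <= kPageSize + 2);` where it stores the mark offset, plus a comment here stating why the raw trailer is 2 bytes larger than the object trailer. Whether `markOffsetPtr` sits at the end of the block, which the `markOffset >= allocSize` guard assumes before the canary read, cannot be confirmed from the hunk. BfRawFree starts before this hunk and continues after it.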