From ece7c42472f34dea0d57f428a5a6265e86776d66 Mon Sep 17 00:00:00 2001 From: Max Horn Date: Tue, 20 Jun 2023 16:52:36 +0200 Subject: [PATCH] Fix jl_gc_internal_obj_base_ptr The function `jl_gc_internal_obj_base_ptr` takes a pointer and tries to determine if it is a valid object pointer. As such it has to carefully validate all data it reads, and abort whenever there are obvious inconsistencies. This patch adds a check which aborts when `meta->osize` is zero, just before we perform a division-with-remainder by this value, thus avoiding a potential division-by-zero exception. This fixes a crash we are seeing in our code. The crash did not happen before PR #49644 was merged because back then there was a check for `meta->ages` not being zero, which apparently was enough to detect invalid values for `meta` (e.g. when `meta` points into a null page). --- src/gc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/gc.c b/src/gc.c index 00b0102f72653..930edbe9c67a8 100644 --- a/src/gc.c +++ b/src/gc.c @@ -4040,6 +4040,8 @@ JL_DLLEXPORT jl_value_t *jl_gc_internal_obj_base_ptr(void *p) // offset within object size_t off2 = (off - GC_PAGE_OFFSET); size_t osize = meta->osize; + if (osize == 0) + return NULL; off2 %= osize; if (off - off2 + osize > GC_PAGE_SZ) return NULL;