Add bound check before accessing flags array of InterpreterEmulator

Akira Saitoh · Akira Saitoh · commit 3964b99364a7 · 2021-09-09T10:48:03.000+09:00
`InterpreterEmulator::findNextByteCodeToVisit()` accesses `_InterpreterEmulatorFlags`
twice. Before the second one, `_bcIndex` can be modified with the value returned
by `findNextByteCodeToGen()`. The value can be larger than `_maxByteCodeIndex`,
which causes an out of bounds access.
This commit adds a bound check before the second access to `_InterpreterEmulatorFlags`.

Signed-off-by: Akira Saitoh &lt;saiaki@jp.ibm.com&gt;
diff --git a/runtime/compiler/optimizer/InterpreterEmulator.cpp b/runtime/compiler/optimizer/InterpreterEmulator.cpp
@@ -1240,7 +1240,7 @@ InterpreterEmulator::findNextByteCodeToVisit()
       else next();
       }
 
-   if (_InterpreterEmulatorFlags[_bcIndex].testAny(InterpreterEmulator::BytecodePropertyFlag::bbStart))
+   if (_bcIndex < _maxByteCodeIndex && _InterpreterEmulatorFlags[_bcIndex].testAny(InterpreterEmulator::BytecodePropertyFlag::bbStart))
       {
       if (isGenerated(_bcIndex))
          setIndex(Base::findNextByteCodeToGen());

Original file line number	Diff line number	Diff line change
`@@ -1240,7 +1240,7 @@ InterpreterEmulator::findNextByteCodeToVisit()`
`1240`	`1240`	`else next();`
`1241`	`1241`	`}`
`1242`	`1242`
`1243`		`- if (_InterpreterEmulatorFlags[_bcIndex].testAny(InterpreterEmulator::BytecodePropertyFlag::bbStart))`
	`1243`	`+ if (_bcIndex < _maxByteCodeIndex && _InterpreterEmulatorFlags[_bcIndex].testAny(InterpreterEmulator::BytecodePropertyFlag::bbStart))`
`1244`	`1244`	`{`
`1245`	`1245`	`if (isGenerated(_bcIndex))`
`1246`	`1246`	`setIndex(Base::findNextByteCodeToGen());`