DrSocalkwe3n/luajit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix IR_ABC hoisting.

Browse Source 
Reported by pwnhacker0x18. Fixed by Peter Cawley. #1194
This commit is contained in:
Mike Pall
2024-08-15 00:10:01 +02:00
parent 3bdc6498c4
commit 7369eff67d
2 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/lj_record.c
View File

@@ -1069,12 +1069,13 @@ static void rec_idx_abc(jit_State *J, TRef asizeref, TRef ikey, uint32_t asize)
/* Runtime value for stop of loop is within bounds? */
if ((uint64_t)stop + ofs < (uint64_t)asize) {
/* Emit invariant bounds check for stop. */
emitir(IRTG(IR_ABC, IRT_P32), asizeref, ofs == 0 ? J->scev.stop :
uint32_t abc = IRTG(IR_ABC, tref_isk(asizeref) ? IRT_U32 : IRT_P32);
emitir(abc, asizeref, ofs == 0 ? J->scev.stop :
emitir(IRTI(IR_ADD), J->scev.stop, ofsref));
/* Emit invariant bounds check for start, if not const or negative. */
if (!(J->scev.dir && J->scev.start &&
(int64_t)IR(J->scev.start)->i + ofs >= 0))
emitir(IRTG(IR_ABC, IRT_P32), asizeref, ikey);
emitir(abc, asizeref, ikey);
return;
}
}