author | Sverker Eriksson <[email protected]> | 2014-03-21 16:38:13 +0100 |
---|---|---|
committer | Sverker Eriksson <[email protected]> | 2014-03-21 16:38:13 +0100 |
commit | 78b118bc5f503435b1d9216b3a3279e0c9fd9ecd (patch) | |
tree | 308b72d2a6306509f3d33d83d3e3ba3f96987a41 | |
parent | a74e66a68f3b4ed590f928b4fd4f0808c6287a32 (diff) | |
erts: Fix heap overflow in maps:remove/2 when key is not found
One key-value pair too many was copied.
-rw-r--r-- | erts/emulator/beam/erl_map.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/erts/emulator/beam/erl_map.c b/erts/emulator/beam/erl_map.c
index 2fff7f9390..fdd2d0c0f6 100644
--- a/erts/emulator/beam/erl_map.c
+++ b/erts/emulator/beam/erl_map.c
@@ -647,22 +647,24 @@ int erts_maps_remove(Process *p, Eterm key, Eterm map, Eterm *res) {
 *mhp++ = tup;
 if (is_immed(key)) {
- while(n--) {
+ while (1) {
 if (*ks == key) {
 goto found_key;
- } else {
+ } else if (--n) {
 *mhp++ = *vs++;
 *thp++ = *ks++;
- }
+ } else
+ break;
 }
 } else {
- while(n--) {
+ while(1) {
 if (EQ(*ks, key)) {
 goto found_key;
- } else {
+ } else if (--n) {
 *mhp++ = *vs++;
 *thp++ = *ks++;
- }
+ } else
+ break;
 }
 }
@@ -676,7 +678,7 @@ int erts_maps_remove(Process *p, Eterm key, Eterm map, Eterm *res) {
 found_key:
 /* Copy rest of keys and values */
- if (n) {
+ if (--n) {
 sys_memcpy(mhp, vs+1, n*sizeof(Eterm));
 sys_memcpy(thp, ks+1, n*sizeof(Eterm));
 } |
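Review bot: Both rewritten loops now compare `*ks` before they test `n`, so they are only safe when `n` is at least 1 on entry; with `n == 0` the first comparison would look at a key slot that does not exist and `--n` would step past zero without ever ending the loop. The function begins above this hunk, so whether an empty map is rejected earlier is not visible here; an `ASSERT(n > 0);` just ahead of `if (is_immed(key))` would pin the precondition next to the code that relies on it. A short comment such as `/* never copy the last pair when it does not match: the new block has no slot for it */` would record why the loop stops one short (the allocation size is outside the hunk, so confirm the wording against it). The diffstat shows only erl_map.c changed, so a regression test for maps:remove/2 with an absent key would be worth adding alongside this fix.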
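Review bot: At `found_key`, `if (--n)` changes `n` inside the condition, and the two `sys_memcpy` calls under it then take their length from that side effect. Splitting the step makes the invariant explicit: `n--; /* drop the matched pair; n is now the number of pairs after it */` followed by `if (n) {`. Both `goto found_key` sites in the loops above arrive with `n` still counting the matched pair, and saying so in the comment guards against a later edit to either loop turning the tail copy into an over- or under-copy.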