erts: Reject decoded local refs with too large first word

author: Sverker Eriksson <[email protected]> 2019-03-21 20:29:34 +0100
committer: Sverker Eriksson <[email protected]> 2019-03-22 19:40:36 +0100
commit: 3b61e5f55b13b7a16eadcc87582790ff6048b5af (patch)
tree: 2057865a68ed6f1996a5d34b3c16ff07ff414f35
parent: 452b5ff296efffaf24cce51993e0b00e2cb48885 (diff)
download: otp-3b61e5f55b13b7a16eadcc87582790ff6048b5af.tar.gz
otp-3b61e5f55b13b7a16eadcc87582790ff6048b5af.tar.bz2
otp-3b61e5f55b13b7a16eadcc87582790ff6048b5af.zip
1 files changed, 8 insertions, 1 deletions
diff --git a/erts/emulator/beam/external.c b/erts/emulator/beam/external.c
index 265292f519..471c1c3938 100644
--- a/erts/emulator/beam/external.c
+++ b/erts/emulator/beam/external.c
@@ -3579,7 +3579,7 @@ dec_term_atom_common:
 
 		cre = get_int32(ep);
 		ep += 4;
-		r0 = get_int32(ep); /* allow full word */
+		r0 = get_int32(ep);
 		ep += 4;
 
 	    ref_ext_common: {
@@ -3590,6 +3590,13 @@ dec_term_atom_common:
 
 		node = dec_get_node(sysname, cre, make_boxed(hp));
 		if(node == erts_this_node) {
+                    if (r0 >= MAX_REFERENCE) {
+                          /*
+                           * Must reject local refs with more than 18 bits
+                           * in first word as magic ref table relies on it.
+                           */
+                        goto error;
+                    }
 	
 		    rtp = (ErtsORefThing *) hp;
 		    ref_num = &rtp->num[0];
author	Sverker Eriksson <[email protected]>	2019-03-21 20:29:34 +0100
committer	Sverker Eriksson <[email protected]>	2019-03-22 19:40:36 +0100
commit	3b61e5f55b13b7a16eadcc87582790ff6048b5af (patch)
tree	2057865a68ed6f1996a5d34b3c16ff07ff414f35
parent	452b5ff296efffaf24cce51993e0b00e2cb48885 (diff)
download	otp-3b61e5f55b13b7a16eadcc87582790ff6048b5af.tar.gz otp-3b61e5f55b13b7a16eadcc87582790ff6048b5af.tar.bz2 otp-3b61e5f55b13b7a16eadcc87582790ff6048b5af.zip